Skip Ribbon Commands
Skip to main content

Implementation of the EU General Data Protection Regulation

​​​The EU General Data Protection Regulation (GDPR) steps into force on May 25, 2018. The regulation requires all public authorities and private businesses to deploy sufficient IT security for the protection of personal data processed in the organization. Specifically, it requires an assessment of the organization’s security level in relation to privacy. The purpose of the assessment is to identify specific related risks. On this basis, IT security controls shall be designed and implemented in the right places in the organization. 

NNIT Data Protection Framework

To assess the risks associated with processing personal information, it will be necessary to map all relevant business processes, data types, systems and external data providers. The actual assessment of the organization’s data protection level will be carried out only after these data flows have been identified.

NNIT utilizes a Privacy Impact Evaluation tool (PRIME), which maps the data flows, provides an overview of where the most sensitive information is located logically and physically and documents how well they are protected in processes and systems. The tool is tailored to the new requirements and digitalization’s new threats to privacy.

Phase 1: Planning of risk analysis

The PRIME tool is based on interviews with representatives of both the business and IT. The first phase will therefore focus on determining the project scope, as well as identifying and setting up meetings with the relevant employees in the organization.

Phase 2: Risk analysis

The PRIME-tool is based on the international security standards ISO 27005 and  ISO 29100, which includes Best Practice methodology for risk analysis in the field of information security and protection of private infor- mation. We assess the risk of loss of data  to unauthorized persons and the risk that data is changed wrongfully or lost as a  result of IT security breaches.

There is also a vulnerability assessment of the processes and systems where personal data is processed. What checks have already been implemented? Which are missing?

Based on the observations of the risk analysis and the established focus areas, a plan is drawn up of how the identified risks can be mitigated.

The plan may include the following control areas:

  • Processing authorization and proportionality
  • Policies and processes
  • Access control
  • Deletion
  • Encryption
  • Logging
  • Ownership
  • Data processors

Phase 3: Specific proposals for solutions

For every control area that may be found  to be lacking in the risk analysis, NNIT can submit specific implementable solution  proposals.

Phase 4-5: Implementation and maintenance

Thanks to NNIT’s experience as an IT-operating company, we work daily with consultancy and implementation of both technical and organizational IT-security solutions. NNIT also has a line of services to aid you in your journey to GDPR compliance, including Encryption, Logging, Data Access Governance, Identity & Access Management and Breach Response.

In addition to implementing IT-technical and legal improvements, it is important to involve all employees. That’s why a substantial part of NNIT’s delivery includes participation and training of the company’s employees in how their everyday lives will need to change in order to comply with GDPR.







Steve Peacock+45 30778428sepc@nnit.comGDPR Consulting Director Peacock



Scaling Data Science with NNIT Data Science with NNIT
PFA: “Data science is not an IT discipline; it is a business discipline”;-it-is-a-business-discipline.aspxPFA: “Data science is not an IT discipline; it is a business discipline”
Digital Work Place Work Place
Advisory & Methodology & Methodology
The small valuable ideas are the key small valuable ideas are the key
Region H pushes the boundaries with new technology H pushes the boundaries with new technology
We have outsourced significantly to be more agile have outsourced significantly to be more agile
Going agile has cut Arla’s digital go-live time in half’s-digital-go-live-time-in-half.aspxGoing agile has cut Arla’s digital go-live time in half
Agile organizations need time to succeed – and backing from senior management–-and-backing-from-senior-management.aspxAgile organizations need time to succeed – and backing from senior management