
Implementation of the EU General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) enters into force on May 25, 2018. The regulation requires all public authorities and private businesses to deploy sufficient IT security for the protection of personal data processed in the organization. Specifically, it requires an assessment of the organization’s security level in relation to privacy. The purpose of the assessment is to identify specific related risks. On this basis, IT security controls shall be designed and implemented in the right places in the organization.

NNIT Data Protection Framework

To assess the risks associated with processing personal information, it will be necessary to map all relevant business processes, data types, systems and external data providers. The actual assessment of the organization’s data protection level will be carried out only after these data flows have been identified.

NNIT utilizes a Privacy Impact Evaluation tool (PRIME), which maps the data flows, provides an overview of where the most sensitive information is located logically and physically, and documents how well it is protected in processes and systems. The tool is tailored to the new requirements and to digitalization’s new threats to privacy.

Phase 1: Planning of risk analysis

The PRIME tool is based on interviews with representatives of both the business and IT. The first phase will therefore focus on determining the project scope, as well as identifying and setting up meetings with the relevant employees in the organization.

Phase 2: Risk analysis

The PRIME tool is based on the international security standards ISO 27005 and ISO 29100, which include best-practice methodology for risk analysis in the field of information security and protection of private information. We assess the risk of loss of data to unauthorized persons and the risk that data is changed wrongfully or lost as a result of IT security breaches.

There is also a vulnerability assessment of the processes and systems where personal data is processed. What checks have already been implemented? Which are missing?

Based on the observations of the risk analysis and the established focus areas, a plan is drawn up of how the identified risks can be mitigated.

The plan may include the following control areas:

  • Processing authorization and proportionality
  • Policies and processes
  • Access control
  • Deletion
  • Encryption
  • Logging
  • Ownership
  • Data processors

Phase 3: Specific proposals for solutions

For every control area that may be found to be lacking in the risk analysis, NNIT can submit specific implementable solution proposals.

Phase 4-5: Implementation and maintenance

Thanks to NNIT’s experience as an IT-operating company, we work daily with consultancy and implementation of both technical and organizational IT-security solutions. NNIT also has a line of services to aid you in your journey to GDPR compliance, including Encryption, Logging, Data Access Governance, Identity & Access Management and Breach Response.

In addition to implementing IT-technical and legal improvements, it is important to involve all employees. That’s why a substantial part of NNIT’s delivery includes participation and training of the company’s employees in how their everyday lives will need to change in order to comply with GDPR.







Steve Peacock, GDPR Consulting Director, +45 30778428, sepc@nnit.com


