The EU General Data Protection Regulation (GDPR) enters into force on May 25, 2018. The regulation requires all public authorities and private businesses to deploy sufficient IT security for the protection of the personal data processed in the organization. Specifically, it requires an assessment of the organization’s security level in relation to privacy. The purpose of the assessment is to identify the specific privacy-related risks. On this basis, IT security controls shall be designed and implemented in the right places in the organization.
To assess the risks associated with processing personal information, it will be necessary to map all relevant business processes, data types, systems and external data providers. The actual assessment of the organization’s data protection level will be carried out only after these data flows have been identified.
NNIT utilizes a Privacy Impact Evaluation tool (PRIME), which maps the data flows, provides an overview of where the most sensitive information is located logically and physically and documents how well they are protected in processes and systems. The tool is tailored to the new requirements and digitalization’s new threats to privacy.
The PRIME tool is based on interviews with representatives of both the business and IT. The first phase will therefore focus on determining the project scope, as well as identifying and setting up meetings with the relevant employees in the organization.
The PRIME tool is based on the international security standards ISO 27005 and ISO 29100, which include best-practice methodologies for risk analysis in the fields of information security and protection of private information. We assess the risk of data being disclosed to unauthorized persons and the risk that data is wrongfully changed or lost as a result of IT security breaches.
There is also a vulnerability assessment of the processes and systems where personal data is processed. What checks have already been implemented? Which are missing?
Based on the observations of the risk analysis and the established focus areas, a plan is drawn up of how the identified risks can be mitigated.
The plan may include the following control areas:
For every control area that the risk analysis finds to be lacking, NNIT can submit specific, implementable solution proposals.
Thanks to NNIT’s experience as an IT operations company, we work daily with consultancy on and implementation of both technical and organizational IT security solutions. NNIT also offers a line of services to aid you on your journey to GDPR compliance, including Encryption, Logging, Data Access Governance, Identity & Access Management and Breach Response.
In addition to implementing technical and legal improvements, it is important to involve all employees. That is why a substantial part of NNIT’s delivery includes the participation and training of the company’s employees in how their everyday work will need to change in order to comply with GDPR.