
Implementation of the EU General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) enters into force on May 25, 2018. The regulation requires public authorities and private businesses alike to implement IT security that is adequate for the personal data they process. Specifically, it requires an assessment of the organization's security level in relation to privacy, the purpose of which is to identify the concrete privacy-related risks. On that basis, IT security controls are designed and implemented where they are actually needed in the organization, rather than applied uniformly.

NNIT Data Protection Framework

To assess the risks associated with processing personal data, it is first necessary to map all relevant business processes, data types, systems and external data processors. The actual assessment of the organization's data protection level is carried out only after these data flows have been identified; a control cannot be judged adequate before it is known which data passes through it.

NNIT uses a Privacy Impact Evaluation tool (PRIME), which maps the data flows, gives an overview of where the most sensitive information is located both logically and physically, and documents how well that information is protected in processes and systems. The tool is tailored to the new regulatory requirements and to the new threats to privacy that digitalization brings.

Phase 1: Planning of risk analysis

The PRIME tool is based on interviews with representatives of both the business and IT. The first phase therefore focuses on determining the project scope and on identifying, and setting up meetings with, the relevant employees in the organization.

Phase 2: Risk analysis

The PRIME tool is based on the international standards ISO/IEC 27005 (information security risk management) and ISO/IEC 29100 (privacy framework), which provide best-practice methodology for risk analysis in the fields of information security and protection of personal information. We assess the risk of data being disclosed to unauthorized persons (confidentiality) and the risk of data being wrongfully changed or lost as a result of IT security breaches (integrity and availability).

A vulnerability assessment is also made of the processes and systems in which personal data is processed: which controls are already in place, and which are missing?

Based on the findings of the risk analysis and the agreed focus areas, a plan is drawn up for how the identified risks can be mitigated.

The plan may include the following control areas:

  • Processing authorization and proportionality
  • Policies and processes
  • Access control
  • Deletion
  • Encryption
  • Logging
  • Ownership
  • Data processors

Phase 3: Specific proposals for solutions

For every control area found to be lacking in the risk analysis, NNIT can submit specific, implementable solution proposals.

Phase 4-5: Implementation and maintenance

As an IT operations provider, NNIT works daily with consultancy on, and implementation of, both technical and organizational IT security solutions. NNIT also offers a line of services to support the journey to GDPR compliance, including Encryption, Logging, Data Access Governance, Identity & Access Management and Breach Response.

In addition to implementing technical and legal improvements, it is important to involve all employees. A substantial part of NNIT's delivery therefore consists of involving and training the company's employees in how their day-to-day work will need to change in order to comply with GDPR.


Contact: Steve Peacock, GDPR Consulting Director, NNIT
Phone: +45 30778428
E-mail: sepc@nnit.com
LinkedIn: https://www.linkedin.com/in/steve-peacock-8102631/
