One of our 7N specialists, Senior Project Manager and Certified Data Protection Officer Torben Elkjær has extensive GDPR experience from several compliance projects, recently within the healthcare sector.
Digitalization means that new areas are included daily in the processing of sensitive data, and that every citizen can be exposed to the abuse of personally identifiable information. In Torben’s opinion it is highly urgent that the handling of personal data is taken seriously, since the data are of critical importance to the individual citizen. Therefore, the EU Data Protection Regulation must be regarded as an urgently needed initiative to strengthen, unify and protect the privacy of individual citizens within the EU.
So how can the regulation be implemented in practice? The actual legislative text, the regulation itself, gives few instructions on how to ensure compliance in practice, which according to Torben puts organizations in a situation that is difficult to approach. Therefore, one must try to translate the regulation into practical, hands-on business initiatives.
From Torben’s point of view, one of the greatest challenges in relation to GDPR is that in a hectic working day it is ‘easy’ to ‘forget’ the regulation and to just continue working on the usual projects and tasks. Therefore, it is extremely important to create a GDPR compliance process with clear, logical initiatives and to establish a realistic ‘roadmap’.
One of Torben’s main competences is creating structure within loosely defined projects. It is with this strategic and structured way of working and thinking that Torben has approached the GDPR compliance projects he has been working on. Based on his experience, he has written an article that describes how GDPR, in his opinion, can be made operational by a so-called structured analysis.
Torben’s proposal for GDPR compliance: Structured analysis
To make the access to and usage of personal data as secure as possible, Torben proposes a structured and closely planned review of the relevant systems, where possible vulnerabilities are identified and mitigated. He distinguishes between two areas of action: Vulnerability analysis and Compliance analysis.
The Vulnerability analysis deals with the risk that data may be leaked and possibly misused. The purpose of such an analysis is to identify and remove ‘gaps’ before they become a data security issue. The analysis is a technical and organizational review of vulnerabilities within the individual system. Each system is reviewed individually, starting with a review of the data flow from creation to deletion at an overall level to identify the possible vulnerabilities. One way to do the analysis is to translate the requirements into simple questions with predefined response options and answer values. Torben advises that the analysis be carried out for all systems that handle personal data, and that every system be reviewed individually to ensure a complete analysis. The analysis should end with a number of proposed measures that can mitigate the identified vulnerabilities in the systems.
While the Vulnerability analysis aims to prevent data abuse, the Compliance analysis investigates if there are any gaps in compliance with the requirements of the regulation. Thus, the questions and optional answers in this analysis are related to the individual articles in the GDPR regulation. The intent here is thus to evaluate compliance with the specific elements of the regulation.
Torben argues that once questions and predefined answer values are ready both the Vulnerability and the Compliance analyses can be performed relatively quickly. While the structured analysis can be a helpful tool towards GDPR compliance, Torben underlines the fact that the proposals presented in his article are mere suggestions, and therefore no guarantee for GDPR compliance. As Torben states:
“The individual organization may have special issues to take into account for just their organization, issues that should be involved and which cannot be formulated generically. It is therefore not possible to state precisely how many questions an analysis contains, but somewhere between 30 and 40 questions have proven realistic.”
How quickly the implementation of the preventive measures can be completed depends on the state of the systems and the content of the individual measures. Torben emphasizes that there is no doubt that the period until May 25th will be busy.
In Torben’s opinion it is important to realize that it might not be possible to solve all the tasks related to GDPR at once, depending on the resources available in the organization. Therefore, it is crucial for an organization to prioritize and to focus on the most urgent tasks. To do so it is necessary to understand which systems are the most important to secure, and to know what it takes to implement the different initiatives and to take the right precautions. Therefore, Torben advises that the same procedure be used consistently to analyze the various systems, making it possible to compare the results and thereby gain insight into what to focus on.
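The questionnaire approach described above (predefined answers with numeric answer values, vulnerability questions kept separate from compliance questions tied to individual GDPR articles, the same procedure applied to every system so the results can be compared) can be modelled as a small scoring tool. The following is an added illustration, not Torben Elkjær’s or 7N’s own material or question set: the question texts, answer values, proposed measures, the three sample systems and their answers are all constructed for the example, and the GDPR article tags on the compliance questions are an assumed mapping chosen for illustration.

```python
"""Structured analysis as a scored questionnaire (added illustration).

Hypothetical example, not the article's own material: it models the approach
described in the text (vulnerability and compliance questions with predefined
answer options and numeric answer values, applied to every system individually
and compared afterwards). Question texts, weights, measures and the GDPR
article references used for tagging are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Question:
    qid: str
    text: str
    kind: str        # "vulnerability" or "compliance"
    options: dict    # predefined answer -> answer value (0 means no gap)
    measure: str     # proposal added to the report when the answer shows a gap
    article: str = ""  # GDPR article the compliance question maps to (assumed mapping)


# Constructed catalogue: the same questions are used for every system so results are comparable.
CATALOGUE = [
    Question("V1", "Is personal data encrypted at rest?", "vulnerability",
             {"yes": 0, "partly": 2, "no": 4}, "Enable storage encryption"),
    Question("V2", "Is access to personal data restricted by role?", "vulnerability",
             {"yes": 0, "partly": 2, "no": 4}, "Introduce role-based access control"),
    Question("V3", "Are exports of personal data to other systems logged?", "vulnerability",
             {"yes": 0, "no": 3}, "Log and review data flows out of the system"),
    Question("C1", "Is the system listed in the record of processing activities?", "compliance",
             {"yes": 0, "no": 3}, "Add the system to the processing record", article="Art. 30"),
    Question("C2", "Is there a defined retention period and a deletion routine?", "compliance",
             {"yes": 0, "partly": 2, "no": 4}, "Define retention and implement deletion", article="Art. 17"),
    Question("C3", "Can a breach be reported to the supervisory authority within 72 hours?", "compliance",
             {"yes": 0, "no": 4}, "Establish a breach notification procedure", article="Art. 33"),
]


@dataclass
class SystemResult:
    name: str
    vulnerability_score: int = 0
    compliance_score: int = 0
    measures: list = field(default_factory=list)

    @property
    def total(self) -> int:
        return self.vulnerability_score + self.compliance_score


def analyse_system(name, answers, catalogue=CATALOGUE):
    """Score one system. `answers` maps question id -> one of the predefined answers.
    A missing question or an answer outside the predefined options is rejected
    instead of being scored 0, because a silently skipped question would hide a gap."""
    result = SystemResult(name)
    for q in catalogue:
        if q.qid not in answers:
            raise ValueError(f"{name}: question {q.qid} not answered")
        answer = answers[q.qid]
        if answer not in q.options:
            raise ValueError(f"{name}: '{answer}' is not a predefined answer for {q.qid}")
        value = q.options[answer]
        if q.kind == "vulnerability":
            result.vulnerability_score += value
        else:
            result.compliance_score += value
        if value > 0:  # any non-zero answer value is a gap and produces a proposed measure
            tag = f" ({q.article})" if q.article else ""
            result.measures.append(f"{q.qid}{tag}: {q.measure}")
    return result


def prioritise(results):
    """Order systems by total score, most urgent first; ties broken by vulnerability score."""
    return sorted(results, key=lambda r: (r.total, r.vulnerability_score), reverse=True)


# Constructed answers for three hypothetical systems (not real systems).
SAMPLE_ANSWERS = {
    "patient-portal": {"V1": "yes", "V2": "yes", "V3": "yes", "C1": "yes", "C2": "partly", "C3": "yes"},
    "legacy-lab-db": {"V1": "no", "V2": "partly", "V3": "no", "C1": "no", "C2": "no", "C3": "no"},
    "hr-archive": {"V1": "partly", "V2": "yes", "V3": "no", "C1": "yes", "C2": "no", "C3": "yes"},
}


def run(answers_by_system=SAMPLE_ANSWERS):
    """Analyse every system with the same catalogue and return them in priority order."""
    return prioritise([analyse_system(n, a) for n, a in answers_by_system.items()])


if __name__ == "__main__":
    for r in run():
        print(f"{r.name}: total={r.total} (vuln={r.vulnerability_score}, compliance={r.compliance_score})")
        for m in r.measures:
            print("  -", m)
```

Because every system is scored against the same catalogue, the ranking is directly comparable across systems, which is the point of reusing the procedure; the per-system measure list is the report output the text describes, and rejecting unanswered or free-text answers keeps the analysis complete rather than letting a skipped question look like a pass.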
The crucial importance of documentation
One of the things Torben highlights as having significant importance in relation to GDPR is documentation. It is therefore important that the aforementioned analysis and examination of each system is well documented, so that the organization can present and prove its willingness to comply with the regulation. Should damage occur and the adequacy of the precautions be questioned, Torben assumes that being able to demonstrate that several reasonable measures had been implemented to prevent misuse of personal data will count in the organization’s favour, both before and during any determination of the size of a fine.
GDPR compliance involves the whole organization
It is not only the management level that should be concerned about GDPR compliance. To Torben it is important that an organization makes an effort to ensure that all its employees recognize the importance of protecting citizens’ personal data. One way to make employees embrace the Data Protection Regulation is to show examples of how, for instance, identity theft can be a direct consequence of a lack of thoroughness when handling personal data. In this way the employees become aware that they must handle others’ personal data the way they would wish another company to handle their own: nobody wants to become a victim of identity theft.
“Everybody needs to know what it takes. Everybody needs to be familiar with Data Protection so that they can react in the right way and without doubt, when decisions have to be made”.
Therefore, Torben argues that every department in the company must be involved, and that a collective understanding is required to ensure GDPR compliance. In Torben’s opinion, it is highly motivating for employees to know that their work plays a large part in reducing the risk of data leaks. It is by applying such a “bottom-up” approach that the necessary actions and behaviour become embedded in an organization; the employees must feel that it is the only right thing to do.
To read Torben’s full article about structured analysis click here.
7N consultant Torben Elkjær is a Senior Project Manager and Certified Data Protection Officer with extensive GDPR experience from several compliance projects, recently within the healthcare sector. If you are interested in hearing more about our GDPR specialists, please contact one of our Agents.