What is GDPR?
I find that it always makes sense to start by explaining what the acronym means. GDPR stands for ‘General Data Protection Regulation’.
The GDPR is all about personal data. It sets out principles, rights and timescales for undertaking activity, as well as continuous enterprise activities required to comply and to evidence compliance.
Being GDPR compliant does not mean ‘breach free’. That is unrealistic: organisations are only as strong as their weakest person on a bad day and their most vulnerable piece of IT infrastructure (zero-day vulnerabilities mean that unknowable weaknesses are likely). As both of these are changeable and largely uncontrollable, it is important to be pragmatic.
To condense and paraphrase Article 32: “Taking into account everything the organisation does with personal data, it shall take appropriate measures”. GDPR compliance is therefore relative to your organisation.
Routes to compliance
The Information Commissioner’s Office is offering a route to certify compliance. This is not fully operational yet, but it is worth following for when certification becomes an option.
Data Protection Officer:
A Data Protection Officer (DPO) should ensure that your organisation has the appropriate level of operational and strategic measures in place. The DPO then needs to audit these measures themselves, or commission audits, to ensure that they are being adhered to across the company.
Chief Information Security Officer:
A Chief Information Security Officer (CISO) will oversee the organisation’s technical security measures and its security incident response.
Audit and Risk Committee:
Generally a sub-committee of an organisation’s board, the Audit and Risk Committee is responsible for ensuring that the organisation is addressing risks and conducting audits.
You will need to determine the appropriate blend for your organisation; ParaDPO can help.