The transition period for the renewed EU data protection is only about 15 months at the time of writing this blog. After that, we’ll be moving into an era of really having to make sure we’ve got the appropriate information systems and processes in our company, or face substantial sanctions: the fine, according to the General Data Protection Regulation Act, could be up to 4 % of the company’s global turnover. This would really hurt any company, and we’ll all want to avoid that kind of scenario. It is therefore time for a development project. We’ll have enough time to prepare for all this, even if the deadline is approaching fast.
Are we really in a hurry here? The answer is yes. To comply with the act we’ll have to go through all of our information systems, and it could easily take months.
Where to start?
The biggest task in the development project is to analyse the current state of affairs and to go through the existing systems, bearing in mind the requirements of the act and the final goals. Initially, we’ll find out which systems hold personal data registers and whether there are legal grounds for storing such registers there. It might also be reasonable to consider pseudonymising the personal data registers, which would allow us to store the data in an almost anonymous form. In case of a breach, no sensitive information about a person would then be directly leaked.
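To make the pseudonymisation idea concrete, here is an added example that is not code from the original post or from Enfo. It assumes a keyed construction (HMAC-SHA256 over each direct identifier) and uses a constructed customer register of three sample records; the field names `customer_id`, `email`, `plan` and `city` are illustrative. The point it demonstrates is the separation the text relies on: the pseudonymised store can be analysed and linked per person, but a breach of that store alone exposes no direct identifier, because re-identification needs the key and a lookup table that are kept elsewhere.

```python
import hashlib
import hmac
import secrets

# Constructed sample register (no real people); the fields in DIRECT_IDENTIFIERS
# are the ones that point straight at a person.
SAMPLE_REGISTER = [
    {"customer_id": "C-1001", "email": "a.example@example.com", "plan": "basic", "city": "Espoo"},
    {"customer_id": "C-1002", "email": "b.example@example.com", "plan": "premium", "city": "Oulu"},
    {"customer_id": "C-1001", "email": "a.example@example.com", "plan": "basic", "city": "Espoo"},
]
DIRECT_IDENTIFIERS = ("customer_id", "email")


def pseudonym(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256 of the identifier).

    The same identifier always maps to the same pseudonym under one key, so
    records about one person stay linkable for analysis. Without the key the
    pseudonym cannot be reversed, and a plain hash of a guessed e-mail address
    will not match it, which is why a keyed construction is used rather than
    a bare SHA-256."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise_register(records, key):
    """Replace every direct identifier with its pseudonym.

    Returns (pseudonymised_records, lookup). The lookup maps pseudonym -> original
    value and is the re-identification secret: keep it (and the key) in a
    separate store with its own access control, never next to the data."""
    pseudonymised = []
    lookup = {}
    for rec in records:
        new_rec = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            p = pseudonym(rec[field], key)
            lookup[p] = rec[field]
            new_rec[field] = p
        pseudonymised.append(new_rec)
    return pseudonymised, lookup


def reidentify(record, lookup):
    """Restore the original identifiers of one record (requires the lookup)."""
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        restored[field] = lookup[record[field]]
    return restored


def leaks_direct_identifier(pseudonymised, originals):
    """What a breach of the pseudonymised store alone would expose: True if any
    original identifier value still appears in the pseudonymised records."""
    original_values = {rec[f] for rec in originals for f in DIRECT_IDENTIFIERS}
    return any(rec[f] in original_values for rec in pseudonymised for f in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    # Generated once and kept in a key vault, not in the database with the data.
    key = secrets.token_bytes(32)
    data, lookup = pseudonymise_register(SAMPLE_REGISTER, key)
    for rec in data:
        print(rec)
    print("direct identifiers exposed:", leaks_direct_identifier(data, SAMPLE_REGISTER))
    print("re-identified first record:", reidentify(data[0], lookup))
```

Two design choices matter in practice: the pseudonym is keyed, so an attacker holding only the pseudonymised table cannot confirm whether a particular person is in it by hashing known identifiers; and the key and lookup table are the re-identification secret, so they belong in a separate system with its own access control and logging, which is what keeps a breach of the data store from directly leaking who the records are about.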
It is important to note here that few companies in Finland operate alone anymore in the modern digital environment. Service providers help their clients especially with data security in development projects. Our role in this is to help customers in different areas, e.g. in the processes and in the technical management of information. It is truly difficult to go through a renewal without the help of partners. The partner often has a key role, e.g. in recognising the risks involved in the customer’s business and in implementing new services.
From project results to continuous management
As a result of the development project, we’ll be able to recognise and create new processes, methods and instructions. At the implementation stage at the latest, we’ll often notice that to comply with the new acts we’ll have to implement new services. These services might include, for example:
- Information management tools and processes
- Log management
- Identity and access management
- Security & architecture
- Vulnerability management and patch management
- Managing the personal data registers
It’s likely that there will be unwanted information in the company systems even after the new services have been implemented. Therefore it is important to continue the development step by step even after the implementation. This is the best way to manage risk continuously. It’s also important to keep a journal of the development project’s course, its different stages, the decisions made and the events after it, because we must be able to show our compliance to the Data Protection Authority, as required by the General Data Protection Regulation Act. The journal may cover the management of the whole process or the handling of a single person’s data in the company.
It might seem like a large project to prepare for the General Data Protection Regulation Act, and in the end, 15 months is a short period of time. We shouldn’t end up as a cautionary precedent; let’s start work right now.
Tuukka works in Enfo's IT Services as a Senior Specialist focusing especially on security services development.
The VAHTI Report of the Ministry of Finance on the total renewal of the EU data protection
A suggestion for the NIS Directive (The measures to ensure a unified high quality internet and data security in the whole