AuditScripts Policy Update for GDPR

Hello, friends and subscribers. As you know, the European Union’s General Data Protection Regulation (GDPR) is almost here and it is has become an everyday topic of conversation in our data protection circles. If you are an information security person, I hope you have made friends with the privacy folks in your organization, and vice versus. Data protection, especially under terms of GDPR, will involve the security and privacy teams working together.

As most of you know, GDPR goes into effect on May 25, 2018 and it was created to better harmonize data protection laws around the member states. Key components of GDPR include data subjects’ right for rectification, right to fair and lawful processing of personal data, as well as the right to erasure. Basically, GDPR addresses two core principles: Data Protection and Privacy.

Here at Auditscripts.com, our team knows data protection and we have tremendous expertise in information security architecture. We believe in the importance of privacy programs. In this updated release of the policies, we have acknowledged that privacy management is a unique discipline. Our recommendation for organizations is to create a Privacy Program, starting with a Charter that defines the goals of the Privacy Program. We have included an updated privacy policy in our subscription to document how privacy efforts interact with information assurance, governance, and technical controls, but this is not a replacement for a comprehensive and well documented privacy program. If you are in need of privacy resources,

The International Association of Privacy Professionals (IAPP) provides guidance, articles, and an active community supporting other privacy professionals at https://iapp.org/.
Project Management Institute provides information on project management and program management at www.pmi.org .

Today, we release our updated policy library to address the principles and requirements of GDPR, and this blog will highlight the key principles surrounding the updates to the policies.
Guiding Principles in the Creation of This Update (2018 2.3)

 

We Baked Data Protection Principles into the policy library as a whole.

The term ‘Data Protection’ is used frequently in the GDPR Articles and Recitals, but this is nothing new to our policy library. We have created an Information Assurance Policy library for you that already addresses key data protection principles of confidentiality, integrity, privacy, and availability.

We give you the tools to establish a Governance, Risk, and Compliance Program that can support data protection practices under that a GRC umbrella.

We wrote policies for a Multi-Disciplinary Team Approach to Successful Data Protection. Some examples include:

Executive Support for Governance, Information Assurance, Risk Management, and Privacy efforts

Privacy experts reviewing privacy notices

Legal personnel vendor agreements

Risk expects conducting assessments

Information Security architects reviewing technical controls

We Updated policies names to include updated concepts.

Data Protection and Classification Policy has been refined to more closely tied together data classification efforts supporting data protection (formerly, Data Classification Policy)

Data Retention, Backup, Archive Policy includes updated policy statements to reflect handling of personal data

We Avoided Regional Favoritism

We chose open-ended language in the policies to maintain a balance between the requirements of the EU’s GDPR and other geographical region’s privacy and data protection regulations.

Open ended statements that cover all regulatory bodies without being specifically written for one geographical regulatory body. For example, for GDPR, we implied that your organization is the data controller without using that term specifically.

We used the term ‘personal data’ to be inclusive of multiple regulations that refer address data about individuals.

We acknowledged that GDPR Expertise will evolve and grow as the Regulation goes into effect.

As Data Protection Authorities (DPAs) begin to review factors surrounding data subjects’ complaints and data breach notifications, we will better understand how to apply administrative and technical controls to mitigate risk.

As of the writing of this blog post, there is uncertainty of the EU-U.S. Privacy Shield and there are lingering questions if United States companies should certify or not.

We updated all policies. These policies received the largest updates:

Charter Document for Information Assurance

Cloud and Third Party Services Policy

Data Backup, Retention, Archive Policy

Data Protection and Classification Policy

Incident Management Policy

Privacy Policy

Thank you for participating in our community and we will continue to provide guidance and suggestions on how to best use the resources on www.auditscripts.com .