Hello, friends and subscribers. As you know, the European Union’s General Data Protection Regulation (GDPR) is almost here and it has become an everyday topic of conversation in our data protection circles. If you are an information security person, I hope you have made friends with the privacy folks in your organization, and vice versa. Data protection, especially under the terms of GDPR, will involve the security and privacy teams working together.
As most of you know, GDPR goes into effect on May 25, 2018 and it was created to better harmonize data protection laws across the member states. Key components of GDPR include data subjects’ right to rectification, right to fair and lawful processing of personal data, as well as the right to erasure. Basically, GDPR addresses two core principles: Data Protection and Privacy.
The International Association of Privacy Professionals (IAPP) provides guidance, articles, and an active community supporting other privacy professionals at https://iapp.org/.
Project Management Institute provides information on project management and program management at www.pmi.org.
Today, we release our updated policy library to address the principles and requirements of GDPR, and this blog will highlight the key principles surrounding the updates to the policies.
Guiding Principles in the Creation of This Update (2018 2.3)
We Baked Data Protection Principles into the policy library as a whole.
The term ‘Data Protection’ is used frequently in the GDPR Articles and Recitals, but this is nothing new to our policy library. We have created an Information Assurance Policy library for you that already addresses key data protection principles of confidentiality, integrity, privacy, and availability.
We give you the tools to establish a Governance, Risk, and Compliance Program that can support data protection practices under a GRC umbrella.
We wrote policies for a Multi-Disciplinary Team Approach to Successful Data Protection. Some examples include:
Executive Support for Governance, Information Assurance, Risk Management, and Privacy efforts
Privacy experts reviewing privacy notices
Legal personnel reviewing vendor agreements
Risk experts conducting assessments
Information Security architects reviewing technical controls
We Updated policy names to include updated concepts.
Data Protection and Classification Policy has been refined to tie data classification efforts more closely to data protection (formerly, Data Classification Policy)
Data Retention, Backup, Archive Policy includes updated policy statements to reflect handling of personal data
We Avoided Regional Favoritism
We chose open-ended language in the policies to maintain a balance between the requirements of the EU’s GDPR and other geographical regions’ privacy and data protection regulations.
We used open-ended statements that cover all regulatory bodies without being written specifically for one geographical regulatory body. For example, for GDPR, we implied that your organization is the data controller without using that term specifically.
We used the term ‘personal data’ to be inclusive of the multiple regulations that address data about individuals.
We acknowledged that GDPR Expertise will evolve and grow as the Regulation goes into effect.
As Data Protection Authorities (DPAs) begin to review factors surrounding data subjects’ complaints and data breach notifications, we will better understand how to apply administrative and technical controls to mitigate risk.
As of the writing of this blog post, there is uncertainty about the EU-U.S. Privacy Shield and there are lingering questions about whether United States companies should certify or not.
We updated all policies. These policies received the largest updates:
Charter Document for Information Assurance
Cloud and Third Party Services Policy
Data Backup, Retention, Archive Policy
Data Protection and Classification Policy
Incident Management Policy
Thank you for participating in our community and we will continue to provide guidance and suggestions on how to best use the resources on www.auditscripts.com.