GDPR compliance is a continuous process, not a final state.
SMEs have no idea where to start with the GDPR!
With the arrival of the General Data Protection Regulation (GDPR) the potential cost of data protection violations and breaches has skyrocketed. Yet even after 2 years of preparation time there is a clear sense of panic amongst the SMEs. If you are representing an SME and you have no idea where to start you are not alone. At the same time we all are bombarded on a daily basis by offerings for GDPR consultancy and GDPR products. To make things worse, most of the EU member states already had a similar legislation in place with one major difference - no fines. Relax, you are not alone. Moreover, it is quite unlikely you will get a fine without a warning (at least in Belgium according to Philippe De Backer).
GDPR is risk-based!"Risk" is one of the most frequent words in the GDPR legislation text. So before jumping into concrete solutions one should start by considering the following questions.
- What is the risk (and the impact) to the data subjects' and their rights?
- Does your organization systematically map out security and privacy threats and risks?
- Have you taken every reasonable step to protect your customers data?
"...necessary technical and organizational measures" is a real challenge!
On the other hand the principles such as "privacy by design", "privacy by default", "necessary technical and organizational measures" are the ones where we should focus our long-term attention.
Privacy and security risk management!
Everything starts with knowing. Today's best practices in the fields of technical security and privacy engineering are known to be the LINDDUN and STRIDE threat modeling frameworks. By leveraging a light-weight combined version of these methodologies we provide a systematic architectural security and privacy assessment. As a result precise and efficient countermeasures can be implemented. The outcome of the analysis itself is considered to tackle the accountability principle.
Privacy and security by design.
At Codific we leverage a top-down architectural approach to software systems design. Hence, by definition we focus on security and privacy by design, where architectural improvements can provide a systematic solution as opposed to fighting the symptoms. Our team excels in abstract architectural thinking.
GDPR compliance is a moving target with convergence at best.
The road to GDPR compliance is a continuous process. It is a moving target with at best convergence to the ideal. While there are a plethora of low hanging fruits especially in the first part of the road, creating the long-term compliance vision is essential.