Data inventory tool (available now)
Template (Excel) Register of Processing Activity
Data inventory first, compliance next! The road towards the GDPR starts with an inventory of the personal data you process. Indeed, data inventorying is an essential step in your preparation: your organisation needs an inventory of all the types of information it processes, how that data will be protected, where the sensitive data sits. This tool helps you getting started building your register, as required by Article 30 of the GDPR.
'GDPR (General Data Protection Regulation) is buzzing through every company…': we said it in our invitation to this N-sight, and with over 130 people in the room on 24 January 2017, we proved our point! You can see the presentations from the event here (after login, Beltug members only), as well as the Excel template created by Cranium to help you keep track of the processing activities required by the GDPR.
We started off hearing from Bavo Van den Heuvel of Cranium Applied Privacy, who explained that the road to compliance begins with an inventory of the personal data your organisation processes. Be prepared, he stressed, and don't underestimate the process of that inventory.
When going over the GDPR, don't fall into the trap of 'reading what you want to read'! Even if you are a company with fewer than 250 employees, you are not exempt from creating a register, especially in these cases:
This inventory must be created per processing activity, not per company. So, HR is one processing activity, finance is another, etc. (See slide 5 for what is needed on record in an inventory.)
Specially for Beltug members, Cranium has built a tool to help you create your inventory (the 'Template (Excel) Register of Processing Activity' above). Make sure to complete it per type of data processed. (See slides 7-14 of Bavo's presentation for details on using the template.)
Even with tools and checklists, though, respecting the various retention periods for specific data will remain an important challenge for IT departments (see slide 13), Bavo concluded.
Next up was Danny Vande Putte, Operational Risk and Business Continuity Manager at National Bank of Belgium, who took us into the world of cybercrime. Cyber criminals are often already inside your network, without anyone knowing. Yet this situation doesn’t seem to bother or trouble anyone. Should we consider this situation a crisis, or does it only become a crisis when an actual data theft or hack occurs? Is the problem really that serious? How much consideration do we have to give to cyber criminality?
After that reflection, Danny shared his concerns regarding the GDPR, and especially the sometimes vague definitions it uses: e.g. what is an 'adequate level of protection'? It’s difficult to judge…
The fact remains, he highlights, that companies are targets, and for all kinds of purposes.
So, what are the characteristics of a cyber-attack?
While many aspects are similar to the crisis management we knew before cyber threats and GDPR (see slide 14), there are crisis management issues that very specific (see slide 15), such as crisis communication. For example, don't try to explain that you're not responsible: that is like a red flag to a bull for hackers! Another important aspect is traceability, which is key in building your legal defence.
Finally, don't stick with your traditional business continuity plans, Danny Vande Putte concluded, as they will most probably be compromised. Build new and innovative ones. In any case, a close and intense collaboration between the business and IT is more critical than ever. Both must be aware of each other's limitations and possibilities.
While GDPR is quite complex, it sometimes has the 'sweet smell of compromise' - maybe even on purpose, began Peter Van Dyck, Senior Associate at Allen & Overy, our next expert. He gave us a timeline for the regulation, with efforts from the regulators (the Belgian Privacy Commission, the Working Party 29, etc.) to make things more clear and obvious (see slide 3).
Take a look at what's new after these clarifications:
So, what to do between now and May 2018? Map your data, start your gap analysis, turn to the Commission's recommendations and begin implementing.
To close the session, Danielle Jacobs of Beltug called our members to action: don't reinvent the wheel! Come to us with your questions and take full advantage of the tools and documents we make available for your roadmap to GDPR compliance. You can get a complete overview on the Beltug initiatives and consultations with regulators and government in her slides.
Furthermore, over the coming months, you can expect regular updates from us on this topic!
This new N-sight format offers members a chance to learn from experts and peers about specific issues, with insights into trends, new technologies, how to prepare for them, and more.
Access to more information about this topic and/or to download the paper is easy and fast, but exclusively for Beltug members (just login to get access).
Beltug gathers a lot of information. Here you find the advantages of Beltug membership
The Beltug Team
Click here to login