First Post: the IT landscape under GDPR

This blog is dedicated to questions raised by the pending application of the GDPR (General Data Protection Regulation), which is coming into force on 25 May 2018.

  • My experience, as a data modeler and analyst, is that very few data-processing shops have begun to compliance measures.
  • Online materials focus on the headline aspects of the legislation, such as fines, audits, and liability, but few address day-to-day practical concerns.

What this blog aims to do is to leave the strictly legal questions to the lawyers and instead discuss the impact of the GDPR on business and IT, particularly in Belgium.

What follows are some GDPR challenges that have occurred to me thus far:

  • getting started, given the vast number of tasks required
  • it seems that IT operates with more limited resources than ever before; how can we accommodate privacy protection into this minimalist landscape
  • visualizing the end-to-end development process
  • organizing roles and responsibilities
  • the relation between privacy and security measures
  • managing the process/traceability paper-shuffle
  • pondering open questions about non-EU providers, such as cloud applications and outsourcing companies

Viewing GDPR as a business risk

  • risk assessment
  • contingency planning
  • mitigation
  • revenue flows (e.g., marketing, selling data)

Application development

  • Retro-fitting existing applications to make them compliant
  • Organizing the development process to implement “Data protection by design and by default” (one of the chapters of the GDPR)
  • How we might integrate Agile-type practices into protection-by-design

The Big Picture

  • the global struggle between guarding privacy and the profitability of personal data
  • globalization trends (cloud, outsourcing) and the conflict with privacy
  • what level of protection is ‘good enough’?

Reading the text of the legislation

  • what does it say on its face?
  • where could we benefit from guidance from legal experts?
  • assuming that national privacy auditors will use the legislation as a guide, how can it help us in our processes and contingency planning?

Ongoing developments – Given that privacy, data breaches, government action, court cases, and more can be expected in the run-up to GD-day, I will discuss events that appear significant to a broad audience.

Being new to blogging in general and WordPress in particular, I expect to have some teething problems. In particular, I will have to learn how to handle comments so as to keep discussions civil and on-topic. Please bear with me; I hope you will find this to be a useful resource.