In my previous post about building a data inventory (link), I showed a basic 3-table schema which stores the names, locations, and other attributes of the personally-identifiable information (PII) in a set of databases. This post shows how one might go about recording the actual PII that is in the databases. Continue reading “The Data Inventory, Part 3”
One way to become familiar with the legislation is to read it from beginning to end. Consisting of 88 pages of PDF and over 55,000 words, the GDPR is not a fast read. Nor, having read it, are you likely to hold it in your head. What if you could skip to the parts that are most interesting for you? This post suggests a simple approach to doing just that. Continue reading “What parts of the GDPR are most relevant to you?”
Although the trend is not apparent at the time of this writing, I expect to see a lot of listings for positions as DPOs (data protection officer) in the near future. If you’re being considered for such a position, I assume you are familiar with the GDPR. Suppose you have an interview and get an offer; what should you consider before accepting the job? Specifically, are you willing to risk financial liability for it? Continue reading “Who wants to be a DPO?”
Another week, another data incident. The GDPR is arriving none too soon. Let’s hope that it can slow the tide that is washing our personal data out into the internet data-ocean.
This time the victims are the citizens of Sweden, or at least those who have a vehicle registered, are in the police or military, or who are protected witnesses. In other words, a nightmare scenario, which clearly would be a violation of the GDPR (that is, when it comes into force some ten months from now). Continue reading “Sweden’s data breach: a cautionary tale”
Should versus shall
Sitting down to read through the GDPR is not a casual undertaking, but initial skim-throughs left me wondering about the word should, which one encounters often in the text of the legislation. It seemed odd to me that legislation should merely suggest behaviors and outcomes; I had assumed that legislation is a recital of what you must (or must not) do.
It might be useful to compare the frequency of words like ‘should’ and ‘shall’ (known to English grammar as modal or auxiliary verbs) in the GDPR in order to understand the intentions of its creators. What are they trying to convey with their use of these different modal verbs? Continue reading “Considering the GDPR as a whole”
In The Data Inventory, Part 1, we saw how a data inventory can be started with a single-table format in a spreadsheet. In this post we will use relational tables to modify and enhance this design with additional information about our data: a global view of all our databases, plus a global view of our data items. Continue reading “The Data Inventory, Part 2”
News stories reinforce the reality of privacy incidents. Today I plan to discuss a story from The Register, one of my favorite tech sites. The article is short and well worth reading. Don’t miss the comments, which raise interesting points.
BUPA, a UK health insurance company, suffered a leak of more than 100,000 customer records, including phone numbers and email addresses, due to the actions of an employee. Continue reading “BUPA suffers an incident”
Let’s get started on something concrete. One of the first things you’ll need to launch your privacy-compliance effort is an inventory of what data you are currently storing. This inventory will be at the core of your efforts, and will be the reference point for stakeholders. In this article I suggest a basic approach to get started using a single table. Future posts will add more tables to provide additional information, so that in the end we have a small schema for our inventory. Continue reading “The Data Inventory, Part 1”
Confronted with the enormity of an effective compliance effort, you are likely to be overwhelmed. For one thing, your resources are likely to be meager. For another, the typical objective at this point is merely informational (“look into it”, “impact assessment”, “cost estimate”). From management’s point of view, this is a reasonable request. From your point of view, it’s not; the information is not lying around, but must be collected from dozens or hundreds of applications, databases, filesystems, and more. Continue reading “What to do first”
This blog is dedicated to questions raised by the pending application of the GDPR (General Data Protection Regulation), which is coming into force on 25 May 2018.
- My experience, as a data modeler and analyst, is that very few data-processing shops have begun compliance measures.
- Online materials focus on the headline aspects of the legislation, such as fines, audits, and liability, but few address day-to-day practical concerns.
What this blog aims to do is to leave the strictly legal questions to the lawyers and instead discuss the impact of the GDPR on business and IT, particularly in Belgium.
What follows are some GDPR challenges that have occurred to me thus far:
- getting started, given the vast number of tasks required
- it seems that IT operates with more limited resources than ever before; how can we fit privacy protection into this minimalist landscape?
- visualizing the end-to-end development process
- organizing roles and responsibilities
- the relation between privacy and security measures
- managing the process/traceability paper-shuffle
- pondering open questions about non-EU providers, such as cloud applications and outsourcing companies
Viewing GDPR as a business risk
- risk assessment
- contingency planning
- revenue flows (e.g., marketing, selling data)
- Retro-fitting existing applications to make them compliant
- Organizing the development process to implement “Data protection by design and by default” (one of the chapters of the GDPR)
- How we might integrate Agile-type practices into protection-by-design
The Big Picture
- the global struggle between guarding privacy and the profitability of personal data
- globalization trends (cloud, outsourcing) and the conflict with privacy
- what level of protection is ‘good enough’?
Reading the text of the legislation
- what does it say on its face?
- where could we benefit from guidance from legal experts?
- assuming that national privacy auditors will use the legislation as a guide, how can it help us in our processes and contingency planning?
Ongoing developments – Given that privacy incidents, data breaches, government action, court cases, and more can be expected in the run-up to GD-day, I will discuss events that appear significant to a broad audience.
Being new to blogging in general and WordPress in particular, I expect to have some teething problems. In particular, I will have to learn how to handle comments so as to keep discussions civil and on-topic. Please bear with me; I hope you will find this to be a useful resource.