Given the apparent proliferation of data breaches (or at least their coming to light), I doubt that I can keep up, and so in future will comment only on those cases that illustrate some aspect of the GDPR.
That aspect today is the rampant push to get sensitive PII into the hands of cloud vendors and external (outsourced) developers and testers. I just came across some recent cases.
This blog is dedicated to questions raised by the pending application of the GDPR (General Data Protection Regulation), which is coming into force on 25 May 2018.
- My experience, as a data modeler and analyst, is that very few data-processing shops have begun to take compliance measures.
- Online materials focus on the headline aspects of the legislation, such as fines, audits, and liability, but few address day-to-day practical concerns.
What this blog aims to do is to leave the strictly legal questions to the lawyers and instead discuss the impact of the GDPR on business and IT, particularly in Belgium.
What follows are some GDPR challenges that have occurred to me thus far:
- getting started, given the vast number of tasks required
- it seems that IT operates with more limited resources than ever before; how can we accommodate privacy protection in this minimalist landscape?
- visualizing the end-to-end development process
- organizing roles and responsibilities
- the relation between privacy and security measures
- managing the process/traceability paper-shuffle
- pondering open questions about non-EU providers, such as cloud applications and outsourcing companies
Viewing GDPR as a business risk
- risk assessment
- contingency planning
- revenue flows (e.g., marketing, selling data)
- Retro-fitting existing applications to make them compliant
- Organizing the development process to implement “Data protection by design and by default” (one of the chapters of the GDPR)
- How we might integrate Agile-type practices into protection-by-design
The Big Picture
- the global struggle between guarding privacy and the profitability of personal data
- globalization trends (cloud, outsourcing) and the conflict with privacy
- what level of protection is ‘good enough’?
Reading the text of the legislation
- what does it say on its face?
- where could we benefit from guidance from legal experts?
- assuming that national privacy auditors will use the legislation as a guide, how can it help us in our processes and contingency planning?
Ongoing developments – Given that privacy, data breaches, government action, court cases, and more can be expected in the run-up to GD-day, I will discuss events that appear significant to a broad audience.
Being new to blogging in general and WordPress in particular, I expect to have some teething problems. In particular, I will have to learn how to handle comments so as to keep discussions civil and on-topic. Please bear with me; I hope you will find this to be a useful resource.