GDPR: from paper tiger to automation
The GDPR is an EU law in force since 2018. It is the toughest privacy and security law in the world and forces companies and organizations to think carefully about how they use personal data. Companies need to train their staff and implement technical and organizational security measures to protect personal data.
Implementing this law is not easy. Many companies do not know how to become compliant, or even what counts as a data breach, as the large number of complaints shows. Research shows that more than half of organizations do not comply with the GDPR rules and think they “may never be able to comply”. One important aspect is accountability: strict requirements are set for data protection, the prevention of data leaks and the formulation of an ICT security policy.
GDPR fines are designed to make non-compliance a costly mistake for both large and small businesses. The more serious infringements can result in a fine of up to €20 million, or 4% of the firm’s worldwide annual revenue (https://gdpr.eu/fines/).
Recently, the Dutch OLVG hospital was fined for insufficient security of its medical records. The Dutch Data Protection Authority (AP) imposed a fine of 440,000 euros on the Amsterdam hospital. Between 2018 and 2020 the hospital had taken too few measures to prevent unauthorized employees from accessing medical records.
The GDPR places the burden of proof on the organization, especially in the event of a possible data breach. You must be able to show that you have done everything within your own organization to prevent a data breach. Skopos automatically keeps track of that burden of proof for you so that you are always up to date. We see that the key to a correct policy lies in three areas: prevention, monitoring and detection, and burden of proof.
Good data hygiene starts with an action plan. Most European countries have a step-by-step action plan and provide clear guidelines on how to act in the event of a data breach. They indicate that security is a continuous process (plan, do, check, act), in which you must keep monitoring whether the security measures taken are still adequate, and in particular focus on the role the employee plays in this process. Does the employee:
- Have awareness of the information security risks of his or her role?
- Show the correct behavior when working with information?
- Use the right applications for the work?
- Work from a secure laptop and smartphone?
Monitor & detect: from a legal problem to a technological problem
The most important step is the analysis of the situation. Where are we now, and which data is processed where, how and why? Technical and organizational measures are elaborated in the register of processing activities. In the event of a data breach, new questions arise: what happened and how big is the damage? A complete overview is therefore essential. The GDPR places the burden of proof on the organization, especially in the event of a possible data breach, so it is always important that you have done everything within your own organization to prevent one.
The most effective way to measure behavior is through questions and testing. How does the employee score on information security risks? Does the employee understand role-specific risks (e.g. handling of the BSN, the Dutch citizen service number)? You can record the outcome and use it to set up targeted training. This increases employee awareness so that behavioral change takes place in the workplace. Skopos implements this component by regularly issuing a questionnaire and conducting phishing tests.
In addition to people, there is technology. As an organization, you want to know at any time: does the employee work from a secure laptop and smartphone? Is the employee using the right tools? Is there no unwanted software installed, such as BitTorrent clients or browser toolbars?
Burden of proof: demonstrably aimed at prevention
The GDPR places the burden of proof on the organization when a data subject submits a request, and especially in the case of a possible data breach. For every data breach, the organization must be able to show that it did everything reasonably possible to prevent it. With Skopos you provide that proof through digital records showing that your employees:
- Use the right applications
- Do not have unauthorized applications in their workplace
- Apply encryption to data communication
Furthermore, it is visible at a glance that you:
- Actively measure knowledge of the policy and create awareness
- Actively identify and resolve vulnerabilities
- Keep vulnerability management measurably in order
- Actively look for credentials that can be misused
The GDPR and ISO27701 rely largely on ISO27002 for their technical and organizational measures. Beyond the well-known ISO27001 audit checks of design, existence and operation, the GDPR also asks for “effectiveness”. With Skopos you scan for the effectiveness of the measures taken in relation to the GDPR. This provides peace of mind and security within the organization.
You can avoid significant fines from a national Data Protection Authority by being able to demonstrate that your organization has made every effort to prevent a data breach.
This GDPR solution can thus be installed with a single click. Technology can help a Data Protection Officer (DPO) map these steps, fully automatically and continuously updated. This makes it easy to download all the required data from the platform and so fulfill the obligations. It reduces the risk of fines and makes manual work superfluous. Obtaining certificates or accounting for personal data in an annual report can also be handled in the platform.
But companies have to be careful. Not every solution-oriented approach is necessarily future-oriented. You may be compliant at the moment, but will you remain so? Legislation in different countries is changing, and problems that do not yet exist may play a role in the future. Technology that keeps your organization GDPR-proof 24×7 prepares your organization for these changes.
On the Skopos platform, all tools, applications, networks and systems are continuously scanned so that vulnerable software, workstations and servers are immediately visible. Data leak detection catches problems before they turn into incidents. The Skopos platform gives you the burden of proof that you have created awareness among your employees. It also shows that vulnerabilities are resolved and that you actively search for credentials that could be misused. With Skopos you scan for the effectiveness of the measures taken for the GDPR. This provides peace of mind and security within the organization and gives you control over your GDPR policy.