General Data Protection Regulation (GDPR) > My contribution!

The aim of the GDPR is to protect all EU citizens from privacy and data breaches in an increasingly data-driven world, one vastly different from the time in which the 1995 directive was established. Although the key principles of data privacy from the previous directive still hold true, many changes have been proposed to the regulatory policies.

For our department we manage around 15 – 20 organisational information systems, a few of which are classified as critical for confidentiality. We already had a good organisation set up to comply with the previous legislation. In addition to the GDPR, which will be effective from May 25, 2018, we are working on a number of improvements and implementing new solutions. Overall there are a number of tasks via which I contribute to our organization to comply with the GDPR. Here’s an overview:

  1. Authorization and authentication:
    1. I ensure that our authorization policy for all systems is in order. Every year the policy is updated where necessary.
    2. Through standard authorization matrices, we issue rights to system functions based on the business function of the system users.
    3. Twice a year, for one of the systems, I check with the supervisors of the colleagues whether the system rights issued still match the company functions of the employees.
    4. Coordination of the authorization application process and, where possible, digitization of this process (per system).
    5. Within the organization, we conduct an investigation into which systems, functionalities, end users and situations require two-factor authentication. When this analysis is finished, I coordinate the implementation of the measures for the systems under our management.
  2. Coordination of the preparation of system classifications of systems under our management and of the implementation of the proposed measures.
  3. Coordination of the information (security) audits of the systems under our management.
  4. Coordination of the development, approval and documentation of system links to and from the systems under our management.
  5. Coordination of the information data register for our domain. This specifies which information is processed in the process, what the (legal) storage periods are, and the source systems.
  6. Do not use production data in test environments. Within the organization, we conduct an investigation into the best possibilities. The challenge here lies in the execution of chain tests with multiple systems, from multiple departments (internal) and even external parties. The solution will differ per system. Possibilities are: anonymization, pseudonymisation, data simulation. As extra security, we propose to organize the authorization of test environments the same as for the production environment.
  7. Research into the possibilities to clean up the various data streams when the retention periods expire. The challenge here lies in the execution of chain tests with multiple systems, from multiple departments (internal) and even external parties.
  8. I provide an overview of: contact persons in case of calamities, and the status and location of contingency plans and calamity test plans. In addition, I coordinate the preparation and management of the calamity test plans, and I coordinate with our director about business continuity in the event of a calamity as a result of which our systems risk being offline for a long time.
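The twice-yearly rights check under point 1 (issued system rights compared with the employees' company functions, via the standard authorization matrices) is essentially an access recertification. The script below is an added example of how that comparison can be automated; it is not the author's or the organisation's own tooling. The matrix, the HR view and the rights export are constructed sample data, and the field names are assumptions.

```python
"""Access recertification: compare issued system rights with an authorization matrix.

Added example (not the author's own tooling). For each employee in a system's
rights export, look up the current business function in the HR view, derive
the rights the authorization matrix allows for that function, and report
excess rights, missing rights and rights held by people who have left.
"""
from dataclasses import dataclass

# Constructed sample authorization matrix: business function -> allowed system functions.
AUTH_MATRIX = {
    "case_handler": {"read_case", "edit_case"},
    "team_lead": {"read_case", "edit_case", "approve_case"},
    "auditor": {"read_case"},
}

# Constructed HR view: employee -> current business function (None = left the organisation).
HR_FUNCTIONS = {
    "emp001": "case_handler",
    "emp002": "team_lead",
    "emp003": "auditor",
    "emp004": None,
}

# Constructed export from the system under review: employee -> rights actually issued.
ISSUED_RIGHTS = {
    "emp001": {"read_case", "edit_case"},
    "emp002": {"read_case", "edit_case", "approve_case", "admin"},
    "emp003": {"read_case", "edit_case"},
    "emp004": {"read_case"},
}


@dataclass(frozen=True)
class Finding:
    employee: str
    kind: str            # "excess", "missing" or "orphaned"
    rights: frozenset    # the rights the finding is about


def recertify(matrix, hr_functions, issued):
    """Return the list of findings a reviewer would take to the supervisors."""
    findings = []
    for employee, rights in sorted(issued.items()):
        function = hr_functions.get(employee)
        if function is None:
            # Account still has rights but the person has no business function any more.
            findings.append(Finding(employee, "orphaned", frozenset(rights)))
            continue
        expected = matrix.get(function, set())
        excess = set(rights) - expected
        missing = expected - set(rights)
        if excess:
            findings.append(Finding(employee, "excess", frozenset(excess)))
        if missing:
            findings.append(Finding(employee, "missing", frozenset(missing)))
    return findings


if __name__ == "__main__":
    for finding in recertify(AUTH_MATRIX, HR_FUNCTIONS, ISSUED_RIGHTS):
        print(f"{finding.employee}: {finding.kind} {sorted(finding.rights)}")
```

In practice the matrix and the HR view come from the authorization policy and the HR system, and the rights export from the system itself; the point of the script is that the review starts from the matrix (what a function should have) rather than from the list of rights (what people happen to have), so "excess" and "orphaned" findings surface automatically.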
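Point 6 names pseudonymisation as one option for keeping production data out of test environments, and points out that chain tests across several systems are the hard part: the test data must still link up between systems. The example below is added here to show one way of meeting that requirement; it is not the author's or the organisation's own solution. It uses a keyed HMAC so that the same customer number gets the same pseudonym in every export as long as the same key is used, while the key itself stays outside the test environment. The two system exports and the field names are constructed sample data.

```python
"""Consistent pseudonymisation of production exports for a chain test.

Added example (not the organisation's own tooling). Linking keys shared
between systems are replaced by a keyed HMAC pseudonym, so records from
different systems still match up in the test environment; direct
identifiers that the test does not need are removed outright; other fields
are kept as they are.
"""
import hashlib
import hmac

# Constructed sample exports from two chained systems that share a customer number.
SYSTEM_A = [
    {"customer_no": "100234", "name": "Jan Jansen", "email": "jan@example.org", "balance": 120.50},
    {"customer_no": "100235", "name": "Anne de Vries", "email": "anne@example.org", "balance": -15.00},
]
SYSTEM_B = [
    {"customer_no": "100234", "ticket": "T-1", "status": "open"},
    {"customer_no": "100235", "ticket": "T-2", "status": "closed"},
]

LINK_KEYS = {"customer_no"}              # pseudonymised consistently so links survive
DIRECT_IDENTIFIERS = {"name", "email"}   # not needed for the chain test: removed


def pseudonym(value, key, length=12):
    """Deterministic keyed pseudonym: same value and same key give the same token.

    Without the key the token cannot be recomputed, so the test environment,
    which never holds the key, cannot link tokens back to real identifiers.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "P" + digest[:length]


def pseudonymise_record(record, key):
    out = {}
    for field, value in record.items():
        if field in LINK_KEYS:
            out[field] = pseudonym(str(value), key)
        elif field in DIRECT_IDENTIFIERS:
            out[field] = f"<{field} removed>"
        else:
            out[field] = value
    return out


def pseudonymise_export(records, key):
    return [pseudonymise_record(r, key) for r in records]


def links_preserved(export_a, export_b, link="customer_no"):
    """True when every link value in export_b still resolves to a record in export_a."""
    return {r[link] for r in export_b} <= {r[link] for r in export_a}


if __name__ == "__main__":
    # Constructed key; in practice generated once per test run and kept with production, not with the test data.
    key = b"constructed-test-run-key"
    a = pseudonymise_export(SYSTEM_A, key)
    b = pseudonymise_export(SYSTEM_B, key)
    print("links preserved:", links_preserved(a, b))
    print(a[0], b[0], sep="\n")
```

Two caveats follow from the design. The key must be generated per test run and never reach the test environment, otherwise the pseudonyms are as good as the original numbers. And because the organisation still holds the key, pseudonymised data remains personal data under the GDPR; only a truly anonymised or simulated data set falls outside it, which is why the extra proposal in point 6 (authorising test environments like production) matters even after pseudonymisation.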

To be up to date on all the latest changes I follow the course ‘Privacy’ at KienhuisHoving.
I think we are on the right track to be in control of our data protection, but as always it is work in progress; there are always improvements to make. I’m up for the challenge 🙂

Liking my job 🙂
N.