Things we’ve forgotten about the GDPR
Just a couple of things we’ve forgotten about the GDPR
Just a short note on things worth remembering but usually forgotten.
1. The DPO (Data Protection Officer) needs industry-leading knowledge of both the law and cybersecurity; which of the two is easier to learn and keep up to date with?
2. The DPO is the regulator’s person inside the organisation. It remains management’s job to ensure compliance with the member state GDPR implementations. (Although I am less sure this remains so in the UK post-Brexit?)
3. When implementing new software, companies need to perform a privacy impact analysis, and if the system is deemed to be high risk, permission must be sought from the Information Commissioner.
4. The GDPR envisaged that third-party standards for good practice in cybersecurity would be established, but even the Commission seems to have forgotten about this. The cloud providers have agreed a standard, and both ISO 27001 & COBIT are available and offer certification of compliance. (There is an additional industry-agreed standard for credit card processing, PCI-DSS.)
Originally published at https://www.linkedin.com.