GDPR: My Final Conclusions

In my first three articles on GDPR I looked at the infrastructure business and the software business, giving a full overview of GDPR and what it will mean once it takes effect in May. I have received much feedback in different forms on these articles, most of it about how you, personally, as a consumer, find the liability of registry keepers (the data controllers, in GDPR terms) irritating. From the feedback I gather that not many are prepared to think about how their own business can be compliant; that is often considered someone else's job.

In my opinion, it’s a matter that concerns us all.

GDPR in Consultancy Business

As someone who works as an ICT consultant, it is easy for me to order people around. You can easily scare the other side of the table into feeling that nothing can be done about a particular situation. With scare tactics we could send everyone home. As I touched on in my first article, many users already feel this way.

I am here to say that, as a good consultant, you should help the customer reach full GDPR compliance. Taken in small steps, it is completely doable. As a consultant, you owe it to your clients to start preparing them.

When you have time, glance over the screenshots attached at the end of this article. Unfortunately, a tool is nothing unless you know how to use it. That is why we are here to help you, and why we help you gather the material along the way.

Once you have the material, the tools and the confidence, you will be able to navigate the GDPR waters on your own. Don't worry: if you feel overwhelmed, we are here to provide support.

GDPR’s Commercial Side

Prog-It has put together a four-day consultancy package for small and medium-sized clients. The four days are divided as follows:

  • Day 1: Introduction and business model documentation. Create a Privacy Map.
  • Day 2: Infra side. Inventory of software, systems and hardware. Outcome: an inventory document.
  • Day 3: Software side. Databases and users; an integration map of the systems. Outcome: an inventory document.
  • Day 4: Conclusions, report and proposals for improvement. A continuous development model to follow in the Privacy Map. Action points divided between the technical staff and internal company use. Optionally, a 2-3-hour information session for personnel on the findings, with a PowerPoint presentation.

The price is 1000 euro per day (excl. VAT), affordable for a business of any size.

How Do I Proceed?

Start with the reference questions. Take the following into consideration before addressing the Tietosuojamalli.

What is Tietosuojamalli? That is the Finnish name; in Swedish it is Sekretesskarta and in English Privacy Map.

If you are starting from an empty table and have nothing, begin with Data Sources or Databases.

Then move to "Systems." These are "smart systems" that are "designed" and contain "Data," not just Excel. Excel is considered a tool, and tools need no attention here.

Then move to Hidden Information. The aim of the Hidden Info step is to minimize exactly that; see the summary. Definition of hidden data: does management know where the data is and what it is?

External Sources are usually data that the registry keeper does not collect itself but uses; they are managed elsewhere.

Then there is an element called "Bin" in which you record the "System." Please note that the terms must be the same in every system and for every authority.

What Do BINs Do?

BINs link to each other, acting as the connection to a data source or database. Logical-level BINs refer to technical-level BINs but rely on different elements.

Once you have entered your BIN, GDPR practice requires that the policy be defined from the outset. For example, the technical policy requires access control. The BINs therefore form a logical link to one another.

It is worth approaching this visually at the beginning. The EDPS or your data protection authority recommends that you draw a picture of the specific relations between your systems, which gives you an in-depth understanding.

GDPR Right To Be Forgotten

This GDPR feature (the right to erasure, Article 17) must be actively added to the Privacy Map. You are probably wondering how. For example: the consent given to the registry keeper to process the data: what do I do with it? What happens if I withdraw that consent? It is very difficult to automate.

My proposal: make a portal through which both the registry keeper and the data subject can handle the data.

Another proposal: make a library of templates into which you can import systems according to the vendor's and manufacturer's specification. If company X delivers software Y, they can create a template for XY that clients can use in the Privacy Map.
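To make the BIN idea and the right to be forgotten concrete, here is an added example, written for this article and not part of the Prog-It tool (whose internal model is not described here). It treats the Privacy Map as a graph: data sources and systems are nodes, and each BIN is a link that carries named categories of personal data from one node to another with a defined policy. The hypothetical company, its node names, the "access-control" policy tag and the rule that data flows along a BIN from src to dst are all assumptions. With that model, three of the checks above fall out of the graph: which BINs have no access-control policy, which nodes hold data with no known owner (hidden data), and which systems an erasure request must be propagated to. It also emits Graphviz source for the picture the authority recommends drawing.

```python
"""Privacy Map as a graph.  Added example, not the Prog-It tool: node names,
the hypothetical company and the BIN semantics are assumptions."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    kind: str                  # "source" (database / data source) or "system"
    owner: str | None = None   # None: management cannot say who owns it -> hidden data
    external: bool = False     # not collected by the registry keeper, only used


@dataclass
class Bin:
    """A BIN: data flows src -> dst.  `data` lists the personal-data
    categories carried, `policy` the controls defined for the link."""
    src: str
    dst: str
    data: set[str]
    policy: set[str] = field(default_factory=set)


class PrivacyMap:
    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}
        self.bins: list[Bin] = []

    def add(self, node: Node) -> None:
        self.nodes[node.name] = node

    def link(self, b: Bin) -> None:
        # A BIN pointing at a system missing from the inventory is itself a finding.
        for end in (b.src, b.dst):
            if end not in self.nodes:
                raise KeyError(f"BIN {b.src}->{b.dst} references uninventoried node {end!r}")
        self.bins.append(b)

    def bins_without_access_control(self) -> list[tuple[str, str]]:
        """The technical policy must include access control on every BIN."""
        return [(b.src, b.dst) for b in self.bins if "access-control" not in b.policy]

    def hidden_data(self) -> list[str]:
        """Hidden data: nodes holding data whose owner management cannot name."""
        return sorted(n.name for n in self.nodes.values() if n.owner is None)

    def erasure_targets(self, source: str, category: str) -> list[str]:
        """Right to be forgotten: from the source holding the subject's record,
        follow every BIN that carries `category` downstream (breadth-first, so
        cycles in the integration map are safe).  Every node reached, the
        source included, must erase the record."""
        if source not in self.nodes:
            raise KeyError(source)
        seen, queue = {source}, deque([source])
        while queue:
            cur = queue.popleft()
            for b in self.bins:
                if b.src == cur and category in b.data and b.dst not in seen:
                    seen.add(b.dst)
                    queue.append(b.dst)
        return sorted(seen)

    def to_dot(self) -> str:
        """Graphviz source: sources as cylinders, external ones dashed,
        BINs without access control drawn in red."""
        lines = ["digraph privacy_map {"]
        for n in self.nodes.values():
            shape = "cylinder" if n.kind == "source" else "box"
            style = ", style=dashed" if n.external else ""
            lines.append(f'  "{n.name}" [shape={shape}{style}];')
        for b in self.bins:
            label = ",".join(sorted(b.data))
            color = "black" if "access-control" in b.policy else "red"
            lines.append(f'  "{b.src}" -> "{b.dst}" [label="{label}", color={color}];')
        lines.append("}")
        return "\n".join(lines)


def example_map() -> PrivacyMap:
    """Constructed inventory of a hypothetical company (sample data, not real)."""
    m = PrivacyMap()
    m.add(Node("CRM", "source", owner="Sales"))
    m.add(Node("Billing", "system", owner="Finance"))
    m.add(Node("Accounting", "system", owner="Finance"))
    m.add(Node("Marketing", "system"))                      # owner unknown: hidden data
    m.add(Node("Newsletter", "source", owner="Vendor", external=True))
    m.add(Node("Payroll", "source", owner="HR"))
    m.add(Node("HR", "system", owner="HR"))
    m.link(Bin("CRM", "Billing", {"name", "email", "address"}, {"access-control", "encryption"}))
    m.link(Bin("Billing", "Accounting", {"name", "address"}, {"access-control"}))
    m.link(Bin("CRM", "Marketing", {"email"}))              # no policy defined at all
    m.link(Bin("Newsletter", "Marketing", {"email"}, {"access-control"}))
    m.link(Bin("Payroll", "HR", {"name", "salary"}, {"access-control"}))
    return m


if __name__ == "__main__":
    m = example_map()
    print("BINs without access control:", m.bins_without_access_control())
    print("Hidden data:", m.hidden_data())
    print("Erase email starting at CRM:", m.erasure_targets("CRM", "email"))
    print(m.to_dot())
```

The erasure traversal is deliberately one-directional: a record that reached Accounting through Billing is found by starting at CRM, but a subject's salary in Payroll is not, because no BIN carries it there. That is exactly the gap a Privacy Map is meant to expose, and why the map has to be kept in step with the real integrations rather than automated from one system's point of view.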

When that is all said and done, you are ready to order! Do you want to learn more? Comment below and I will gladly call you.

Check out the screenshots below. I want to personally thank everyone who has been along for the GDPR ride and borne with all of my articles. To all the GDPR knights out there, know that you are ahead of the curve. This is critically important information that needs to be shared and digested before GDPR takes effect. Consider joining the masters by participating in one of our classes in the future. Who doesn't want to be a GDPR master?

Thanks for reading. Stay tuned for more updates and details.