– By Anders Kingstedt, CEO, Mjukvarukraft
This will probably be the last post, for now, on the topic of GDPR from us. ”‘Nuff said” is probably the sentiment of many people after having been flooded by posts related to GDPR for years now. However, following recent articles highlighting the poor awareness among small businesses, I can’t refrain from sharing how we’ve tackled the task of becoming GDPR compliant ourselves. Here’s an insight into Mjukvarukraft’s GDPR compliance efforts.
In a previous post (http://www.mjukvarukraft.se/gdpr-stressad/) – Swedish only, sorry – we offered some advice on how to approach the GDPR compliance effort. We outlined the following high-level, step-by-step approach:
- Understand: in this step, the articles of the GDPR (i.e. the actual core requirements) are mapped to the service, system or application at hand. The relevance of each article is recorded, together with an initial assessment of the degree of compliance or breach. In this initial round of assessment, responsible roles and individuals are linked to the various areas covered by the analysis.
- Survey: in the next step, the PII that is processed is compiled, described and classified. How the information is processed is also analyzed and described (i.e. operations such as view, update, add, etc.), stating the roles and/or individuals with access to the information and each one’s access rights. Prioritize.
- Fix: perform the measures deemed necessary to meet the GDPR requirements, based on the analysis made in the ”Understand” and ”Survey” phases. Measures might include enforcing a stricter security and access policy, encrypting PII data, adding pseudonymization capabilities and more. Note: far from all measures need to be technical; simply getting a handle on where data is stored and who has access to it, and setting up routines for handling any PII data breach (including, of course, reporting and communication), are key.
- Verify: in the last step, we revisit steps 1 and 2 to ensure that the fixes, whatever they end up being, have been properly done.
Now, these steps are of course very generic. Apart from the explicit references to GDPR and PII, it can be argued that they apply to just about any IT project. That is true, but it is also part of the point. Beyond them, I’d like to offer some additional suggestions on how to handle GDPR.
- Password-based authorization? Now might be a good time to take a look at standards-based authentication and authorization mechanisms. They make it so much easier to gain control over users’ access to sensitive data. (Then again, if you have unprotected data lying around in e-mail systems, chat rooms and Excel spreadsheets, you might have more serious problems to handle…)
- Lost control of where your data is? Now’s a good time to start taking command of it. It’s not only a matter of obtaining GDPR compliance; it’s also a matter of regaining the confidence to operate on your organization’s data. Period.
- Keep it simple. GDPR compliance doesn’t have to be hard. A record of where the data is and who has access to it, and perhaps a simple plan for eliminating data redundancy, will take your organization a long way towards compliance.
Finally: we’re getting a really good grip on much of what goes into true GDPR compliance. For one of our clients, we’ve developed ”Anubis”, an application that adds authentication, authorization and logging capabilities to existing applications and services. It also lets the user investigate where PII and other sensitive information is stored and add the appropriate access controls based on user roles and privileges. The screenshot depicts the administrative UI of Anubis. If you’re interested in learning more about Anubis, don’t hesitate to contact us.