The reasons for hysteria around GDPR
GDPR is the European Union’s response to corporate overreach and violation of individual privacy. Exponea recognizes the ramifications that may arise for online clients and is taking significant steps to assist them in compliance preparation.
E-commerce now has an obligation to clearly state what customer data is needed and for what, with whom it will be shared, in which countries, and for how long it will be held. A lot is at stake in this new environment, with penalties possible in the millions of Euros.
Lenka Gondova, Exponea’s Data Protection Officer (DPO) for GDPR compliance, explains why the majority of companies still feel unprepared for the legislation and why the sense of panic grows as 25 May approaches.
The uncertainty around GDPR stems from two main factors:
Many requirements depend on the particular circumstances of the data processing. This is why the text contains so many words such as “appropriate” or “possible” (e.g. “appropriate security measures”). The individual EU member states are expected to formulate more precise wording in their local laws, for example on data protection measures, on the DPO, or on when a Data Protection Impact Assessment (DPIA) must be carried out.
Temporary time delay in legislation across the EU
It is expected that the European Data Protection Board will review the proposed local laws in order to preserve the original spirit of GDPR. However, the ‘Board’ will be established on the exact same date that GDPR comes into application, 25 May 2018.
This will inevitably create a time delay.
Imagine 27 legislatures sending their legal proposals to the Board on the very same date that GDPR becomes effective, all in order to keep GDPR consistent across the EU.
This is happening at a time when we already have to be compliant. The Office for Data Protection doesn’t expect the local decrees to be ratified before the end of 2018.
But don’t panic
As a data-driven company, Exponea adopted an elaborate risk management methodology to address the situation. We are present in most EU markets, so we need to keep an eye on all the national data protection laws, which differ only in small details.
We strengthened our information security management system. Long ago, Exponea decided to go beyond what was compulsory.
Following the company’s culture and determination to be compliant, we made a voluntary decision early last year to implement ISO 27001 and ISO 9001 certifications, and we became certified.
With the ISO certifications, we embraced risk management from the perspective of the organization. GDPR instead assesses risk from the perspective of the data subject’s rights. It is a different perspective, but the logic behind it stays the same: there are threats, possible impacts and mitigation strategies.
To further assure our clients that we really do mean it, Exponea has just received a new “GDPR insurance certificate” with a special Cyber Enterprise Risk Management Insurance policy from AON.
Knowledge is power
A strong risk management approach helps us bridge the uncertainty and make the right decisions based on data.
Some matters are already clear today. Through internal training we ensure that the people who work with Exponea apply the basic privacy principles in their everyday thinking and actions.
We are currently working on an e-book to help our customers comply with GDPR requirements with a set of practical guides on how to do it using Exponea. Guides within our e-book will help you avoid losing millions on penalties.
Lenka Gondova: Exponea’s guru for GDPR has the answers
Lenka started consulting for Exponea during its preparation for ISO 27001 certification.
Internally, she was hired as CISO (Chief Information Security Officer). Since she was appointed Data Protection Officer (DPO), we have stopped using the CISO position, to mitigate the risk that combining the two roles would conflict with the independence requirements GDPR places on the DPO.
Lenka’s background spans several areas that have equipped her with a useful mix of skills at a time when GDPR is coming into practice.
Her main area of experience is IT audits and IT security audits.
Over the last 15 years she has carried out general IT audits according to ISACA auditing standards and certification audits according to ISO 27001 and other ISO IT-related standards.
IT audits led her to her two other certifications, gained during her IT risk management and IT governance years. Both are useful when coping with the diversity of GDPR requirements.
Lenka’s background in certifications:
CISA, CGEIT, CRISC, ISO 27001 LA, ISO 20000-1 LA, ISO 22301 LA, eIDAS LA, CSX-F. She is an expert on auditing, risk management and governance who supports the local Office for Data Protection in drafting the implementing legislation for GDPR certification and DPIA.
CISA – Certified Information Systems Auditor
CGEIT – Certified in the Governance of Enterprise IT
CRISC – Certified in Risk and Information Systems Control
ISO 27001 LA – Information Security Management Systems Lead Auditor
ISO 20000-1 LA – IT Service Management Systems Lead Auditor
ISO 22301 LA – Business Continuity Management Systems Lead Auditor
eIDAS LA – Trust Service Providers Certification Lead Auditor
CSX-F – Cybersecurity Fundamentals certificate