Where is the ‘low hanging fruit’ that you can pick easily without too much effort? Some things you can fix without needing to create business cases that take time with long justifications on why one should spend money on this specific project? Where are the ‘no brainers’? What you should do, once you’ve worked it out it’s quite obvious to all concerned!
Some EU countries has its own little quirks on their implementation of their national data protection laws. It’s these ‘quirks’ that are a little worrying, as they are by my definition deviations from what the EU Data Protection Directive has intended. Consequences are that they are further from meeting the new stronger requirements in the GDPR than other EU countries that have been stricter in their implementations such as UK and Germany.
Now in Sweden a ‘quirk’ is the ‘misbruksregler’, which I could strictly translate into the ‘misuse rules’ although this is actually wrong… but in my opinion more accurate than the actual translation 😀
What this rule states is that any personal data collected in an unstructured format is exempt from the Swedish data protection law (PUL). What this means is that all personal data that is captured in web forms for example, and sent to the Controller is exempt. So what you may think, it is only name and email address and some other stuff, like why the message was sent? However this is still personal data and in the GDPR must be treated as such.
This is one of those ‘no-brainers’ to find a ‘fix’. SecureMailbox is one such product, and the first product that Privasee stamped with a Privasee SEAL just beginning of February. First though you, as the Controller, have a single project (and perhaps a rather large one for the government sector) to just map all those hot web forms collecting citizens personal data 😉
Another ‘no-brainer’ especially in the private sector is something that came to my notice today. I was sat in a lunch seminar with NetSecure and NetSkope. Now Netskope is something called a ‘cloud broker’. They have a minimum of 60 guys/girls validating public cloud services and providing a rating on their compliance with privacy principles. For example one parameter, is who owns the personal data shared with the cloud provider? Now I liked that very much! For example, they evaluate different dropbox lookalike solutions and they get a colour coding based upon their security and privacy friendliness. They have functions to block services, and you have the information you need to make decisions on which services to block. It really is very relevant to BYOD and control over business information assets, and protection of personal data and most definitely a flavour of data loss prevention (DLP) without the complexity.
Is this security? I’m scratching my head over this, and yes, it is and more. It basically offers ‘confidence’ services, and are a new trend, and key to trust for whomever you may choose as your public cloud provider.
I’m not going to list more of the ‘no-brainer’ fixes in this post, there are loads, and I’m much too busy for that as following the work I’ve now completed on mapping the GDPR into the ISO 29100 Privacy Framework standard, I’m now mapping these no-brainers. So drop me a line if you want to help, or feel you have something to share!