GDPR Challenges

Hi all, I wish you a Happy 2018, the GDPR year... Quick question: in which area are you finding more difficulties in the implementation of the GDPR?
A: Legal/Compliance
B: Technical/Security
C: Operations
D: Awareness
E: Other (please specify)
(2 ratings)

Comments

RE: GDPR Challenges

C: bringing GDPR operational is the main challenge, since it will be continuous and it has to be lean (no overhead allowed). I am looking forward to the sharing of world-class practices on GDPR implementations (no theory, but practical examples).
Marc Vael (Energizer) at 1/5/2018 9:44:11 AM
(3 ratings)

RE: GDPR Challenges

Hi,
I do agree with the above point that it's a challenge bringing it into operations; at the same time it's about awareness. Stakeholders are not that serious about it.
Anand292 (Energizer) at 1/6/2018 9:56:42 PM
(Unrated)

RE: GDPR Challenges

To Marc: we are hungry for practical examples ;) To Anand292: generally speaking, stakeholders are (almost) never serious about security/privacy stuff, are they?
Amedeo808 (Energizer) at 1/7/2018 12:54:42 PM
(Unrated)

RE: GDPR Challenges

Awareness is the main issue. If we are able to get stakeholders to appreciate the value GDPR provides in terms of compliance, privacy and enhanced security, then implementation will go smoothly and organizations will be able to appreciate the value across the enterprise.
AYODEJI837 (Social) at 1/7/2018 1:14:37 PM
(1 rating)

RE: GDPR Challenges

Hi, awareness is the main issue at the moment. As there are no practical examples yet, there are too many interpretations of what will happen after 25 May 2018.
Moreover, legal/compliance and technical/security should work together in order to ensure compliance, which is sometimes not an easy task due to different approaches to work.
Anna Vladimirova-Kryukova (Lively) at 1/8/2018 1:00:37 AM
(Unrated)

RE: GDPR Challenges

I agree with Marc. ISACA Netherlands will organise a round table meeting in Eindhoven on Monday 29 January to put all available practical experience together. Marc Vael, the Flemish colleagues are more than welcome that evening. I will try to publish a link here to the results. We will try to get English translations.
Gilbert van Zeijl (Social) at 1/8/2018 2:18:17 AM
(Unrated)

RE: Overcoming the GDPR Challenges

I agree that the challenge is to transform legal requirements into practical implementations. But this is probably a political issue because of the "tug-of-war" between lawyers and the data processing professionals. The solution is to use COBIT as a guide. If an organisation has implemented the COBIT framework it will have established its governance framework, management system and many of the operational processes. All that is required is to extend this implementation to cover the GDPR. Practically this means:
- extend the enterprise goals to include data protection goals
- cascade data protection goals to functional area goals, and then to enabler goals
- examine how the artefacts and activities that support the enabler goals impact the rights of data subjects
- adjust the artefacts and activities to conform with the GDPR
- extend existing operational processes to enable data subjects to exercise their rights.
We have taken our automated (web-based) COBIT governance and management system and customised it to be a "GDPR data protection management system". This means we link data protection principles and policies to operational activities within the COBIT processes using a management system (APO1). (This is not theory; it's a fully functional data protection system for the GDPR based on COBIT.) For some COBIT processes we need to add controls to manage the data protection risks. For other processes we have to implement or extend the activities needed to support the requirements of the GDPR. One of the features we have added is consent management, since consent will probably be withdrawn and need to be refreshed. Finally we have changed our governance dashboard to include charts to show overall progress with the GDPR activities across the enterprise and areas, activities of high GDPR risk, % done within specific business processes and compliance of selected technologies.
I can imagine that if a company has not actually implemented the COBIT framework and is not following the COBIT principles, then GDPR could be quite challenging.
peterhill (Energizer) at 1/8/2018 4:46:47 AM
(Unrated)

RE: GDPR Challenges

(Quoting peterhill at 1/8/2018 4:46:47 AM, above.)
What an interesting solution! I'd really like to take a close look at that system...
Amedeo808 (Energizer) at 1/8/2018 12:43:12 PM
(Unrated)

RE: GDPR Challenges

All four areas have their own challenges. It varies depending on the type of organization. GDPR focuses on personal data and data subjects' rights, which makes it harder for many organizations to translate that personal piece to their current infrastructure. While maintaining a good posture in GRC and COBIT will ensure the overall controls and best practice when complying with GDPR from an operational perspective, there is more to it than the systematic improvements. Awareness is hard because it's not just providing a training session to teach others about GDPR, about the dos and don'ts; people really have to understand the importance of privacy, be able to relate it to themselves, and then proactively help implement "privacy by design".
ShanShan (Social) at 1/8/2018 2:01:04 PM
(1 rating)

RE: GDPR Challenges

Currently experiencing B: Technical/Security AND C: Operations. Lucky to have our Executive Team providing full support, and retention of external Legal Counsel. IT Operations could struggle with the technical solutions required, along with a new "thought process" to design data protection at the beginning of several software/hardware upgrades with legacy application limitations. Finding NIST SP-800 and ISO27000 references most reliable and valuable. Many GDPR Working Party publications are excellent, and I wish there were more guidance documents from them! A possible solution to these challenges should occur through continuous monitoring and frequent [e.g., monthly] testing. It's good to be an IT Auditor collecting evidence of what works and demonstrating gap resolutions :-) The lack of good data protection design will be costly for many entities in future years. And then there's the Business that wants to have its cake and eat it too!
AAJullien (Social) at 1/12/2018 11:22:04 AM
(Unrated)
