Assurance Considerations for Ongoing GDPR Conformance

If you have reviewed my bio, you are aware that I have more than 30 years of experience in all aspects of information systems. I started out as a BASIC programmer working for a small software company where many of the customers were still using computers that ran the CP/M operating system with 8-inch floppy disks. Computer literacy and the accompanying controls (e.g., encryption) were only in their infancy, so, for testing purposes, we often requested that copies of clients’ data be sent to us in the post. We once received a photocopy of a disk. On another occasion, the disks were folded in half so that they would fit in an envelope.

I, and the industry at large, have been through several projects since then, including the Millennium Bug (Y2K), the Euro Conversion and, most recently, the EU General Data Protection Regulation (GDPR). However, there is a significant difference between GDPR and the other projects. While those projects had hard deadlines, GDPR is something with which our enterprises must continue to comply.

So, now, how can we mitigate the ongoing risk of nonconformance? How can we ensure that the newly developed GDPR processes and procedures transition into day-to-day practices and become business as usual?

Early in 2018, ISACA released Implementing the General Data Protection Regulation. Annex 1 of the document defined nine core GDPR processes in a COBIT 5-like process model to form a data protection management system (DPMS). These processes should be mapped to your enterprise’s existing GDPR processes and reviewed from an assurance perspective.
