GDPR and organizational measures
As an organization, you are responsible for the protection of privacy and information security.
You should also set up a policy and carry it out.
That is easier said than done.
Policy in three dimensions.
The law (GDPR)
This defines what is allowed and what is not. If you ask a lawyer about privacy law, you most likely get an answer overloaded with legal terms, telling you that according to the law you must comply with all the rules. You can get the feeling that doing business is impossible.
The information technology (IT)
This covers what you can protect and what the possibilities are for securing it with IT. If you ask an IT specialist what can be done for the privacy law, you most likely get the answer that with passwords, encryption and firewalls a lot can be done.
That is nice, but if you have 36 passwords and must log in 52 times (very exaggerated, of course) to reach your data, then it becomes very cumbersome and unworkable.
The organizational structure and culture
This concerns how the organization is organized around privacy laws and its employees. If you ask a business consultant what the privacy law means for you, you probably get the answer that it has very much to do with the attitude and behavior of the staff and the management/Executive Board. How do they deal with the Privacy Act, what can be done and what should not?
As an entrepreneur, this gives, in our view, “no clarity” about doing business under privacy law.
The measures that are taken are split into two parts:
– System (automated) management measures
– Manual (organizational) management measures.
That would mean that, based on a risk analysis and the decision whether or not to accept such risks, the measures are determined by following the business processes. In this way the GDPR implementation fits how your organization works.