GDPR compliancy is a data flow management problem
South African businesses need to understand that GDPR compliancy involves more than drawing up policy documents, creating dataflow diagrams and doing data protection impact assessments (DPIAs). The GDPR is all about the actual protection of personal information (PI).
No policy document or assessment actually protects PI. In other words, the access to, processing of, and storage of the actual PI is the whole point of the GDPR.
So says Gideon Bouwer, cyber law and criminal law forensics specialist at Cyberlaw Forensics, who will be presenting on "GDPR compliancy: dataflow management with regards to an integrated IT solution", at GDPR Update 2018, to be held from 6 to 9 November, at The Forum, in Bryanston.
He says local businesses need to physically protect and conform to the data processing of PI, as required by the GDPR.
"SA businesses will, therefore, have to implement IT systems that enable data protection by design and default. To merely identify the problem by data flow diagrams (DFDs), DPIAs and other GRC tools, is insufficient."
Data flow management
According to Bouwer, GDPR and POPIA compliancy is effectively a data flow management problem. "Dataflow can be described as the movement of data through an IT system comprised of software, hardware or a combination of the two."
The GDPR demands data protection by design and by default, he explains. Article 25 of the GDPR further demands data protection through all the key data flow areas. "This obligation applies to when personal data is collected, how it is processed, the period of its storage and the accessibility to the data."
Simply put, he says three key dataflow processes can be identified: "Data inflow, data retention and management, and data outflow."
Therefore, Bouwer says data flow awareness and data flow mapping are essential for organisations to conform to and embed data protection by design and by default into their processes. "DFDs and a DPIA will become par for the course for all SA businesses that fall under the GDPR."
However, neither of these makes any business GDPR compliant, he adds. "These assessment tools merely identify the location of the PI and how it is processed. What the GDPR demands is the actual protection of the data subject's personal information."
It is these demands of the GDPR that will affect local businesses the most.
Delegates attending Bouwer's presentation will get to understand the difference between identifying the problem of GDPR compliancy and actually solving the problem of GDPR compliancy, through effective data management tools.
In addition, they will hear about securing PI, as opposed to merely identifying PI, through the use of effective data management tools. Finally, he will discuss tools for the identification of GDPR requirements, and tools for actual GDPR compliancy, through effective data management solutions.