IMPROVING UNDERSTANDING OF THE GDPR REQUIREMENTS BY ADVANCED TOOLS FOR COMPLIANCE ESTIMATION
1 National Laboratory of Computer Virology, Bulgarian Academy of Sciences (BULGARIA)
2 Institute of Mathematics and Informatics, Bulgarian Academy of Sciences (BULGARIA)
About this paper:
Conference name: 16th International Technology, Education and Development Conference
Dates: 7-8 March, 2022
Location: Online Conference
Abstract:
The General Data Protection Regulation (GDPR) entered into force at 25th of May 2018 and repealed the previous Directive 95/46/EC, the Data Protection Directive. The introduction of the GDPR poses a number of challenges to all organizations, regardless of their size and type. Their compliance with the requirements of the regulation and its unambiguous understanding by the organizations is a complex task, consisting of the implementation of principles such as Privacy by design and Least privilege. Organizations must be able to understand and document in detail the risks associated with data processing. They must be aware of what data they use, how they manage and protect it, and how they prove their compliance with regulatory requirements.
Improving organizational knowledge and skills, related to data protection and information security are difficult, time-consuming processes which are nevertheless required to maintain GDPR compliance. This requires constant awareness trainings and campaigns. For large organizations, the difficulties in achieving GDPR compliance are centered around the application of a single model for self-assessment and practical application of the necessary controls. For small and medium-sized organizations challenges can range from just developing the necessary competencies and skills to a conflict between GDPR compliance and profitability.
This paper represents the developed advanced tool for improving understanding of the GDPR and compliance estimation. The tool brings together tested and approved solutions for self-assessment and aims to facilitate a higher degree of compliance with GDPR requirements by increasing knowledge and awareness of data privacy.
GDPR compliance can be achieved by improving the understanding of these four main categories:
(1) Asset management,
(2) Managing data processing,
(3) Information security and
(4) Proof of compliance.
The periodic utilization of this tool can bring many benefits to an organization:
- improving the understanding of the GDPR requirements;
- achieving sufficient compliance with GDPR requirements,
- integrating principles like Privacy by design, Least functionality and Continuous improvement into business as usual;
- defining and prioritizing tasks related to the 4 main categories, mentioned above;
- defining a set of policies and standards that can facilitate the organizations to comply with GDPR.
The presented tool has been implemented and tested in scientific institutes of the Bulgarian Academy of Sciences and several universities in Bulgaria. As a result of the training process and the performed self-assessments for GDPR compliance, the organizations are developing a set of policies and procedures, which are in the process of approval and implementation at the time of writing this paper.Keywords:
GDPR understanding, General Data Protection Regulation, GDPR requirements, GDPR compliance, GDPR self-assessment.