What are control measures?
Under the European General Data Protection Regulation (GDPR), the legislator requires companies, taking into account the state of the art, the implementation costs and the nature and extent of the processing, to organize data protection by design and by default (Article 25 GDPR). In English this is referred to as taking control measures "by design". The GDPR also provides for codes of conduct and certification (Articles 40 to 43 GDPR). It is therefore reasonable to expect IT suppliers to equip their IT systems with control measures "by design" with which personal data can be effectively protected.
The legislator thereby encourages management to organize its business activities effectively, using business processes that include control measures "by design" with the aim of protecting (personal) data effectively. Protecting data means keeping the data reliable, confidential and accessible. Management can then also take responsibility for the data being effectively protected.
From a business point of view, organizing business activities with business processes in which control measures are included "by design", with the aim of effectively protecting company data, personal data and trade secrets, is a common requirement of company management. After all, the value proposition of having reliable data and being able to use it is extensive; see the business cases of the trust network.
The question is therefore: how effective are your control measures, and do the measures "by design" protect your data effectively?
How can we help you?
Do you have questions about organizing, implementing or expanding effective measures? Our service owners are happy to discuss your needs, case and/or problem.
The nature and size of the business activities, and the way those activities are currently organized in business processes and supporting IT, provide the context for inventorying and assessing the effectiveness of the control measures. After discussing the findings with employees and with the suppliers of the supporting IT systems, we advise how the control measures aimed at protecting data can be organized more effectively.
Depending on the business situation, we can identify the following steps:
- Step 1: The context describes the existing business situation and the relevant legislation, and gives direction to what must and what can be done. Overview of and insight into the business activities set the expectations for business processes that include control measures. Using the business compliance function, a picture is formed of the effectiveness of the control and security measures already taken.
- Step 2: Department management and employees are valuable sources of information for estimating the effectiveness of the business processes and the control measures included in them. By listening carefully to these employees, we not only open up a source of information but also prepare them for any changes in the organization of the business activities. A precondition for opening up this source is bringing the employees' knowledge up to the required level; we use targeted awareness and training programs for this. The technical information infrastructure is the business platform on which management organizes the business activities. More and more companies use popular platforms such as MS Azure, Google Cloud and Amazon Web Services to build and manage their business platforms. These platforms, which are data-driven in principle, offer a range of control measures that can be set up easily, cost-efficiently and effectively.
- Step 3: On the business platform, the company organizes its business activities using business processes that include control measures. The overview of and insight into the business processes, in which the roles with their tasks, authorities and responsibilities are recorded (the process models), provide an integral picture of the access rules to data. From this integrated picture we distil the control measures that we can expect to find in the applications.
- Step 4: IT applications support the process models. Sometimes these are generic functions such as administration or human resources, supported by generic applications. There are also primary business functions that are developed in-house or by IT suppliers on the basis of functional and non-functional specifications. The non-functional specifications in particular record which agreements have been made about the security and control measures. The project documentation and the compliance findings indicate to what extent those control measures are effective.
- Step 5: In the previous steps we have already discussed the findings of the business compliance function. Working together with the business compliance function provides a good picture of the appropriateness and effectiveness of the control measures taken.
- Step 6: The report usually consists of a report of findings, advice in which scenarios are elaborated, an outline plan of approach and a business case.
- Step 7: The report is drawn up in collaboration with the relevant department management and employees. This gives the report a realistic quality, and there is usually sufficient support for the realization of the recommendations.
Every business organization is different and requires a tailored approach. Sometimes management has reason to need confirmation that the control and security measures are adequate. If that confirmation is not forthcoming, management wants insight into the control and security measures still to be taken and into how to take those measures responsibly. A good conversation can be enough to allay the uncertainty.