Information security – to say or to do, that is the question

Industry-related

Information security has been high on the agenda of organizations, especially since the new General Data Protection Regulation (GDPR), but also since the Swedish Transport Agency incident in 2017. Many organizations are working diligently on digitalization and on the security of how digital data is handled, yet the Swedish Data Protection Authority still receives many complaints and reports concerning the processing of personal data under the GDPR.

GDPR – quality work or law enforcement?

On May 25, 2018, the General Data Protection Regulation (GDPR) took effect in the EU; data protection under the GDPR is one part of information security. Recently, the Swedish Data Protection Authority published a National Privacy Report that shows how the implementation of the GDPR has gone for Swedish organizations. When it comes to privacy and data protection, the IT and telecom industry has come further than other industries. Half of public and private organizations consider that they are actively working on data protection through more structured quality work linked to their own activities.

The Swedish Data Protection Authority’s privacy report shows how companies, authorities and other organizations have worked to adapt to the regulation. Despite many complaints, reports and a decline in trust in social media and apps, the report shows that organizations have achieved a lot during the year.

Much has been achieved, but how far has it really gone?

The majority of citizens in Sweden know what the GDPR is and what rights it gives us as private individuals, but according to the Swedish Data Protection Authority, half of Sweden’s organizations lack active and continuous work on data protection. The report also points to a lack of expertise on how to implement the regulation in smaller businesses, as well as low interest from management teams in some organizations. Public authorities and municipalities, on the other hand, face different challenges, as they often have many older systems that take a long time to integrate with new internal systems and cloud services.

How does Savecore work with information security & GDPR?

Savecore offers consulting services and technology solutions that can facilitate your organization’s work with information security. Anders Nordlander works in customer assignments as a certified data protection officer and has many years of experience in information security.

Here’s how to do it

Here Anders gives his insights on how to handle this as an organization.

1. Why should you work on information security?

Everything is a matter of trust between different parties. Safeguarding privacy is essential, as it involves both personal data and organizations’ digital information. If information is leaked, it is important that the organization acts effectively according to established procedures for incident reporting. The information needs to be classified, as there are different types of information and digital data. You need to keep track of who has access to the information and where it comes from, and have sound life cycle management: when should the information be saved? When should it be archived or deleted? How do you do this with the best security?

2. What to consider about the GDPR?

As an organization, you should be transparent and clear about how you use your customers’ personal data and information. The more transparent, clear and informative you are, the more trust you will gain with your customers. Information security with a focus on personal data management and the GDPR should be part of the daily quality work of organizations and be governed by business management, i.e. primarily through responsibility and authority.

3. How to proceed?

By using common sense, communicating and raising awareness in your organization, you have good conditions for working qualitatively with information security. This may sound obvious, but in practice it is mostly about getting everyone on board. To begin effective information security work with a focus on personal data management and the GDPR, the starting point is to determine the purpose of the processing of that data. The attitude should be not to process more personal data than you need. Here again, common sense comes into the picture of needs: what is it that you really need? Of course, you must keep track of the conditions surrounding your own activities for legal compliance, but when it comes to practice, it is mostly about what you do and not what you say you do.

Contact sales@savecore.se for more information.

Daniel Brorsson
System Architect
