Evaluation of risk from GDPR

In the previous chapter we discussed the details of the business needs. In this chapter we discuss how to assemble the full evaluation of the GDPR state of affairs in a typical mid-size or large enterprise.

[Figure: Evaluation GDPR]

Use the impact categories below to evaluate each process individually and then the overall state of affairs. Each process is rated against every category, so a process that seems low-risk financially may still rate high on legal or reputational impact. The full definition of each impact category is:

  1. Legal consequences: violating the protection goals can result in legal consequences for the organization, e.g. in the form of fines or, under national law, imprisonment of responsible persons.

  2. Impairment of business activities: depending on the extent to which the organization's business activities depend on the information in question, a breach of the protection goals may result in significant disruption of those activities.

  3. Reputational damage: an information security incident can damage the organization's reputation with customers, partners and supervisory authorities, and the resulting loss of trust may outlast the incident itself.

  4. Financial losses: non-compliance with the protection goals may result in direct or indirect financial losses, such as losses due to manipulated financial data, remediation costs or lost business.

Conclusion:

We have described a pragmatic and easy-to-follow approach that gives the DPO a way to evaluate and demonstrate the level of GDPR compliance a company has reached. The next step is to apply it to an actual process and showcase the framework by revisiting the EA Case study - Impact from GDPR.