EA case study - GDPR risk exposure

How big is our GDPR risk exposure?

Photo: Adobe Stock


The evaluation of our risk is loosely based on the model Claudio described in the last post.

As this company is a startup with low revenue, the scale for financial metrics is not relevant for us.

The two factors we look at now are violation of regulatory and legal requirements and disruption of business activities. The reputation factor and financial implications are not in scope now.

Regulatory and legal requirements

The main part of our value chain is not covered by regulatory requirements, which is why we focus only on GDPR in this risk assessment.

We have published on our site (http://www.artmann.co.uk/quality/legal/gdpr) a description of which type of personal information each main process uses, how long we keep it, and contact information for GDPR-related questions.

With limited effort we can manually provide individuals with the actual information we have stored about them, and update or remove that information. This process is not documented in detail, so there is room for improvement.

However, the right to have information transferred to an individual is not well supported in our current IT systems.

As we are a media company, and the vast majority of the data we manage is media of different types rather than register (structured record) information, this is difficult to manage. The challenges include:

  • media that is work in progress, sometimes for more than a year

  • media that contains information about several persons and cannot be separated

  • exceptions in GDPR for certain purposes

  • copyright laws

  • huge amounts of data

Right now, we don't have a clear view of whether we are compliant with the regulations for transfer of personal information, nor is this documented in our processes.

Disruption of business activities

The number of customers, suppliers and employees is low. The amount of sensitive information about customers, suppliers and employees is also low. But the number of individuals in each production is growing rapidly.

We have huge amounts of media, some of it containing sensitive personal information, but the majority of this material is managed with solutions that have more restrictive access rights and stronger security measures.

The IT solutions are hosted either in the cloud or on-premises. The lack of single sign-on and the use of different systems for managing access rights make it hard for an attacker to get full access to all systems with one exploit.

We also update most software automatically, install security patches without delay and run only supported versions of software.

This is why we assume that both the likelihood and the consequences of a security breach are not very high.

Actions

We have to initiate a new GDPR project to resolve the open questions, primarily about process documentation and transfer of data.