Organization
A large regional institution for higher education was highly aware of its responsibility for the proper processing of personal data of all students and employees. Changes in ICT facilities were an important impetus for the desire to improve information security and raise awareness.
Audittrail was requested to perform a baseline status assessment in 2017 for both privacy and InfoSec to prepare for the impact of the upcoming GDPR legislation. The results from this assessment were used to gain insight into the risks involved and to make recommendations on the improvements necessary to become GDPR secure and compliant. As a result, starting in 2018 an Audittrail DPO was appointed. Simultaneously, Audittrail took on the role of project leader for the Taskforce IBP (InfoSec and Privacy), and set up and executed a long-term awareness strategy.
- Baseline status assessment for privacy and information security
- DPO
- Taskforce IBP and awareness campaign
- E-Learning
- DPO continued
Challenge
The organization had already done a lot in terms of InfoSec and Privacy compliance. In order to ensure structural improvement, they asked Audittrail to deliver a project leader for an internal Taskforce. Our project leader, together with expert consultants, gave advice on reorganizing the internal governance for privacy and security compliance. Moreover, the Taskforce aimed to lift the organization to the next level of compliance.
In addition to mapping out a new governance organization, Audittrail was asked to plan and implement an awareness campaign. The general awareness campaign was expanded with social engineering exercises (mystery calling and a phishing test), as well as a lecture by a well-known security journalist. At a later stage we launched an e-Learning platform, specifically designed for Privacy and Security.
Solution
We delivered multiple documents at the end of the project. Firstly, a Security action plan for 2019-2020 was delivered. This included an extensive plan for an organization-wide audit cycle divided into multiple sprints.
For Privacy we delivered an overview of the different types of (sensitive) personal data that the various departments processed. This insight was an important part of the register of data processing activities the organization aimed to maintain. In line with our philosophy of transferring knowledge and leaving an organization fit to manage compliance independently, the organization was able to stay in control of privacy and security even after we completed the program.