General data protection regulation compliance at SMEs: guideline, incident response methodology, information security controls, and case company evaluation
Obanla, Olawale Michael; Sapozhnikov, Aleksei (2019)
All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
Permanent address of the publication:
https://urn.fi/URN:NBN:fi:amk-2019052110974
Abstract
Many small and medium-sized enterprises (SMEs) are struggling to attain compliance with the General Data Protection Regulation (GDPR), and comprehending all of its legal requirements can be a challenge for companies. The purpose of the thesis was to help organizations understand the requirements of the Regulation, how a personal data breach notification should be handled, and how to reduce the incidence of data leakages caused by staff errors. The aim of the thesis was to create a GDPR guideline and a GDPR personal data breach notification plan and form, to identify the most important information security controls against data leakages caused by staff errors, and, based on the research results, to evaluate the case company in order to encourage further development of its information security system.
This work used the General Data Protection Regulation as the main source of information to build the knowledge base for the thesis. Legal literature was used to define what compliance is, what the stages of regulatory compliance development are, and how compliance can be developed in organizations. Professional literature and research articles were reviewed on such themes as information security management, risk management, and incident management, in particular the ISO/IEC 27005:2018 standard and National Institute of Standards and Technology (NIST) publications. The InfoWatch report was examined to find information security controls that can strengthen a company's information security system against the most common types of data leakage caused by staff errors.
To answer the research questions, a thematic analysis of the theoretical framework was used to create a simple structure for the guideline and for the data breach notification plan and form, and to identify the most important information security controls against data leakages caused by staff errors. To construct a complete picture of how the case company approaches the requirements of the law, a semi-structured interview was conducted. The interview structure was framed on the research questions and their results, so that the questionnaire had three topics: the GDPR guideline, the data breach notification form and plan, and the findings on information security controls.
The research results were reflected in the GDPR guideline and the personal data breach notification plan and form, and the research work additionally defined the most important information security controls against data leakages caused by staff errors. The work evaluated the case company and proposed development measures towards fostering greater regulatory compliance and enhancing the information security culture. The case company was presented with the development proposals and is developing its information security culture on the basis of the results of the evaluation.
The work answers all three research questions, and the results can be used by SMEs to prepare for the GDPR and for personal data breach notification procedures, and to protect themselves against the most common types of data leakage caused by staff errors.