Building trust in a GDPR world

Many EU-based companies, if not all, have extensive GDPR projects under way. Essentially all have business partners with which they exchange information. Understanding how responsibility for these data exchanges is distributed with regard to GDPR compliance is probably one of the areas companies are least comfortable with, as they do not have direct control over all of the processes at these business partners.

Companies need to rely on the systems and processes at these business partners for protecting and maintaining the information they share with them and their adherence to the contracts in place. We have been dealing with these types of ‘trust’ issues for a long time and we have seen how things played out in real life before. No matter how uncertain, complex, strict or vague, difficult or seemingly endless some of these new regulations appear, the market always finds a way to work through it and create a new ‘business as usual’.

How a company chooses to provide its business partners with this trust depends on a number of factors. Based on what we see in other countries and how companies react to these needs, one of the most sought-after solutions will be the issuance of attestation reports. We can expect that more customers will put specific clauses in their requests for proposals and choose vendors or business partners that can provide the level of assurance these reports offer. It remains to be seen whether a certification track may also be a possible solution, but we would expect that, as we have seen in other countries, the path to certification would at least be supported by the issuance of attestation reports.

There remain numerous questions as to how this will develop. What role will the local regulators play in this going forward and what position will they take as to attestation versus certification? Will there be any GDPR certification possibilities in Norway? How will the methods implemented in other countries affect Norway’s chosen preferred method and will Norway have a choice to do anything but follow the pack? In any event, it will be exciting to see how this develops in the coming months and years.

Read the full article "GDPR - The way forward to 'business as usual'" here. The article was published in Sirk in December 2018.


About the authors

Kevin F. McCloskey, CISA, CIA, CRMA
Kevin is a Director at Deloitte and has over 27 years of experience working with third-party reporting (ISAE 3402, SOC 1 / SOC 2 / ISAE 3000), Sarbanes-Oxley compliance, IT audit, information security consulting, internal audit and IT-based internal control services. He is currently leading Deloitte Norway's Third Party Attestation services group and is responsible for delivering multiple ISAE 3402, SOC 2 and ISAE 3000 engagements to the Norwegian market.

Contact: +47 913 68 848

Bjørn Jonassen, Partner
Bjørn is a privacy and cyber risk expert and program manager with more than 20 years' experience in privacy, risk and IT consulting. He is a Partner in Deloitte Cyber Risk Services in Norway and has a background in both the financial and IT sectors. He has supported numerous clients in assessing and addressing privacy and GDPR compliance. Bjørn is proficient in local and EU privacy regulations as well as several cyber risk and information security frameworks. He is certified as CISSP, CISM, ISO 27001 Lead Implementer and Auditor, and in ITIL.

Contact: +47 992 27 420
