COBIT and GDPR - a perfect partnership?
Having spent many years working with COBIT, and more recently GDPR, I can't help but see endless crossover between the COBIT framework and the requirements of GDPR.
COBIT will ask you at the outset to:
- APO01.01 Define the organisational structure
- APO01.02 Establish roles and responsibilities and their activities
- APO01.06 Define information (data) and system ownership
- APO01.08 Maintain compliance with policies and procedures
The above tasks all align well with the Discover phase in GDPR Mentor, which is all about understanding what you have and how it is used. Defining your organisational structure in this way aligns with the GDPR Accountability Principle.
COBIT also documents:
- BAI02 Manage Requirements Definition
- BAI03 Manage Solutions Identification and Build
These can also be used to support your Privacy by Design and Data Protection Impact Assessment processes if you do not already have processes covering these areas.
Within DSS02 Manage Service Requests and Incidents, COBIT also provides a framework for responding to incidents, allowing you to put in place processes for Breach Management and Subject Rights requests.
You could implement COBIT, or implement GDPR Mentor, which has taken the above and applied it specifically to GDPR.
Further information on the COBIT framework can be found here: http://www.isaca.org/cobit/pages/default.aspx
Whilst COBIT alone will not get you to GDPR compliance, by implementing the COBIT framework or GDPR Mentor (which may soon support COBIT #Roadmap) you will be ready to demonstrate control over your data should the worst happen and you get a knock on the door from the ICO.
To find out more use the Contact Us form for an informal discussion about your GDPR challenges and if GDPR Mentor is a fit for your business.