In this video, Mandy Huth outlines runbooks and processes associated with GDPR. Learn about process objectives, runbook protocols, and technical information to include, as well as security details.
- [Instructor] Having appropriate processes and runbooks that outline execution procedures is a core tenet of an organization's ability to react to a data breach. A process is simply a series of actions or steps taken in a specific order. These processes can be automated or manual. They can be technical or not. The primary objective should be to standardize the process in a way that can be simply executed. Note that simple does not always mean easy for an organization.
Once a process is standardized, an organization can create a runbook with specific tasks and protocols. This type of reference can be beneficial in times of pressure or crisis, since many people can get disoriented and sidetracked due to being overwhelmed. Having a runbook also protects an organization in case a key participant is absent, by allowing an alternate person to execute those tasks. The more an organization includes in the runbook, the better prepared they will be.
Some core things to include are an overview of the system and its setup. An example of this would be the operating system platform and its current version, or perhaps the application that may be hosted on it. It's also important to include operational tasks, such as how to boot up the system and how to run certain commands. Very, very important is a procedure for recovery. If a team needs to restore a system because it is lost, are those procedures documented in a way that they can execute? Not only is system configuration important, but including security actions helps too.
Who is the system owner? Who has access to the system? Is the data flowing to or from the system, or both? And how quickly does the system need to be recovered to minimize impact to the organization? These are all important questions that, when included in the runbook, can help an organization decide on next steps. Enabling an organization with standard processes and tools will heavily influence their reaction time and capabilities during a data incident.
DISCLAIMER: Neither LinkedIn nor the instructor represents you, and they are not giving legal advice. The information conveyed through this course is not intended to give legal advice, but instead to communicate information to help viewers understand the basics of the topic presented. Certain concepts may not apply in all countries. The views (and legal interpretations) presented in this course do not necessarily represent the views of LinkedIn or Lynda.com.