Part 1: Illustrations for Data Protection and Information Security Audit Reports
Julia Sommer
AIA/DORA/NIS2/GDPR/MiFID II | GRC | Project/Program management | Critical Infrastructure
If you are like me and wish that data protection and information security documentation was more engaging, then you would probably like the sketches that I am sharing in this article.
The sketches are done in neutral colours, so as to fit any organisation's colours. The few texts are currently in Danish, but I can quickly produce an English version on demand.
How you can use my sketches
These illustrations are for educational purposes, for use in internal printed awareness materials or digital documentation and reports ONLY.
You can use my sketches for free in your compliance documentation, but I require that you mention my name (once per documentation/material/training session) as the author of the illustrations.
These illustrations are NOT for online use on websites and NOT for commercial use. If you wish to use them on your website - contact me for explicit permission.
If you know me personally and feel like giving me some love - then a little chocolate will go a long way. For appropriate size of chocolate donations - please see picture below :P
You can download the illustrations directly from the article in a suitable quality, or contact me if you need a better resolution or text in English. If you have other ideas for sketches - let me know and I will produce another batch soon.
My motivation
I have long been frustrated by 2 facts:
- Most compliance documentation is produced with either no images at all, or with very slick graphs and tables that only excite data-nerds and statisticians, but leave the average reader unengaged.
- Most illustrations about information security and data protection that you can find online are very generic, clichéd, standard stock footage and don't engage the average reader.
Therefore I wanted to explore the idea of creating human-centered ("borger i centrum" - Danish) compliance imagery that talks to our everyday struggles and accomplishments with data protection and information security. The current batch of images is inspired by activities in the public sector, but I will also be exploring industry-specific activities later, and I would appreciate your input, ideas and requests.
Processing of personal information in general
Hmm... We found some old personal information saved and stored in a place it should not be... How did it get here and how should we clean up this data protection mess now?
Hmmm... I wonder, what sort of personal information we have in this old database?
OH! I have no idea how my personal information is being processed, who has access to it and for what reason. It feels like I have no control over my personal data.
Storing, sorting and structuring personal information is also a processing activity and has to be in compliance with data protection law.
Hey! You have data and I have data - let's aggregate it. (But are you sure that you have a legal basis for such data aggregation?)
IT security
Password protection can often feel like Mission Impossible.
Communication between person and organisation
Customer service / municipality service communication with the person. Article 22.
Customer service, communication with a robot, automatic decision making, Article 22.
Online communication in general.
Collection and processing of personal information in self-service IT solutions. Security in online log-in solutions. Remembering passwords, MFA.
Audit in general
Yes, Audit (among other things) is about going through a lot of documentation, verifying that things are the way they are supposed to be according to law and standards, and finding deviations.
Your Audit reports are meant to be read and understood by a variety of employees within the organisation, so that they each can put appropriate corrective and preventive measures in place and improve compliance based on the audit findings.
Audit is like law: dispassionate, and it addresses the facts of the matter. And if you don't comply, then OFF with your head, or some such thing :D
Online surveillance and tracking
Are your website's privacy policies long and confusing? Or do they provide just the right amount of information to the user about the personal information that you are processing about them?
Website cookies have to be in compliance too.
How much tracking of people's personal information do you do?
Video surveillance.
Risk assessment
What is the probability of something going wrong here for the physical person?
What is the severity of the damage for the physical person?
Processing of personal information in care sector
Processing of personal information of children.
Processing of personal health information.
Finally
Let me know if you find these illustrations useful and if you are using them in your materials and documentation. If you have ideas for other relevant illustrations for compliance activities - please share your ideas in the comments and I will publish more illustrations later. :)
GDPR | DPO | CIPP/E | CIPM | ISO 27001 | Disaster Recovery
4y Really nice drawings - and spot on about the lack of illustrations in this area. They are definitely some I will think about including the next time we make some internal material.
Independent advisor in data and AI Ethics. Data Democracy and individual data control. Talk, teach, advise, analyse. Co-founder dataethics.eu More: digital-identitet.dk/about/
4y Love them, Julia
Agile Coach at Danske Bank / Visual Thinker
4y I love your drawings Julia Sommer! The emotions you drew create so much empathy for the characters & the situation!
Compliance specialist, GDPR, NiS2, public law, legal certainty, governance, legal advice
4y I love these simple drawings and they will be integrated in my next reports as DPO :)
Microsoft Chief Security Advisor, Independent Board Advisor & Trustee, Best-Selling Author, Chair & Keynote Speaker and Fellow British Computer Society
4y These are so great Julia! It’s so important to be human-centric in everything we do, especially when providing education and awareness, and helping people to understand the concepts