Part 2: Illustrations for Data Protection and Information Security Audit Reports
Julia Sommer
AIA/DORA/NIS2/GDPR/MiFID II | GRC | Project/Program management | Critical Infrastructure
In this article I primarily focus on IT-security with some reflections on Data Protection sprinkled around the edges. Enjoy and as always leave some feedback and ideas in the comments for other relevant illustrations.
How you can use my sketches
These illustrations are for educational purposes, for use in internal printed awareness materials or digital documentation and reports ONLY.
You can use my sketches for free in your compliance documentation, but I require that you mention my name (once per documentation/material/training session) as an author of the illustrations.
These illustrations are NOT for online use on websites and NOT for commercial use. If you wish to use them on your website - contact me for explicit permission.
Exposition
Data visualisation can be roughly divided into a world of EXPLANATORY and a world of EXPLORATORY.
The first is particularly suitable when you present your expert opinion to a group of non-experts, while the second is perfect when you want to engage your audience and take them on a journey where together you discover what is right and wrong, what is true and false.
This (IMO) is what our organisations need - to start a conversation about data protection and information security and, together across departments, EXPLORE what "the appropriate security measures" are for that particular organisation when it comes to the protection of personal information. Just as, from a regulatory perspective, it is an exploration of precedent and the practical implementation of the law.
Therefore, my illustrations are explorative and open to different meanings and interpretations, so you can find the meaning that is relevant to your data protection reality.
Enjoy!
Implementation of GDPR is all about finding the balance between processing activities and protection of privacy: that sweet spot of "appropriate security measures" and just the right amount of investment in compliance and documentation.
Explaining the importance of privacy can be challenging when trying to illustrate something as intangible and invisible as tracking and data processing by Small and Big Tech. But in the physical world it would look as if several hundred people constantly followed you around, taking notes of your every movement and mood and exchanging those notes with each other without asking your permission.
I am sure this would never be allowed or even considered acceptable in the physical world.
IT-security in general
Making the appropriate investments in IT-security can both protect your organisation and its operations from malicious actors and provide the appropriate level of data protection to your customers. Useful when having a conversation about investment in new IT-infrastructure or a security system.
Phishing attacks - a good way to start a conversation with your colleagues about clicking unknown links or opening suspicious emails. It is always a good idea to take extra time and think about whether this could be a clever phishing attempt by a criminal.
Whale phishing - when the intended target of the attack is upper management and the criminal is likely to attempt CEO fraud. It jumps at you when you least expect it and is likely to explode in your face.
Maybe not exactly what you meant by "locking your computer", but high marks for trying. On the other hand, when it comes to securing your devices, there is never enough security due to Error 45.
Ransomware attack - when your own IT-equipment turns against you and holds your data for ransom.
Information security policies
When you discover that your information security policy has not been reviewed and updated within a year, and it is so forlorn and outdated that actual dust falls off it. Such a sad story! Maybe you should review and update it now.
Data protection and information security are a shared responsibility of all employees. Therefore it is important that all employees are familiar with the relevant parts of the compliance documentation.
Various security breaches situations
Every organisation has that one employee who thinks the rules do not apply to them.
Or this could be a good illustration of the relationship between a data controller and a particularly challenging data processor that doesn't quite follow your instructions.
Another one of those Data Controller vs. Data Processor situations, when things have gone very wrong indeed. Or an illustration to explain White Hat Hacker and Black Hat Hacker dynamics.
Understanding the risks, accepting the risks, managing and addressing the risks, placing the responsibility for appropriate management of risks. Risk avoidance.
That time when you realise that you have sent an email containing personal information to the wrong person. Or even worse - when a particularly challenging system for communication between parents and school shares the passwords of all kids with all parents in the same school, instead of in an individual email.
It is always a good idea to keep your data in an orderly and structured way. In the same way, it is always a good idea to keep your compliance documentation in order - both so that it is easier for employees to find and follow the guidelines, and for when your local Data Protection Agency requests the documentation for audit within a narrow deadline.
Physical security
Physical security starts with securing your cables and wires.
Yes - we have all been there, crawling under that table, trying to establish some order among the multiple cables that seem to multiply by the hour and are never where you think they are.
Data processing in general
Our children are exposed to technology from a very young age and subjected to data collection and analysis. As they play with digital toys, the toys in turn collect user data, behavioural data, biometric information etc. The makers of such toys unfortunately are not big proponents of "privacy by design" and "privacy by default". Therefore, responsibility falls on Data Controllers and parents to make sure that tracking and surveillance features are turned off.
Use of technology and social media (SoMe) among teenagers. The same challenges with transparency, data collection and tracking across platforms. Lack of "privacy by design" and "privacy by default".
Art 5. Data minimisation, purpose limitation.
Don't you wish there was a huge DELETE button that automatically deleted all old and unnecessary personal information? I always imagine mine looks like an Asian gong that gives a deep, satisfying sound that can be heard through the entire office building and motivates your employees to do the data clean-up.
What considerations should your organisation make before migrating data from an old system to a new system? Article 35 - DPIA.
When you are left with more questions than answers, it is a good time for a conversation and cooperation to find out what you can do better together.
When your team deserves a High-five for completing a compliance project.
Finally
Let me know if you find these illustrations useful and whether you are using them in your materials and documentation. If you have ideas for other relevant illustrations for compliance activities - please share your ideas in the comments and I will publish more illustrations later. :)
CISO as a Service
Camilla Blendvig
Helping Franchisors and their networks get to grips with data protection
Love this Julia Sommer. Most normal everyday businesses don't have the time or inclination to delve deep into what IT security or certainly GDPR implications and responsibilities are for them - anything that makes it more digestible can only be a good thing :0)
Privacy & Tech Lawyer, Managing Partner @ ICTLC Sweden. Mentoring and training privacy professionals @ PrivacyCraft. Lecturer @ Maastricht Uni. Certified DPO (ECPC-B), CIPP/E, CIPM, FIP. ex-Volvo Cars, ex-Boeing
Very nice!