Part 3: Illustrations for Data Protection and Information Security Audit Reports
Julia Sommer
AIA/DORA/NIS2/GDPR/MiFID II | GRC | Project/Program management | Critical Infrastructure
This is the final part of the illustrations for compliance reports. I would like to thank everyone who contributed ideas for these cute but utterly confused little humans that keep making mistakes. We forgive them their shortcomings, because they are cute, because they do try their best, and because they keep trying to improve.
Just like real humans in the real world, where we learn together by doing. Hopefully these illustrations will help you convey that message to your colleagues and encourage dialogue.
How you can use my sketches
These illustrations are for educational purposes, for use in internal printed awareness materials or digital documentation and reports ONLY.
You can use my sketches for free in your compliance documentation, but I require that you mention my name (once per document/material/training session) as the author of the illustrations.
These illustrations are NOT for online use on websites and NOT for commercial use. If you wish to use them on your website, contact me for explicit permission.
Tudekiks (Crybaby) - a bit of Danish humour
This one is by special request from a friend. For the situations where privacy and information security professionals need a shoulder to cry on and a cookie for consolation.
Processes and Deadlines
Statistics on your internal issues, security breaches, audits of data processors and much more. Data protection and information security activities also generate data, and if used properly they can give your upper management an understanding of all the great work you do and how you contribute to your organisation.
When your internal processes are not robust, employees are frustrated and confused. That leads to mistakes and security breaches that could be avoided if your organisation followed clearly defined and tested procedures.
When processes are robust, they give your colleagues a feeling of safe and secure working conditions, where it is easy to know how to do the right thing.
Does your organisation have clearly defined guidelines on involving the necessary employees in the decision-making when you consider buying a new IT system or starting a new IT project? Have you asked your DPO to provide relevant input?
Do you evaluate your investments in data protection and information security? Does your DPO have the necessary and appropriate resources to do their work?
The importance of the 72-hour deadline for reporting a security breach to the authorities (under the GDPR it runs from the moment you become aware of the breach) is not about creating additional stress in an already tense situation. It is about helping you create robust processes for discovering, evaluating and managing security breaches. And remember: it is better to send an incomplete report within the 72-hour deadline, while you are still investigating the breach, than to send a full report too late.
The expression of running around in confusion "like a headless chicken" can be used for the situations where your internal processes create more pseudo-work than they provide benefit during the management and reporting of security breaches. :) It often happens when people don't know what to do, so they end up doing too much and waste too much time on the wrong thing.
Not knowing what the right thing to do is can lead to embarrassment, which often results in employees hiding their mistakes. It is important to fight this zero-error culture and create a working environment where learning from mistakes is seen as a positive attitude. Clearly defined guidelines and processes can help create such an environment.
"Appropriate measures" is the most common answer you get when you ask your DPA for advice on data processing activities. It can be hard to always know what the appropriate organisational or technical measure is, but in these situations a little common sense and a practical approach can go a long way. You would not go outside in a full raincoat and boots with an umbrella on a sunny day, because that would definitely be overkill.
Yes - we need more of those in our organisations. If only we had a magic box where those solutions lived. Fortunately, you have experienced and accomplished colleagues; they are a treasure trove of good ideas and different perspectives. By working together and involving different points of view, you will be able to find common-sense solutions that protect personal information and take your business forward.
Data is good. We love data. Data helps our societies thrive. That is why we have regulations that provide a framework for how we can protect our data together.
Data processing from the person's (data subject's) perspective
When you get frustrated with organisations processing your personal information without your permission or without your understanding of the activities. Can be used for all articles in Chapter III of the GDPR - Rights of the data subject.
When consent is used as the legal basis for data processing, but the consent form is written in such confusing language that a person has no way of understanding what exactly they are consenting to.
Danish version of the same illustration.
SAR - subject access requests. Every person's right to know what sort of personal information about them is being processed, for what purpose, for how long and whether it is correct.
When processing activities include persons with a protected/secret address and location.
Protection of personal information and the rights of the person are even more important when the person belongs to a particularly vulnerable group, for example a physically or mentally ill person who does not have the same capacity to object to the processing of their data or to complain about it to the local DPA. Therefore, the responsibility to take extra care in processing the personal data of such vulnerable people lies with the data controller.
Data is a valuable commodity. Everyone wants your data. But it is not always clear why different organisations receive and process your personal information, so you have to be extra careful about where you store your data and how you share it.
That feeling you get after you read a particularly challenging privacy policy.
Danish society is among the most digitised in the world. That has many advantages, but it also sometimes makes the hair on your head rise and burst with sparks and electricity from frustration and rage, because the technology is made in such a way that it is difficult for a human to understand and use. We have all experienced it when trying to log on to a public service and get help.
In such moments, I imagine we all look like the Norse goddess Hel, because it feels like being in a place like that.
In my mind, I always imagine judges as wise persons with a mysterious look on their faces, like they know something. And you can never know whether they are thinking about a particularly challenging case or pondering the lunch menu :D
Working with data protection is a never-ending process. But this series of illustrations has come to its conclusion. So it is only appropriate to end this article with an image that you can use to illustrate the statistics of your successfully finished data protection and information security projects, or security breach reports.
Finally
Let me know if you find these illustrations useful and whether you are using them in your materials and documentation. If you have ideas for other relevant illustrations for compliance activities, please share them in the comments and I will consider making more illustrations later. :)
Head of GRC | NIS2 | GDPR | DORA | Keynote speaker | Threat Intelligence | Author
4 years ago: A "tudekiks" - the question is then whether it is for the DPOs or for the data controllers
CEO at Skaitmeninio sertifikavimo centras (SSC)
4 years ago: Any links to something like "Auditor qualification requirements"? Thanks.
Legal
4 years ago: Amazing
Thanks for more fantastic drawings.