Saturday, February 24, 2018

GDPR Implementation Project Plan

By John Kyriazoglou
Summary: This plan is an example of what actions you may take to implement a set of measures to comply with the EU GDPR legal and technical requirements.
You may consider using it and improving it to suit your own specific business operations after you conduct an analysis of your company’s objectives, needs and requirements.
For more details, please see the books listed in the ‘Resources’ paragraph at the end.

Step 1. Establish the project
Step 2. Establish the Data Privacy Governance Framework
Step 3. Establish the Data Privacy Organization
Step 4. Build up your personal data inventory
Step 5. Manage data subject rights
Step 6. Manage security and privacy of personal data
Step 7. Manage Personal data transfers
Step 8. Manage Processor compliance
Step 9. Execute Data Protection Impact Assessments
Step 10. Execute Data Protection by Design and Default

For more details, see:

Thursday, December 7, 2017

Technology Abuse in the Wired World

Technology Abuse in the Wired Workplace

Inspired by ancient Greek Wisdom

By John Kyriazoglou
Liability risks, productivity losses, service shutdowns, financial losses, brand and reputational damage, customer and personal data breaches and large security gaps, to name only a few of the after-effects of intrusions, are causing many board directors and managers to wonder what kind of ‘Pandora’s box’ they opened when their companies and organizations entered the electronic age by connecting to the Internet and carrying out their operations primarily via the Web and other e-Commerce platforms and applications.
In ancient Greek mythology, the story of ‘Pandora’s Box’ goes like this: ‘Pandora (Greek for ‘all-gifted’) was the first woman on earth. Zeus (the master of gods) ordered Hephaistus, the god of craftsmanship, to create her and he did it, using water and earth. The gods endowed her with many talents: Aphrodite gave her beauty, Apollo music, Hermes persuasion, and so forth. Hence her name: Pandora, ‘all-gifted’. When Prometheus (ancient Greek for ‘Forethought’) stole fire from heaven, Zeus took vengeance by presenting Pandora to Epimetheus (ancient Greek for ‘Afterthought’), Prometheus' brother. With her, Pandora had a jar which she was not to open under any circumstance. Impelled by her natural curiosity, Pandora opened the jar, and all evil contained escaped and spread over the earth. She hastened to close the lid, but the whole contents of the jar had escaped, except for one thing which lay at the bottom, and that was Hope’.

So we see that up to this day, whatever evils are upon us, hope never entirely leaves us; and while we have that, no amount of other ills can make us completely wretched.

I think the meaning of this story is that we have to manage technology and its impact (contained in Pandora’s jar) in all aspects of our personal and business life to benefit, as much as possible, the greater society.

Coming back to the central issue of ‘how to manage these impacts better while gaining the benefits of the Internet technology’, the questions are:

Is the company making the best use of its IT systems, personnel and resources?

Are corporate managers prepared for both the tremendous responsibility and liability this places on both the board and the IT department?

Has the company implemented the best business management and IT controls to mitigate intrusion and other risks, while managing the debilitating effects of hacking and avoiding the huge fines imposed by the regulatory authorities for personal data and other breaches?

Saturday, November 25, 2017

By John Kyriazoglou

1. Description of the GDPR

The EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Commission intends to strengthen and unify data protection for individuals within the European Union (EU).
It also addresses export of personal data outside the EU. The Commission's primary objectives of the GDPR are to give citizens back the control of their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

When the GDPR takes effect, it will replace Directive 95/46/EC from 1995. The regulation was adopted on 27 April 2016. It enters into force on 25 May 2018 after a two-year transition period and, unlike a directive, it does not require any enabling legislation to be passed by local (national) governments.

2. Security Measures and Controls
The GDPR requires (see Articles 32 to 34 and Recitals 39, 49, 52, 53, 71, 73, 75, 78, 81, 83, 85 to 88, 91 and 94) that the controller and the processor engaged in collecting, processing, storing and transferring personal data implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. It also establishes a uniform data breach notification requirement: in the event of a data breach leading to the loss of, unauthorised access to or disclosure of personal data, both the data protection authority and the data subjects involved must be informed within defined time limits.
The following controls, methods and techniques may be used for the analysis, design, implementation, assessment and evaluation of the threat strategy and the measures required to protect personal data and other valuable IT assets, in any type of organization.

More details at:

Saturday, January 14, 2017

Critical Success Factors in Improving Corporate Performance

By John Kyriazoglou

1. Introduction

There are five typical questions (Q) that come to mind in evaluating and improving the corporate performance of any company:
Q1: Which are the critical success factors (CSFs) enabling the design and good operation of strategic controls to establish the performance framework and ensure the improvement of the performance of our company?
Q2: How do we target our bottom line and continuously improve our company’s performance?
Q3: Do all our business functions/units meet the corporate financial and other performance targets?
Q4: How do our business functions/units translate corporate targets into measurable actions?
Q5: How do we monitor implementation of these actions and their impact on our company’s profit and loss (P&L)?

My answer to the first question (CSFs) is presented next.

2. Critical Success Factors in Improving Corporate Performance

The critical success factors (CSFs) enabling the design and good operation of strategic controls are: management tools, a performance measurement culture, training, professional knowledge, top management commitment, and a modern reporting model. These are described below.

CSF 1: Management Tools. These include the policies, procedures and systems of corporate governance related to organization, financial management, human resource management, production, sales, IT management, etc.
CSF 2: Performance Measurement Culture. This includes establishing and enhancing the role of the performance management manager, and adding resources to the performance measurement teams with the appropriate skills, abilities and talents: financial management, sales, human resource management, IT systems development and operation, production process management, customer support, etc.
CSF 3: Training. Training and educating management staff is a must to enable them to acquire and enhance their skills on the analysis of all performance data (e.g., financial, customer, internal corporate processes, employee learning and development, etc.).
CSF 4: Professional Knowledge. Very strong knowledge of the given organization’s processes, the industry to which the organization belongs, the culture of the said organization and its business operating model, as well as effective inter-personal communication skills at all management levels are also required.
CSF 5: Top Management Commitment. Very strong commitment to performance is a must by all members of the executive board, corporate leadership, top management, management committees, various organizational committees, etc., and pursuing it to all levels (up, down, across) of the given organization, corporate management, organizational units, business functions, projects, systems, processes, stakeholders, etc.

CSF 6: Modern Reporting Model. The last CSF, but equally important, is an open and widely distributed environment for exchanging information and know-how about performance and about the production and support processes, together with a flexible, modern and continuously updated reporting model for organizational performance and for the consequences of the organization’s operations on the greater environment, society, economy, etc.

My answer to the other four questions (questions 2 to 5) is contained in my book, described next.

3. Improving Corporate Performance with BSC

This book describes how to control better and improve your Company’s Strategy and Performance with the Balanced Scorecard Framework. It does this by identifying the concept and importance of strategic controls, describing the types of strategic controls (such as financial, output, IT, etc.), defining the roles and responsibilities of managers and others in these, proposing a Balanced Scorecard Approach to Strategic Control for all enterprises and organizations and providing examples of a Performance Management Policy, a Corporate Strategic Plan, and a set of audit checklists and Business Performance Measures.

1. Introduction
2. What is strategic control?
3. The Importance of Strategic Control
4. A Balanced Scorecard Approach to Strategic Control
5. Strategic Control Systems
6. Key Issues in Designing Strategic Control Systems
7. Critical Success Factors
8. Types of Controls (Financial, Output, Behavioral, IT)
9. Roles and Responsibilities
10. Strategic Controls – Examples of BSC Implementation
11. Review and Audit Tools and Techniques (Strategic Readiness Checklist (55 questions), Business Idea Development Checklist (11 questions), Corporate Strategic Plan Checklist (15 questions), Generic Performance Audit Program (16 questions))
12. Conclusion
13. End Notes
14. Bibliography
Appendix 1: Performance Management Policy
Appendix 2: Corporate Strategic Plan-Example
Appendix 3: List of 42 Business Performance Measures (for finance, sales, production, management and IT)

4. Further Resources

For more details, see:
1. Improving Performance with Balanced Scorecard
2. Examples of four BSC Case Studies

Thursday, December 15, 2016

Managing enterprises better in the 21st century

By John Kyriazoglou

1. Introduction

According to various sources, ‘management control’ is a management function aimed at achieving defined goals within an established timetable, and is usually understood to have three components:
(1) Setting standards,
(2) Measuring actual performance, and
(3) Taking corrective action.

In practical business terms, management controls, in a private company or public organizational environment, are used daily by managers and employees to accomplish the identified objectives of an organization (private company, public organization, or business entity, called ‘enterprise’ in this article).

Simply put, management controls are the operational methods that enable work to proceed as expected. 

Management is responsible for establishing and maintaining the business management control environment. Auditors play a role in a system of internal controls by performing evaluations and making recommendations for improved controls. Furthermore, every employee plays a role in either strengthening or weakening the specific company’s internal business management control system. Therefore, all employees need to be aware of the concept and purpose of internal business management controls.

How many of these business management controls, however, does an enterprise need?

For more details, download the article from the following link:

Monday, November 28, 2016

Preparing for the EU General Data Protection Regulation (GDPR)

By John Kyriazoglou

Is your company ready?
What steps should you, as a manager, executive or board director, take for your company by May 2018?

My new book ‘Data Protection and Privacy Guide’, in five volumes (see links at the end), is designed to support you effectively in all these issues.

I am providing below a short summary of the GDPR and how it impacts your business operations (including your IT systems) and a flavor of what is contained in these volumes.

1. Introduction to the EU GDPR
In April 2016, the EU General Data Protection Regulation (GDPR) was approved, entering a two-year transition period (April 2016 to May 2018) during which member states and enterprises (private companies and public organizations) handling European residents’ personal data will need to adopt the new requirements. The Regulation introduces tough penalties for non-compliance, with breached organizations facing fines of up to 4% of annual global turnover or €20 million, whichever is greater.

The new law dramatically changes the way in which organizations approach personal data protection (for customers, employees, etc.), particularly in terms of access privileges. With financial penalties in place, which can be as much as 4 per cent of a corporation’s annual turnover, enterprises simply cannot afford to let personal data slip into the wrong hands through mismanagement or a malicious breach. One way to ensure this doesn’t happen is for personal data to be secured under lock and key with the help of identity governance, where entry is monitored and controlled around the clock, etc.

2. Preparing for the General Data Protection Regulation (GDPR)

The basic steps to take by May 2018:

Step 1: Awareness. You should make sure that decision makers and key people in your company or organization are aware that the law is changing to the GDPR.
Step 2: Data Protection Officers. You should designate a Data Protection Officer, if required, or someone to take responsibility for data protection compliance and assess where this role will sit within your organization’s structure and governance arrangements.
Step 3: Personal Data you hold. You should document what personal data you hold, where it came from and who you share it with. You may need to organize a personal data audit, etc.
Step 4: Individuals’ rights. You should check your corporate procedures to ensure they cover all the rights individuals have, including how you will handle requests within the new timescales and provide any additional information, how you would delete personal data or provide data electronically and in a commonly used format, etc.
Step 5: Communicating privacy information. You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Step 6: Legal basis for processing personal data. You should look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it.
Step 7: Consent. You should review how you are seeking, obtaining and recording consent and whether you need to make any changes.
Step 8: Children. You should start thinking now about putting systems in place to verify individuals’ ages and to gather parental or guardian consent for the data processing activity.
Step 9: Data breaches. You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Step 10: Data Protection Impact Assessments (DPIA). You should familiarize yourself now with the guidance regarding when to carry out a DPIA; for example, where a new technology is being deployed or where a profiling operation is likely to significantly affect individuals, etc.
Step 11: Data Protection by Design and by Default. You should ensure that all your products produced and sold and all services provided (including Information systems) by your company implement privacy and data protection according to the principles of the GDPR.
Step 12: International Operations. If your company operates internationally, you should determine which data protection supervisory authority you come under.

3. Resources to support you in implementing the EU GDPR
As noted above, my new book ‘Data Protection and Privacy Guide’, in five volumes (see links at the end), is designed to support you in all these issues.

This book, in 5 volumes, contains a complete set of methods, strategies, plans, policies, audit tools and other practical techniques to guide, support and facilitate you to effectively manage the personal data your company collects and processes and comply better with all privacy regulations (e.g. EU GDPR).

1. Data Protection and Privacy Management System: Data Protection and Privacy Guide – Vol I
2. DP&P Strategies, Policies and Plans: Data Protection and Privacy Guide – Vol II
3. Data Protection Impact Assessment: Data Protection and Privacy Guide – Vol III
4. Data Protection Specialized Controls: Data Protection and Privacy Guide – Vol IV
5. Security and Data Privacy Audit Questionnaires: Data Protection and Privacy Guide – Vol V

Thank you,

John Kyriazoglou

Monday, November 7, 2016

Data Protection Impact Assessment Toolkit

This is available at:

This document describes a set of methods and tools that enable, facilitate and support you in assessing your data protection risks and executing a Data Protection Impact Assessment (DPIA) for existing as well as for new products, services, systems, functions and information systems that collect, process and maintain personal data.

It may also be used to evaluate the data protection and privacy risks of the personal data your company collects, processes and stores and to comply with the requirements of the EU General Data Protection Regulation (Articles 27, 28, 34, 35, 36, 39, 53, 57, 58, 64 and recitals 53 and 58) for any enterprises located within the EU or doing business in the EU, regardless of their home base and central location offices (headquarters).

Table of Contents

Chapter 1: Summary of the New EU General Data Protection Regulation
Chapter 2: Data Protection Impact Assessment Methodology

Chapter 3: Data Protection and Privacy Audit Tools

Annex 1: Data Protection Impact Pre-Assessment Survey
Annex 2: Data Protection Risk Identification Questionnaire
Annex 3: Privacy Risk Register
Annex 4: Suggested DPIA Report Format
Annex 5: Proposed Risk Resolution Actions
Annex 6: Personal Data Checklist