Transparency is one of our core values, and one of the basic principles of the GDPR.
Users, by which we mean citizens, partners, clients and customers, have a right to know what is going on with their data. Ideally, documentation should be provided in a clear, easy-to-understand format, tailored to the specific audience it addresses, i.e. to that audience's likely level of technical knowledge and its relationship to the data (customer, service owner, etc.).
The current norm is over-complicated, over-long reports filled with legal statements about the purpose of the services and the data they work with, and jargon-filled descriptions of the processes. This leads most people to rely on the management summary without checking whether its conclusions are actually consistent with the data given, which makes it easy to bury important information about problems in the body of the report.
The way forward is to have the creativity to find solutions for complex constraints and to write about them in a way that makes them easy to understand.
For example, you could create a simple diagram which shows which organisations are involved in a certain service. The ITIL methodology, with which some of you may be familiar, shows simple diagrams from a bird’s eye view. If you want to know the details, you dive down into the subprocesses and continue down through the levels until you arrive at the basic work item.
When applying this to the question of security, you could easily:
- display a stamp on the website showing the date of the last external penetration test.
- publish the process by which consumer requests are handled internally.
- estimate an overall security barometer for your infrastructure based on the degree of compliance with the CIS benchmarks.
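As an added illustration of the last point (example code written for this page, not a tool or format from the original post or from CIS), the script below rolls a set of benchmark check results up into a single traffic-light "barometer" and a short per-section summary that could be published as-is. The input records, control ids, section names, level weights and score bands are all constructed assumptions; a real deployment would feed in the output of whatever benchmark scanner is in use.

```python
"""Toy 'security barometer': roll CIS-benchmark check results up into one
traffic-light rating plus a short per-section summary for a public page.
Constructed example; the input format is an assumption, not the output of
any real CIS tool."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckResult:
    control_id: str   # benchmark control number, e.g. "1.1.1" (hypothetical)
    section: str      # top-level benchmark section the control belongs to
    level: int        # CIS profile level: 1 = baseline, 2 = defence in depth
    passed: bool


# Constructed sample results (hypothetical control ids and sections).
SAMPLE_RESULTS = [
    CheckResult("1.1.1", "Initial Setup", 1, True),
    CheckResult("1.1.2", "Initial Setup", 1, True),
    CheckResult("1.1.3", "Initial Setup", 1, False),
    CheckResult("1.2.1", "Initial Setup", 2, True),
    CheckResult("2.1.1", "Services", 1, True),
    CheckResult("2.1.2", "Services", 1, True),
    CheckResult("2.2.1", "Services", 2, False),
    CheckResult("4.1.1", "Logging and Auditing", 1, True),
    CheckResult("4.1.2", "Logging and Auditing", 1, True),
    CheckResult("4.1.3", "Logging and Auditing", 1, True),
    CheckResult("4.2.1", "Logging and Auditing", 2, True),
    CheckResult("4.2.2", "Logging and Auditing", 2, False),
]

# Assumed weighting: Level 1 controls count double, since they are the
# baseline every system is expected to meet.
LEVEL_WEIGHTS = {1: 2.0, 2: 1.0}

# Assumed score thresholds for the published rating, highest first.
BANDS = [(90.0, "green"), (70.0, "amber"), (0.0, "red")]


def compliance_by_section(results):
    """Percentage of passed controls per section, unweighted, rounded to 0.1."""
    totals, passed = {}, {}
    for r in results:
        totals[r.section] = totals.get(r.section, 0) + 1
        passed[r.section] = passed.get(r.section, 0) + (1 if r.passed else 0)
    return {s: round(100.0 * passed[s] / totals[s], 1) for s in totals}


def overall_score(results, weights=LEVEL_WEIGHTS):
    """Weighted compliance percentage across all controls; 0.0 if no results."""
    total = sum(weights[r.level] for r in results)
    if total == 0:
        return 0.0
    got = sum(weights[r.level] for r in results if r.passed)
    return round(100.0 * got / total, 1)


def barometer(score):
    """Map a score to the traffic-light band that users see."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    return "red"


def public_summary(results):
    """Plain-language text suitable for a public transparency page."""
    score = overall_score(results)
    lines = [f"Overall security barometer: {barometer(score)} "
             f"({score}% of weighted checks passed)"]
    for section, pct in sorted(compliance_by_section(results).items()):
        lines.append(f"  {section}: {pct}% of checks passed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(public_summary(SAMPLE_RESULTS))
```

The published text deliberately carries only the rating, the weighted score and per-section percentages: enough for a reader to judge the overall posture and see which areas lag, without listing individual failed controls, which belong in the internal report rather than on a public page.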
When you start to look for ways to be transparent, there are lots of other creative solutions available. Why don’t we all start trying to find them and put them to use!