Security problems we have to deal with today regarding Internet are created by ourselves. Internet, initially created to handle US Government data traffic, evolved to become communication between different research institutes. The protocols that were used had no security at all. Today we still use this network to almost everything and the complexity has grown tremendously. Compared to when the network initially was created, we now try to protect assets rather than just communicate, divide users according to permission and accessibility, and deal with privacy issues. Basically, everything is depending on the network that initially was created with no security.

Privacy has been a critical security aspect for the EU, but with the event of the GDPR privacy is both a legal aspect and an auditable ICT concept. GDPR includes topics like: owning your own data, independent of who collected it and where it is stored, and; the right to be forgotten. Each data collector also needs to have a complete data-flow map, describing any privacy data sets in a flow, to make these traceable and ready for audit inspection. Any organization handling EU residents’ data, needs to adhere to proactive Information Security processes. 

GDPR is based on the principles of Governance, Risk, and Compliance. It is not a purely legal construct; it is a management and strategy issue, not an IT issue. Further examples relate to cloud services with distributed resources, which illustrate the complex problem situation.

There is a need for a new perspective, moving from systems management to data flow management. We propose a systemic model which illustrate processes and flows within a fractal structure; we build on Beer’s Viable System Model. Such a model enables mapping of complexity and data flows and provide a tool for auditing and, thus, enable meeting the requirements of GDPR.