July 20th, 2017
Adam Stone, Principal and Chief Privacy Officer
How Will Information Security Support GDPR Compliance?
The effective date of the EU’s General Data Protection Regulation (GDPR) advances like a slow-motion tsunami rolling across the Atlantic. Yet despite the rising swell, many US organizations that trade in the EU are still on the fence, trying to figure out if and how GDPR will affect their business, according to a recent survey (PDF) by NTT Security.
For those who have gotten past that first hurdle, there appears to be lingering confusion about the role the information security function plays in meeting GDPR compliance requirements. Lack of awareness of GDPR’s mandates may create a false sense of confidence emerging from a mindset that the EU’s data protection imperatives are areas that only data privacy professionals and attorneys worry about.
At the opposite end of the spectrum are those who reason that their firms have GDPR covered because of the IT security controls they already have in place. Though prominent features of a robust data protection program, safeguards like firewalls, encryption, and network monitoring tools do not address the need for new or enhanced business processes in support of GDPR compliance. Indeed, as Kevin Townsend, Senior Contributor at SecurityWeek, puts it, “GDPR is not just about security and the prevention of breaches — it’s just as much about how personally identifiable data is handled.” In other words, firms still stuck in the “security is an IT thing” mindset must break past this fallacy and address GDPR-enabling information security controls in a holistic manner.
Assuming the arguments above convince the reader, the next logical question should be: how much will it cost our organization (in time and resources) to comply with GDPR’s security requirements? To find an answer, information security leaders should conduct an assessment that identifies the overlaps and gaps between their current governance structure and GDPR’s standards. The assessment should gather information on all three classes of information security controls: administrative, physical, and technical.
Now, here’s the good news. Firms that have committed to faithfully implementing an industry-accepted framework are well on their way towards supporting GDPR compliance. In fact, GDPR Article 32 strongly encourages organizations to certify compliance with a leading information security framework, such as ISO/IEC 27001/2 or 27018 (for cloud providers). Though there is, at the moment, no mechanism enabling organizations to “certify compliance” with guidelines like the NIST CSF or the Baldrige Cybersecurity Excellence Builder, adherence to such a framework may also reflect positively on one’s information security program.
The bottom line: US-based organizations need to quickly reconcile any misunderstandings about GDPR’s impact on the information security function if they want to continue participating in today’s digital economy. Once firms acknowledge their obligations, the next major step is to conduct a GDPR readiness assessment to identify potential gaps in coverage. For those organizations that want to evaluate the quality and maturity of their GDPR-supporting information security processes, we recommend using a platform built for this purpose.
Adam Stone is Principal Consultant and Chief Privacy Officer for Twin Cities-based Secure Digital Solutions, LLC. SDS’ experienced data privacy and security professionals stand ready to assist your organization as you prepare for GDPR compliance. Choosing SDS as your trusted advisor will help ensure that your efforts have maximum impact, even with limited budgets and resources. Contact Secure Digital Solutions today to learn more!
Now you can quickly identify, measure, prioritize and communicate the maturity of your information security processes using the industry-leading TrustMAPP® platform. Check us out at trustmapp.com or call 952-544-0234.