How Will the Information Security Function Support GDPR Compliance?
Get Past the Confusion and Start Preparing Today
The effective date of the EU’s General Data Protection Regulation (GDPR) advances like a slow-motion tsunami rolling across the Atlantic. Yet despite the rising swell, many US organizations that trade in the EU are still on the fence, trying to figure out if and how GDPR will affect their business, according to a recent survey by NTT Security.
For those who have gotten past that first hurdle, there appears to be lingering confusion about the role the information security function plays in meeting GDPR compliance requirements. Lack of awareness of GDPR’s mandates may create a false sense of confidence emerging from a mindset that the EU’s data protection imperatives are areas that only data privacy professionals and attorneys worry about.
At the opposite end of the spectrum are those who reason that their firms have GDPR covered because of the IT security controls they already have in place. Though prominent features of a robust data protection program, safeguards like firewalls, encryption, and network monitoring tools do not address the need for new or enhanced business processes in support of GDPR compliance. Indeed, as Kevin Townsend, Senior Contributor at SecurityWeek, puts it, “GDPR is not just about security and the prevention of breaches — it’s just as much about how personally identifiable data is handled.” In other words, firms still stuck in the “security is an IT thing” mindset must break past this fallacy and address GDPR-enabling information security controls in a holistic manner.
Assuming the arguments above are convincing, the next logical question is: how much will it cost our organization, in time and resources, to comply with GDPR’s security requirements? To find an answer, information security leaders should conduct an assessment that identifies the overlaps and gaps between their current governance structure and GDPR’s standards. The assessment should gather information on all three classes of information security controls: administrative, physical, and technical.
Now, here’s the good news. Firms that have committed to faithfully implementing an industry-accepted framework are well on their way towards supporting GDPR compliance. In fact, GDPR Article 32 strongly encourages organizations to certify compliance with a leading information security framework, such as ISO/IEC 27001/2 or 27018 (for cloud service providers). Though there is, at the moment, no mechanism enabling organizations to “certify compliance” with guidelines like the NIST CSF or the Baldrige Cybersecurity Framework, adherence to such a framework may also reflect positively on one’s information security program.
The bottom line: US-based organizations need to quickly reconcile any misunderstandings about GDPR’s impact on the information security function if they want to continue participating in today’s digital economy. Once firms acknowledge their obligations, the next important step is to conduct a GDPR readiness assessment to identify potential gaps in coverage. For organizations that want to evaluate the quality and maturity of their GDPR-supporting information security processes, we recommend using a platform built for this purpose.
Adam Stone is Principal Consultant and Chief Privacy Officer for Twin Cities-based Secure Digital Solutions, LLC.