The European Union’s General Data Protection Regulation (GDPR) went into effect May 25. According to industry analysts, more than 50 percent of impacted businesses will not comply with the new standards, despite the fact that fines can be as much as €20 million ($25M USD) or four percent of a company’s revenue from the prior year. Organizations will be held to higher standards for data security and will be liable for higher penalties if they violate the new GDPR regulations. This means organizations will need to be more proactive about their configurations, patches and security than ever before. They can no longer afford to succumb to the “If it ain’t broke, don’t fix it” mentality.
Article 25 of the GDPR requires organizations to have the necessary technical measures in place to abide by what it calls “privacy by design and by default.” Human Resources, finance, sales and customer support departments are all likely to be affected. But do not fear. Here are three existing practices and standards you can build on to become GDPR compliant.
- Payment Card Industry Data Security Standard (PCI DSS): Organizations that are PCI DSS compliant today can use the same control framework to achieve GDPR compliance. A PCI breach can also be considered a breach of personal data. The guidelines require companies that store credit card information to use data encryption and/or tokenization to be PCI compliant (Requirement 4). This closely parallels Article 32(1) of the GDPR, which requires organizations to implement controls that protect personal data through pseudonymization and/or encryption.
- International Organization for Standardization/International Electrotechnical Commission (ISO/IEC): ISO/IEC already provides best practices that companies can leverage to handle personally identifiable information (PII) and to prepare for GDPR compliance. With an ISO/IEC 27001 framework in place, organizations can manage data risk and ensure requirements are met with the appropriate controls and measures. Organizations on public cloud that follow ISO/IEC 27018 already have controls in place to protect the PII they process. Organizations that follow ISO/IEC frameworks and operate an Information Security Management System (ISMS) give themselves a robust starting point for managing and building the security needed to protect personal records.
- National Institute of Standards and Technology (NIST): Today many organizations look to NIST for guidance on privacy and security. Its publications provide the basis for engineering security controls and privacy protection. NIST standards correlate with the GDPR’s privacy by default and privacy by design mandates. Privacy and security are distinct disciplines, but NIST provides an approach for mitigating risk when designing both privacy and information security controls to protect personal data.
Like most European IT standards, GDPR is designed as a set of non-prescriptive guidelines meant to accommodate laws and regulations that will change over time. It does not need to be treated as a separate topic when an organization assesses its compliance gaps. Instead, companies should look at how they can leverage the regulations and practices they already follow.
ISG provides full end-to-end IT services that can help your organization develop digital strategies to comply with GDPR. Please contact me to discuss how we can solve your compliance challenges.