By Brian Honan, CEO, BH Consulting
Many organisations are still trying to understand how GDPR will affect them, and what they will need to do to comply with it. The first thing to emphasise is that the General Data Protection Regulation is not an IT issue alone. It’s true that technical controls play a part in maintaining ongoing compliance, but GDPR is also a management issue. The proof is that the word ‘risk’ appears 75 times in the text of the regulation.
Where management goes, culture follows. Guidance from the top can ensure everyone in the organisation treats personal data responsibly. In practice, most organisations collect and use personal information about their customers or suppliers. Yet few of them know what they will need to do in order to comply with GDPR. Research commissioned by the Data Protection Commissioner found that 69 percent of SMEs have heard of the regulation, but 78 percent had not identified actions to take to become compliant.
One of the first steps to becoming compliant is for organisations to document what personal data they hold, where it originated and with whom it is shared. Measuring those processes against the requirements of GDPR makes it possible to identify gaps and address them.
This is where security frameworks such as ISO 27001 can help. GDPR comprises risk-based principles, so a risk-based security standard is well suited to mirroring the regulation’s requirements. ISO 27001 is a risk-based approach for securing valuable information and applies a high standard of controls to address areas like confidentiality, continuous protection, integrity and availability of information. Organisations can align the systems, controls, and processes they use for monitoring data assets with a widely accepted independent standard that is not aligned to any one technology or provider.
GDPR requires an organisation first to understand what data it holds, and all of the places where it is stored. This exercise, or data audit, not only helps to meet compliance requirements, it also has a business benefit. It will very likely uncover unnecessary duplicates of information or records that are no longer required. By deleting those copies, businesses can reduce the overhead of having to manage them. It also reduces the chances of being compromised or breached – an outcome that would be more likely to occur if an organisation does not know where it keeps all instances of its data.
There is no magic bullet for GDPR compliance, but there is a series of actions to take. Just as solid foundations are the bedrock for building a house, ISO 27001 is a robust platform that gives structure and support to data protection efforts.
ISO 27001 is more than just a set of guidelines to follow. There is a certification process to validate the work. The EU Data Protection Supervisor Giovanni Buttarelli said earlier this year that certification schemes “could bring great benefits” in helping organisations to navigate the GDPR. Accountability is one of the regulation’s key principles. Becoming certified to ISO 27001 demonstrates to all external stakeholders that the phrase ‘we take your security and privacy seriously’ isn’t just an empty promise but is the lived experience of the whole organisation.
BH Consulting will be presenting at the Certification Europe ISO 27001 Roadshow seminars. The Nationwide Roadshow stops off in Athlone on November 9th and in Belfast on November 16th at the Merchant Hotel, where an expert panel will discuss implementing an information security management system and demonstrating compliance with GDPR. For more details, or to register, click the image below.