A GDPR shopping list
Updated: Apr 24, 2019
The American psychologist Abraham Maslow said that if the only tool you have is a hammer, the danger is that you start seeing nails everywhere.
One of the biggest challenges facing companies rushing to comply with the European Union’s General Data Protection Regulation (GDPR) is choosing the right tools to get the job done. To make sure that you are equipped with all the right tools, I have put together a shopping list of international standards.
International standards produced by organizations like IEC and ISO are formal documents that describe, in great detail, technical criteria, methods, processes and practices. They reflect the consensus view of leading international experts on best practices.
But before we delve into the standards, here is a reminder of some of the key challenges facing the owners of online and mobile properties.
When the GDPR comes into force, on 25 May, it will have a humongous impact on web properties all over the world. It will affect all organizations, wherever they keep their servers, if they are reaching EU citizens online with any kind of information, content or service.
The owners of web properties will need explicit permission from their users to continue collecting, storing, analyzing, or sharing personal information, as they do now, with analytics companies, advertising partners, marketing groups and numerous other third-party entities. It will likely transform the way data is treated everywhere, as businesses will want to avoid the additional costs of managing different data regimes.
The GDPR will impose severe restrictions on the transfer of data outside the EU, both to other countries and international organizations. Full compliance will be a mandatory legal requirement to avoid severe sanctions, including fines of up to EUR 20 million — or 4% of global turnover, if the amount is higher.
Organizations across the world are racing against the clock to respect individual rights, increase data protection and guarantee privacy on their websites. For those that can see beyond the nails, International Standards not only offer a complete toolkit of tried and tested technologies, but are also available online.
A reminder about the challenge
The GDPR covers a broad range of personal data, including online identifiers such as IP addresses and cookies, as well as credit card and health information at the other end of the scale. It will transform the way that organizations collect personal data, how they store it and how they use it.
In order to comply with an individual’s “right to be forgotten”, for example, organizations will have to be able to delete personal data whenever requested. The GDPR also enshrines the right to “data portability”: the idea that citizens should be able to transfer personal data easily between different service providers.
The GDPR will ensure that personal data is kept only with a client’s explicit consent, used only for the purpose for which it was obtained and stored no longer than necessary. Not only will permission to use data have to be clear and concise, but also users will be able to revoke it at any time.
Organizations will have to follow strict guidelines to ensure that data is always accurate and processed in a fair and consistent manner. If there are any security breaches, organizations will have to inform the relevant supervisory authorities within 72 hours.
As 25 May draws closer, developers are rebuilding websites to ensure there is no automatic collection of data whenever visitors land on a page. They are tweaking all kinds of software to guarantee privacy by design and default, but many online service providers remain concerned about compliance as the official guidelines are complex and sometimes difficult to relate to real world situations.
My shopping list
International Standards provide a robust and reliable framework, based on best practices identified by the leading industry and technology experts around the world, for gathering, storing and processing sensitive data in the context of different regulatory requirements. They provide not only a complete toolkit and methodology for data security management, but also demonstrate best practices from the real world.
The best practices reflected encompass the fields of data security, information exchange, storage protection and processing. The ISO/IEC 27000 family of standards on security techniques for information technology provides a powerful framework for enabling organizations to benchmark against best practices in the implementation, maintenance and continual improvements of controls.
In this context, ISO/IEC 27001 is a significant standard in the ISO/IEC 27000 family. According to the international data protection experts IT Governance, “a company that has implemented ISO/IEC 27001 has already done at least half the job of achieving GDPR compliance by minimizing the risk of a breach.”
ISO/IEC 27001 identifies potential risks to client and stakeholder data and ensures that organizations implement the relevant controls to mitigate them. It takes in encryption, ongoing testing and risk assessment and the ability to restore access to personal data quickly in the event of an incident.
Currently under development, ISO/IEC CD 27552 will soon deliver an enhancement to ISO/IEC 27001 for privacy management requirements. It covers processes for protecting the capture, accountability, availability, integrity and confidentiality of data.
ISO/IEC 19592-1 and ISO/IEC 19592-2 define best practices in the cryptographic techniques used to protect the confidentiality of messages (“secret sharing”) in terms of general requirements and fundamental mechanisms. These techniques can be used to store sensitive data securely in distributed systems.
ISO/IEC 29100 describes a framework for the protection of personally identifiable information (PII) within information and communication technology (ICT). ISO/IEC 27018 enables organizations to manage security issues related to PII on public clouds.
ISO/IEC 29101 identifies a framework and associated controls for the safeguarding of privacy in ICT systems that store and process PII.
With a focus on learning, education and training, ISO/IEC 29187-1 takes into account the public policy requirements that control the creation, use and interchange of personal data, as well as information life cycle management. These include, but are not limited to, regulations for consumer protection, privacy and individual accessibility.
Having the right staff with the right skills
Because not all risks are technology-based, it is essential that the technical staff responsible for data management in your organization have the required training, knowledge and skills.
Adhering to the relevant International Standards will ensure that you are implementing best practices effectively and efficiently. You will be using the right tools, systems and processes to protect personal data and to mitigate risks.
Implemented correctly, the standards on my shopping list will help you to build a new digital relationship with your clients. That is really what the GDPR is all about.