Security Think Tank: Key GDPR issues for infosec pros to address

What is the role of information security professionals in ensuring organisations comply with the EU General Data Protection Regulation (GDPR) by 25 May 2018?

The EU’s General Data Protection Regulation (GDPR) has moved from the realm of possibility to a confirmed requirement that applies from 25 May 2018, galvanising organisations that operate in the European Union (EU), do business with organisations in the EU, or store data in the EU. When preparing to implement the required changes to current practices, there are numerous challenges the information security professional must be ready to address. We cannot list them all here, but three key topics provide a good starting point.

Privacy by design: Although many information security professionals already focus on this, they will need to work with IT development and implementation teams, and maintain a checklist for software and service suppliers, to ensure that privacy is designed into products, services and business processes. Understanding the information lifecycle and the technical infrastructure on which this data operates (as well as externally provided services) will require expert input from the information security function.

Incident management: Again, many organisations will already have some incident management capability. For the GDPR, this needs to be strong enough to enable an organisation to react rapidly to any breach and notify the relevant Data Protection Authority (DPA) within 72 hours. It is recommended that an information security incident management framework be established, supported by documented standards and procedures.

Awareness: Make everyone aware that the law is changing and that they must understand the impact of the changes and their responsibilities. The policies and procedures for staff to follow must be written in plain, understandable language and be easily accessible. Regularly testing staff awareness – for example, with simulated phishing emails – will help to support auditability and demonstrate that an organisation has done its utmost to protect the EU citizen data it processes.

The topics discussed are unlikely to be solely the responsibility of the information security professional – but they will have a key role in driving forward the adoption of and compliance with the EU GDPR in their organisation.

Maxine Holt is principal analyst at the Information Security Forum (ISF).

GDPR is and will be the second/third level of IT security. For quality solutions, we must change the basics.

If it does not work, it has to change!!

Does that mean organisations need to notify DPA authorities within 72 hours of the breach, or within 72 hours of detecting the breach?

No doubt this will be from the point of detection, as you can't report what is yet to be detected. That said, you would also need to have a framework capable of detection.

I totally agree that incidences of data breach should be recorded and reported, but within 72 hours? I would think that by that time any proponents of this type of breach would be long gone, before the authorities had even had time to blink.