The EU’s General Data Protection Regulation (GDPR) is no longer a possibility but a certainty: it applies from 25 May 2018, galvanising organisations that operate in the European Union (EU), do business with organisations in the EU, or store data in the EU. When preparing to implement the required changes to current practices, the information security professional must be ready to address numerous challenges. We cannot list everything here, but three key topics provide a good starting point.
Privacy by design: Many information security professionals will already focus on this, but they will need to work with IT development and implementation teams, and to maintain a checklist for software and service suppliers, to ensure that privacy is designed into products, services and business processes rather than bolted on afterwards. Understanding the information lifecycle, the technical infrastructure on which that data is processed, and any externally provided services involved, will require expert input from the information security function.
Incident management: Again, many organisations will already have some incident management capability. For the GDPR it must be strong enough to let an organisation react rapidly to any personal data breach and notify the relevant Data Protection Authority (DPA) within 72 hours of becoming aware of it. It is recommended that an information security incident management framework is established, supported by documented standards and procedures, so that detection, escalation, assessment and notification are practised steps rather than improvised ones.
Awareness: Make everyone aware that the law is changing, and ensure they understand the impact of the changes and their own responsibilities. The policies and procedures staff must follow should be written in plain, understandable language and be easily accessible. Regularly testing staff awareness, for example with simulated phishing emails, helps to support auditability and to demonstrate that an organisation has done its utmost to protect the EU citizen data it processes.
The topics discussed are unlikely to be solely the responsibility of the information security professional, but that professional will have a key role in driving forward the adoption of, and compliance with, the EU GDPR in their organisation.
Maxine Holt is principal analyst at the Information Security Forum (ISF).