Many organisations are concerned about how to adapt in order to comply with the EU's General Data Protection Regulation (GDPR), but they should start by complying with existing standards, according to a panel of experts.
The GDPR is due to come into force in May 2018, and with guidance on how to comply still thin on the ground, some experts are advising firms to start with existing standards so they have a head start once the remaining compliance details are known.
Speaking at Computing's recent event ‘Getting ready for the GDPR', Neil Thacker, deputy CISO at Forcepoint, said his firm focused on the ISO standards.
"If you're storing huge quantities of data, and most organisations doing that are moving their storage to the cloud, you have a requirement to do your due diligence on your suppliers," said Thacker. "We focused on the ISO standards, as they're internationally recognised. There are no specifics around the GDPR [written into the standards], but we are a processor of PI [personally identifiable] data, so we are ISO 27018 certified. And we recently achieved Cloud Security Alliance gold star standard having been assessed. None of these are requirements [under GDPR] but they show how mature we are as an organisation," he added.
University College London demands ISO 27001 certification from its cloud partners, according to Bridget Kenyon, head of security at the university.
"We ask for ISO 27001," said Kenyon. "One gotcha is bodies will say they can certify you but they're not actually authorised by the UK to provide that. Also, you have to keep an eye on what the scope is [of the certification]. BT's first press release [on the subject] said they're ISO certified, but it was only one tiny bit of a call centre [which was certified], not the entire organisation. ISO 27001 draws a line around something and says just that bit's certified, so watch out for that. It also shows what security measures organisations have chosen to apply, so it's very useful," she said.
Experts at the event also discussed the issue of how long emails should be kept before being deleted, given that many firms will hold sensitive data in their email databases.
The GDPR will require many firms to appoint a Data Protection Officer, but a lawyer at the event advised firms that this role should not default to the in-house lawyer, as it requires a broad range of skills, not just legal understanding.