Many organisations are concerned about how to adapt to comply with the EU's General Data Protection Regulation (GDPR), but they should start by complying with existing standards, according to a panel of experts.
The GDPR is due to come into force in May 2018, and with guidance on how to comply still thin on the ground, some experts are advising firms to start with existing standards so they have a head start once the remaining compliance details are known.
Speaking at Computing's recent event 'Getting ready for the GDPR', Neil Thacker, deputy CISO at Forcepoint, said his firm focused on the ISO standards.
"If you're storing huge quantities of data, and most organisations doing that are moving their storage to the cloud, you have a requirement to do your due diligence on your suppliers," said Thacker. "We focused on the ISO standards, as they're internationally recognised. There are no specifics around the GDPR [written into the standards], but we are a processor of PI [personally identifiable] data, so we are ISO 27018 certified. And we recently achieved Cloud Security Alliance gold star standard having been assessed. None of these are requirements [under GDPR] but they show how mature we are as an organisation," he added.
University College London demands ISO 27001 certification from its cloud partners, according to Bridget Kenyon, head of security at the organisation.
"We ask for ISO 27001," said Kenyon. "One gotcha is bodies will say they can certify you but they're not actually authorised by the UK to provide that. Also, you have to keep an eye on what the scope is [of the certification]. BT's first press release [on the subject] said they're ISO certified, but it was only one tiny bit of a call centre [which was certified], not the entire organisation. ISO 27001 draws a line around something and says just that bit's certified, so watch out for that. It also shows what security measures organisations have chosen to apply, so it's very useful," she said.
Experts at the event also discussed the issue of how long emails should be kept before being deleted, given that many firms will hold sensitive data in their email databases.
The GDPR will require many firms to recruit a Data Protection Officer; however, a lawyer at the event advised firms that this role shouldn't default to the in-house lawyer, as it requires a broad range of skills, not just legal understanding.