Many organisations are concerned today about how to adapt to comply with the EU's General Data Protection Regulation (GDPR), but they should start by complying with existing standards, according to a panel of experts.
The GDPR is due to come into force in May 2018, and with guidance on how to comply still thin on the ground, some experts are advising firms to start with existing standards so they have a head start once the remaining compliance details are known.
Speaking at Computing's recent event 'Getting ready for the GDPR', Neil Thacker, deputy CISO at Forcepoint, said his firm focused on the ISO standards.
"If you're storing huge quantities of data, and most organisations doing that are moving their storage to the cloud, you have a requirement to do your due diligence on your suppliers," said Thacker. "We focused on the ISO standards, as they're internationally recognised. There are no specifics around the GDPR [written into the standards], but we are a processor of PI [personally identifiable] data, so we are ISO 27018 certified. And we recently achieved Cloud Security Alliance gold star standard having been assessed. None of these are requirements [under GDPR] but they show how mature we are as an organisation," he added.
University College London demands ISO 27001 certification from its cloud partners, according to Bridget Kenyon, head of security at the organisation.
"We ask for ISO 27001," said Kenyon. "One gotcha is bodies will say they can certify you but they're not actually authorised by the UK to provide that. Also, you have to keep an eye on what the scope is [of the certification]. BT's first press release [on the subject] said they're ISO certified, but it was only one tiny bit of a call centre [which was certified], not the entire organisation. ISO 27001 draws a line around something and says just that bit's certified, so watch out for that. It also shows what security measures organisations have chosen to apply, so it's very useful," she said.
Experts at the event also discussed the issue of how long emails should be kept before being deleted, given that many firms will hold sensitive data in their email databases.
The GDPR will require many firms to recruit a Data Protection Officer. However, a lawyer at the event advised firms that this role shouldn't default to the in-house lawyer, as it requires a broad range of skills, not just legal understanding.