GDPR is getting closer

Where to find the tools to build GDPR compliance

When the European Union’s General Data Protection Regulation comes into force, on 25 May, it will have a humongous impact on web properties all over the world

One of the biggest challenges facing companies rushing to comply with the European Union’s General Data Protection Regulation (GDPR) is choosing the right tools to get the job done. To make sure that you are equipped with all the right tools, I have put together a shopping list of international standards.

International standards produced by organizations like IEC and ISO are formal documents that describe, in great detail, technical criteria, methods, processes and practices. They reflect the consensus view of leading international experts on best practices.

But before we delve into the standards, here is a reminder of some of the key challenges facing the owners of online and mobile properties.

When the GDPR comes into force, on 25 May, it will have a humongous impact on web properties all over the world. It will affect all organizations, wherever they keep their servers, if they are reaching EU citizens online with any kind of information, content or service.

The owners of web properties will need explicit permission from their users to continue collecting, storing, analyzing, or sharing personal information, as they do now, with analytics companies, advertising partners, marketing groups and numerous other third-party entities. It will likely transform the way data is treated everywhere, as businesses will want to avoid the additional costs of managing different data regimes.

The GDPR will impose severe restrictions on the transfer of data outside the EU, both to other countries and international organizations. Full compliance will be a mandatory legal requirement to avoid severe sanctions, including fines of up to EUR 20 million — or 4% of global turnover, if the amount is higher.

Organizations across the world are racing against the clock to respect individual rights, increase data protection and guarantee privacy on their websites. For those that can see beyond the nails, International Standards not only offer a complete toolkit of tried and tested technologies, but are also available online.

A reminder about the challenge

The GDPR covers a broad range of personal data, including online identifiers such as IP addresses and cookies, as well as credit card and health information at the other end of the scale. It will transform the way that organizations collect personal data, how they store it and how they use it.

In order to comply with an individual’s “right to be forgotten”, for example, organizations will have to be able to delete personal data whenever requested. The GDPR also enshrines the right to “data portability”: the idea that citizens should be able to transfer personal data easily between different service providers.

The GDPR will ensure that personal data is kept only with a client’s explicit consent, used only for the purpose for which it was obtained and stored no longer than necessary. Not only will permission to use data have to be clear and concise, but also users will be able to revoke it at any time.

Organizations will have to follow strict guidelines to ensure that data is always accurate and processed in a fair and consistent manner. If there are any security breaches, organizations will have to inform the relevant supervisory authorities within 72 hours.

As 25 May draws closer, developers are rebuilding websites to ensure there is no automatic collection of data whenever visitors land on a page. They are tweaking all kinds of software to guarantee privacy by design and default, but many online service providers remain concerned about compliance as the official guidelines are complex and sometimes difficult to relate to real world situations.

My shopping list

International Standards provide a robust and reliable framework, based on best practices identified by the leading industry and technology experts around the world, for gathering, storing and processing sensitive data in the context of different regulatory requirements. They provide not only a complete toolkit and methodology for data security management, but also demonstrate best practices from the real world.

ISO/IEC 27001 identifies potential risks to client and stakeholder data and ensures that organizations implement the relevant controls to mitigate them. It takes in encryption, ongoing testing and risk assessment and the ability to restore access to personal data quickly in the event of an incident.

Currently under development, ISO/IEC CD 27552 will soon deliver an enhancement to ISO/IEC 27001 for privacy management requirements. It covers processes for protecting the capture, accountability, availability, integrity and confidentiality of data.

Having the right staff with the right skills

Because not all risks are technology-based, it is essential that the technical staff responsible for data management in your organization have the required training, knowledge and skills.

Adhering to the relevant International Standards will ensure that you are implementing best practices effectively and efficiently. You will be using the right tools, systems and processes to protect personal data and to mitigate risks.

Implemented correctly, the standards on my shopping list will help you to build a new digital relationship with your clients. That is really what the GDPR is all about.
