Good Enough IT Risk Management

GDPR Compliance: Don’t Start from Scratch – Just Bridge the Gap

Wednesday, 06 September 2017 / by Jakob Holm Hansen

Even though GDPR is right around the corner, it makes a lot of sense, practically and financially, to maintain your traditional information security measures, because compliance with the Data Protection Regulation both can and should build upon the security measures you already have.

The EU, authorities, politicians, and others with a stake in data security have managed to put GDPR at the top of the list for many private and public organisations. That’s very positive. However, this focus on GDPR has unfortunately meant that some organisations have neglected the necessary maintenance of their traditional information security, says Jesper E. Siig, Senior Security Advisor at Neupart. Instead of working with information security and data protection on two parallel tracks, Jesper encourages organisations to build upon the foundation of their existing information security processes. For many public and private organisations, those processes will be based on the ISO 27001 standard.

Struggle to cover everything

“When we ask organisations how far along they are in their GDPR preparations, they often tell us they struggle to tick all the boxes before May next year. As a result, they often neglect their ISO maintenance,” says Jesper.

It’s not that organisations intend to set aside the information security they have built up over the years. There are just too many that don’t build their GDPR compliance upon their existing security measures, even though that is exactly what they should be doing.

“The ICO has already emphasized that the GDPR is an evolution in data protection, meaning it builds upon established best practices. By bridging the gap instead of starting from scratch, you save both time and energy,” explains Jesper E. Siig.

Parallels Between the ISO Standards and the GDPR

If you dig a little deeper into the Data Protection Regulation, Article 32 specifically focuses on information security and on how organisations should meet the new requirements in the regulation. It says, among other things, that as a Data Controller you must have adequate technical and organisational measures in place. These measures can be implemented with help from both the ISO 27001 and ISO 27002 standards for information security.

The regulation requires that you can ensure confidentiality, integrity, and accessibility, and that you can restore access to personal data. These are all classic requirements within the world of information security.

Lastly, the GDPR focuses on basing your security measures on the most relevant risks. It is this same risk-based practice that forms the foundation of the ISO 27001 standard.

Don’t Throw the Baby Out!

In other words, you shouldn’t throw the baby out with the bathwater when it comes to information security, GDPR, and personal data protection. Many public and private organisations are already following the right processes, and they simply need to keep doing that.

As Jesper E. Siig says: “The better you maintain your existing information security, the closer you are to automatically complying with the Data Protection Regulation.”


Want to Get Started on Your GDPR Compliance?

Sign up for our event in Data Protection: Your Roadmap to Compliance. We promise strong coffee, a good breakfast, and informative talks. We'll cover the difference between the GDPR and the Data Protection Bill, and provide you with a framework to get started on your compliance. Read more and sign up here.

Topics: GDPR, compliance
