Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation.
Many organizations are currently putting a lot of effort into becoming GDPR-compliant. For good reason: time is running out. However, these GDPR initiatives pose some significant challenges. First, GDPR projects are often costly and require a lot of internal and external resources. Second, timelines are challenging. Third, GDPR is often perceived as a Legal or Compliance responsibility. Fourth, the confidence level of having identified all risks is often limited. Finally, GDPR compliance initiatives are often focused on the May 2018 deadline and are not sufficiently future-proof. But you don’t need to start from scratch…
Did you already have a good look at what you already have?
A lot of organizations have an Information Security Management System (ISMS) in place which is closely aligned with (parts of) ISO 27001. The GDPR encourages the use of certification schemes like ISO 27001 as a way of demonstrating that the organization is actively managing its data security in line with international best practice.
ISO 27001 is a certifiable international best practice for protecting an organization’s information by implementing controls which encompass people, processes, and technology. An ISO 27001 certified ISMS is supported by top leadership and is part of the organization’s culture and strategy. It uses a risk-based approach which is constantly monitored, updated, and reviewed. By continually identifying and reducing risks, your organization will be able to ensure that information remains adequately protected in changing circumstances.
So why don’t you leverage your ISMS in order to become GDPR-compliant? You will probably find out you already have quite a few controls in place that protect personal data. And instead of implementing controls indiscriminately to reduce your data breach risks, you will implement effective and adequate security measures based on the outcomes of a formal risk assessment which is part of your ISMS. As a bonus, it will save you a lot of time and money, and future GDPR compliance will automatically be incorporated in your existing ISMS.
Become GDPR-compliant in six steps
- Step 1: Identify where your personal data resides and where and how it is processed
- Step 2: Identify the risks which could cause a breach of your personal data
- Step 3: Mitigate the identified risks: apply appropriate measures and controls
- Step 4: Implement policies and procedures to support the controls
- Step 5: Test and audit effectiveness of controls on a regular basis
- Step 6: Review risks, report and update plans on a regular basis as part of your ISMS
It is RGP’s experience that leveraging your ISMS takes less effort and leads to a higher success rate for GDPR compliance initiatives. It will substantially increase the level of confidence of having covered all risks, and it makes sure GDPR compliance is part of your organization’s management framework.