EU GDPR – a data privacy culture

EU GDPR hails a new era of data protection where tick-box compliance is replaced by understanding and accountability.

Back in January Elizabeth Denham, the UK Information Commissioner, delivered a speech on GDPR and accountability to the Institute of Chartered Accountants.

The message was clear:

“The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation.”

Elizabeth Denham, UK Information Commissioner

The GDPR regulation replaces the current Data Protection Act in only 10 months' time. It focuses on you as a data controller of Personally Identifiable Information (PII) related to customers, sales prospects, and personnel. It also focuses on you as a data processor of others' valuable data.

The enormity of GDPR and its implications for businesses of all sizes are just beginning to hit home for many.

But why is that?

Because you can’t have data privacy without data protection and you can’t have data protection without information security. Deeper than that, the GDPR requirements span processes, people and technology, cutting across the entire organisation and requiring a cultural sea change, or indeed ‘C’-change, for many.

But where to start with GDPR?

Whilst Denham refers to frameworks, mitigating risks and creating cultures, there is currently no recognised GDPR ‘framework’ to follow or indeed a certification that can demonstrate to regulators and customers that you are compliant.

The benefit of following a framework is that the proven structure has already been defined, saving an enormous amount of time. And, with time running out, why build a framework when there is already something that will get you a significant way there?

Some quote NIST Cyber Security and Cyber Essentials as useful approaches. Unfortunately, they are not in themselves adequate for meeting regulatory requirements around information security for GDPR.

ISO 27001 and GDPR

However, ISO 27001 does satisfy many of the GDPR requirements and is an over-arching Information Security Management System (ISMS) governance framework. It’s also the internationally recognised best practice ISMS framework, the only one to cover process, people and technology in the mitigation of risks surrounding all valuable information assets, for example IP and financials, and not just PII.

In using ISO 27001 you can turn your GDPR challenge into an opportunity.

Taking your organisation from purely meeting the regulatory requirements to demonstrating an externally accredited ISMS requires just a little more effort. However, it will deliver greater organisational benefits in terms of new business opportunities, strengthened data privacy and information security throughout your own organisation and that of your supply chain and, ultimately, reduced risks.

Are you ready to demonstrate GDPR compliance? The good news is there’s still time!

By May 2018 organisations must be able to demonstrate compliance with GDPR or risk not only costly breaches, but regulatory investigations and a far more punitive application of fines. The UK Information Commissioner’s Office is helping organisations prepare for GDPR with a set of simple self-assessment toolkits to gauge readiness for GDPR in terms of data protection, information security and management of records.

Regulators will be looking to see that you have understood and managed the data risks, have documented procedures in place, and have full staff awareness and engagement in data privacy. Using you can accelerate your GDPR preparation to meet the pending deadlines.

With you can:

And, if you are ready to take a further few steps, you can build an ISO 27001-aligned ISMS and achieve external certification to easily demonstrate trust in you and your supply chain.