The deadline for your organization to comply with the European Union's General Data Protection Regulation (GDPR) has come and gone, but that doesn't make compliance any less important or any less complicated. Understanding where your data resides today and developing processes for providing consent, or complying with the right to be forgotten, are major initiatives that your organization will need to solve to move in the direction of compliance—and that's just the beginning. More broadly, you'll want to implement a data-centric approach to your security strategy so you can better evaluate risk and anticipate future regulations in today's developing privacy landscape. Even then, a compliant organization isn't necessarily a secure one. In fact, it often isn't, so simply aiming to satisfy minimum requirements won't always protect your organization. What might seem like an easy fix now could end up costing you more in the long run.
As you can see, all of these security questions and the surrounding uncertainty can quickly become overwhelming. Don't try to tackle everything all at once. Instead, start by considering the following five questions. They can point you in the right direction as you begin the compliance process.
- Do you understand the consent rules?
- Do you know which outsourcers have access to the data?
- Are you sure you can detect data breaches?
- Do you follow privacy by design and privacy by default principles when designing new systems?
- Where should you turn for guidance?
GDPR and ISO security standards: Where to begin?
There are so many facets to the GDPR that require your organization's understanding and compliance that it can be difficult to determine where to start. We suggest looking to the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) data security standards for information security management. These standards provide a helpful framework for establishing how your organization should work toward compliance. They can show you which of your security practices already satisfy relevant security controls and which ones should be prioritized to address gaps in your compliance. They will also give you a better understanding of the international privacy landscape and how the different regulations fit together and sometimes overlap.
For the purpose of this blog, we will focus on how to use the latest ISO standard for information security as a template for cybersecurity best practices and, in the process, help your organization in its pursuit of GDPR compliance.
How do the ISO security standards help with GDPR compliance?
GDPR went into effect in May 2018, and ever since then, organizations have been looking for ways to demonstrate compliance and avoid the potential fines associated with the influential privacy measure. Several rigorous international data security standards double as best-practice frameworks that you can leverage to support your organization as it addresses not only GDPR but wider information security and privacy requirements. One example is ISO/IEC 27018, an international code of practice for managing personally identifiable information (PII) on public clouds. It builds on the general controls described in ISO/IEC 27002 and is appropriate for any organization that processes PII.
What ISO/IEC 27018 means for PII in the cloud
ISO/IEC 27018 ensures you address security issues related to PII stored on the public cloud. By using this framework, along with a robust ISMS (Information Security Management System), you demonstrate your commitment to protecting personal records and can provide the extra reassurance clients require for cloud computing—data protection by design and default. ISO/IEC 27001 is the internationally recognized standard for an information security management system. It provides you with a great framework to address information security risks with appropriate measures and controls. It’s an ideal starting point for any organization that needs to manage and respond to information threats and build resilience.
ISO IT security standards
ISO/IEC 27001 outlines specific requirements and controls that ensure you not only respond to contractual and regulatory requirements, such as the EU's GDPR or the California Consumer Privacy Act (CCPA) in the U.S., but also put the appropriate controls in place to manage risks to your organizational data, including personal records. By adopting ISO/IEC 27001 as your best-practice framework, you’ll be in a good position to identify your requirements for GDPR, as well as implement appropriate controls and any additional measures required. Internationally recognized, ISO/IEC 27001 is an excellent framework that helps organizations manage and protect their data assets so that they remain safe and secure. It helps you to continually review and refine the way your organization protects PII assets—not only for today, but also for how you protect PII in the future.
ISO security standards are part of a bigger solution
Achieving an ISO/IEC 27001 certification greatly assists as credible evidence that your organization is taking the appropriate measures to comply with GDPR. However, it is just one aspect of a more comprehensive compliance strategy. It should inform and function as part of the foundation of your overall data protection process—think of it as more of a complementary compliance piece.
For a holistic approach to compliance, consider practicing data minimization and using scope-reducing security technologies, such as tokenization. Tokenization—especially cloud-based platforms—can effectively and efficiently reduce the compliance scope of an organization’s internal systems. By capturing sensitive data at the point of acceptance and tokenizing it before it enters your network environment, tokenization removes sensitive data from your systems and stores it in a cloud-based vault. This relieves your organization of the need to store sensitive information and virtually eliminates the risk of data theft.
Because tokenization replaces a sensitive value with a placeholder token, a breach of a tokenized system would not reveal sensitive data. Instead, the nonsensitive tokens would be the only things exposed—the original, sensitive information is stored in a cloud-based vault outside of your organization’s environment.
As it relates to GDPR, tokenization not only secures sensitive data, but it also devalues it. In other words, it desensitizes the data via the process of pseudonymization, which the GDPR specifically mentions as an appropriate method for de-identifying data. In fact, Recital 29 mentions incentives for organizations to apply pseudonymization, and Articles 25 and 32 specifically call out pseudonymization as an appropriate technical measure for protecting personal data.
“The processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information.”
– Pseudonymization as defined in Article 4(5) of the GDPR
Additionally, the GDPR is more lenient in its restriction of the use of personal data when that data is de-identified. Article 6(4)(e) potentially allows processors to use pseudonymized data for purposes outside the realm of why the data was collected in the first place.
Pseudonymization is an extremely useful tactic for achieving regulatory compliance, and it comes as a direct result of tokenization. This demonstrates the value of employing a data-centric security and risk-reduction strategy: It can beget compliance on its way to achieving its intended goals of security and risk reduction. In effect, by focusing on security and risk—instead of simply trying to meet the bare minimum of obligations necessary for compliance—the act of becoming compliant takes care of itself, improving an organization’s overall security practices in the process.
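To make the tokenization-as-pseudonymization mechanism concrete, here is an added Python example (constructed for this post, not TokenEx's product or code): a toy vault mints random tokens at the point of acceptance, the application stores only those tokens, and a simulated dump of the internal store contains none of the original values. The vault is the "additional information" of Article 4(5), so it is the component that must live outside the environment you expect to be breached; the card numbers are constructed sample values.

```python
import secrets

TOKEN_DIGITS = 16  # constructed choice: length of the minted token


class TokenVault:
    """Toy vault (constructed for this example): maps tokens to originals.

    In the architecture described above this store sits outside the
    organization's own environment; internal systems hold only tokens.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize(self, value: str) -> str:
        """Return the token for value, minting a fresh random one on first sight.

        The token comes from a CSPRNG and is not a function of the value, so
        unlike a hash it cannot be inverted or brute-forced from the token alone.
        """
        token = self._value_to_token.get(value)
        if token is None:
            while True:
                token = "".join(secrets.choice("0123456789") for _ in range(TOKEN_DIGITS))
                if token not in self._token_to_value:  # avoid reusing a minted token
                    break
            self._token_to_value[token] = value
            self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        """Reverse a token: only the vault (the 'additional information') can do this."""
        return self._token_to_value[token]


def ingest(vault: TokenVault, raw_records: list[dict]) -> list[dict]:
    """Tokenize the sensitive field before the record enters internal storage."""
    return [{**r, "card": vault.tokenize(r["card"])} for r in raw_records]


def sensitive_values_exposed(stored_records: list[dict], originals: set[str]) -> set[str]:
    """Simulate a breach of the internal store: which original values does it leak?"""
    return {r["card"] for r in stored_records} & originals
```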
About the Author
Ulf Mattsson is the Head of Innovation for TokenEx, and he is the inventor of more than 55 patents in the areas of encryption, policy-driven data encryption, internal threat protection, data usage control, and intrusion prevention.