— by Pat Cable, Senior Infrastructure Security Engineer, Threat Stack
From time to time Threat Stack invites industry experts to share our blog space, and in today’s post, Chris Lippert, Privacy Technical Lead at Schellman & Company, LLC., takes a look at the General Data Protection Regulation (GDPR), a topic that is on everyone’s mind, whether they’re prepared for it or not.
In this post, Chris explores what’s unique about the GDPR, how it overlaps with existing frameworks including ISO/IEC 27000, NIST, and PCI, and points to how you can leverage your current controls to meet many of the security considerations for personal data under Article 32, as well as other requirements of the GDPR, such as data protection policies or vendor management.
Without further ado, here are Chris’ insights into GDPR.
Here’s the big question: Is the General Data Protection Regulation (GDPR) a revolutionary regulation that introduces new concepts of security and privacy? The answer — yes and no. The GDPR does introduce new requirements that are specific to the European Union, but it does so while encapsulating them in a somewhat familiar structure. Although some of the requirements get into specifics with data subjects or specific processes, a number of them have an underlying security and privacy framework that can easily be distinguished.
In this post, we are going to explore key overlaps and differences of GDPR compared to other frameworks, including ISO/IEC 27000, NIST, and PCI, and then look at ways organizations can begin to bridge the gaps to achieve alignment with GDPR.
How the GDPR overlaps, and does not overlap, with existing frameworks
The GDPR incorporates requirements into the regulation that should be familiar to most organizations, such as impact assessments, risk assessments, appropriate technical and organizational controls, etc. Most of these are the common building blocks for any security program, and these concepts can be identified in ISO/IEC 27000, NIST, and PCI frameworks, as well as numerous others. The idea of performing risk or impact assessments on a periodic basis and keeping those up to date is nothing new, and the idea of implementing mitigating controls, based on the risks identified in those impact/risk assessments and deemed appropriate by the organization, has been around for years. Within GDPR, these older concepts have been repackaged. As such, organizations with these practices already in place will see some overlap in their current method and the GDPR, as well as similarities in the frameworks and standards utilized by the organization to implement those practices.
Exactly how much overlap is there?
Although some of the impact assessments, risk assessments, and technical and organizational controls may be leveraged by the organization in order to meet GDPR, there will still be a new, large gap to close in order to become compliant. Most organizations hope or expect that the procedures or controls they have in place to meet the ISO/IEC 27001, NIST 800-53, etc. frameworks will also comply with most of the considerations under the GDPR. Unfortunately, this may not be the case for the majority of organizations. Why? Because these frameworks do not incorporate a key concept found in the GDPR — one that originated in Ontario, Canada, but has since been making its way around the globe — the concept of Privacy by Design.
Most of those previously identified frameworks do not establish a foundation in privacy. In fact, most policies, procedures, and controls have security at the center, since personal data was not a major consideration several years ago.
- ISO/IEC 27001 specifically addresses an information security management system.
- PCI does not include any aspect of privacy-related matters.
- While NIST 800-53 does include privacy-specific controls and matters in Appendix J of the most recent version, it is not at the forefront.
These are just a few of the most common frameworks utilized and adhered to by organizations around the world, and they either consider privacy as an add-on or not at all.
Because these frameworks do not have personal data at the center, there are aspects of the GDPR that will not be addressed by these frameworks, because the specific requirement under Article 32 of the GDPR to encompass security controls reads as follows:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”
The key consideration here is for “the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.” Addressing risks at the personal data and data subject level has not been and is not a key consideration called out under other previously existing frameworks.
As such, organizations should take another look at the risks present for personal data and ensure that organizational measures and logical and physical controls are in place to ensure that personal data is appropriately protected. For the GDPR, it is important to note that the logical and physical controls should at least address the risks specified under Article 32(2). Without focusing on these risks during an impact or risk assessment, the likelihood that all relevant risks have been considered and all appropriate technical and organizational measures have been implemented to secure the personal data collected and processed is relatively low.
Are my current controls worthless for meeting the GDPR?
Not at all! They can still be leveraged and meet many of the security considerations for personal data under Article 32, as well as some other requirements of the GDPR, such as data protection policies or vendor management. The only differences that must be newly addressed are personal data and the natural person from whom the data was collected and processed, because those were not included as an integral part of the design phase in the construction of your previous frameworks.
To illustrate some of the areas that can carry over and help meet the requirements of the GDPR, the privacy team at Schellman will be publishing a short series of blogs to highlight some GDPR topics that could leverage existing practices under the ISO/IEC 27001/2 and ISO/IEC 27018 frameworks. Again, companies should take another look at the practices identified to determine whether they encompass the risks associated with personal data, but the mapping should provide a starting point for discussions on compliance and gaps.
Stay tuned in the coming weeks for blogs on leveraging existing ISO/IEC 27001/2 and ISO/IEC 27018 controls, respectively!
In the meantime, feel free to download the following ebooks prepared by Schellman & Company for additional information and guidance on the GDPR:
About Schellman & Company, LLC.
Schellman & Company, LLC is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, HITRUST Assessor, and a FedRAMP 3PAO. We are a trusted provider to the world’s leading companies, from the Fortune 1000 and publicly traded companies, to privately held entities of all sizes. Our service delivery model allows for optimum quality and client experience for organizations of every size and complexity. We are setting the pace and blazing new trails. We are the only company in the world capable of providing our clients the rare opportunity to achieve multiple compliance objectives through a single independent assessor — using experienced teams dedicated to delivering the highest quality.