The GDPR covers a broad range of personal data, including online identifiers such as IP addresses and cookies, and at the other end of the scale, credit card and health information. It affects the way that organizations collect personal data, how they store it and how they use it. Full compliance is a mandatory legal requirement to avoid severe sanctions, including fines of up to EUR 20 million — or 4% of global turnover, if the amount is higher.
In order to comply with an individual’s “right to be forgotten”, for example, organizations must be able to delete personal data whenever requested, wherever it resides. The GDPR also enshrines the right to “data portability”: the idea that citizens should be able to transfer personal data easily between different service providers. The GDPR ensures that personal data is kept only with a client’s explicit consent, used only for the purpose for which it was obtained and stored no longer than absolutely necessary. Not only does permission to use data have to be clear and concise, but users must also be able to revoke it at any time. Organizations must follow strict guidelines to ensure that data is always accurate and processed in a fair and consistent manner. If there are any security breaches, organizations are bound to inform the relevant supervisory authorities in their countries within 72 hours.
Different kinds of legal risk
Regulatory compliance is not the only challenge. Litigation poses a serious threat to organizations, especially in cases where customers, employees or business partners suffer actual financial losses — for example, in the case of criminals taking advantage of poor security to steal credit card information. The phrase ‘actual financial losses’ can also refer to a drop in a company’s share price. This was the case, for example, when Yahoo shareholders brought a class action lawsuit after the company’s market value dropped as a result of criminals taking advantage of poor security to steal sensitive data. Yahoo settled for USD 80 million in early 2018.
It is essential, in terms of mitigating the risk of fines or litigation, that organizations are able to demonstrate that their services are safe and that they are taking reasonable care to protect the data of their customers and business partners. In the event of a data breach due to inadequate protection measures, some legal systems view unkept promises made to customers about safeguarding their data as tantamount to engaging in unfair and deceptive practices. In 2017, the US health insurance company Anthem settled a class action lawsuit for USD 115 million over a breach that had compromised the personal information of nearly 79 million people.
It is important to seek out good advice, not least because not knowing the law has never worked as a defence for failing to comply. Fortunately, international standards, which are based on global best practices identified by the consensus of the world’s leading experts, provide invaluable help and support. More than 40 standards make up the ISO/IEC 27000 family of information security management standards. This family provides requirements and supporting guidance for establishing, implementing, maintaining and continually improving an information security management system. For example, these standards can be used to guide and support an organization in addressing the information security and privacy protection requirements of the GDPR, helping it achieve compliance.
Here are eight things organizations can do to help satisfy the most stringent legal regulations with the help of IEC and ISO standards.
1. Establish an information security management system (ISMS)
The ISMS requirements described in ISO/IEC 27001 define a cyber risk management-based approach to managing people, processes, services and technology. Using ISO/IEC 27001 helps organizations to manage their information security risks, including threats, vulnerabilities and impacts, and to design controls that protect the confidentiality, integrity and availability of data and regulate access to critical information systems and networks. The standard emphasizes that its risk management process must take account of legal, regulatory and contractual requirements (see point 8).
2. Commission an independent audit
In terms of mitigating cyber risk, the first step every organization should take is to implement the ISMS standard ISO/IEC 27001 and then commission an independent ISMS certification audit to ensure compliance with the requirements of ISO/IEC 27001. An ISMS certification will help organizations demonstrate that their cyber-risk approach has taken account of local and international laws and regulations. ISO/IEC 27014, which offers support on the governance of information security, recommends such an approach. Other standards in the family that support the implementation of ISO/IEC 27001 include ISO/IEC 27005, which provides guidance on information risk management, and ISO/IEC 27004, which suggests metrics for evaluating the effectiveness and performance of information security systems.
The aim of an ISMS certification audit is to verify that the organization has considered and assessed the cyber-risks it faces and that it has implemented an effective and appropriate set of controls to mitigate these risks; these controls include both information security and privacy protection controls. The certification audit should verify that the organization has taken account of all business, contractual, legal and regulatory requirements (e.g. GDPR) in its risk assessment. ISO/IEC 27014 provides guidance on establishing an information security governance framework to ensure that the organization is properly addressing its internal governance requirements in compliance with external rules and regulations.
3. Keep an accurate data inventory
It is impossible to manage risk effectively, or to comply with regulations about access and portability, without implementing an effective set of controls. For example, an organization should have an accurate inventory of data and network assets. ISO/IEC 27002 is a code of practice that collects such information security controls together with guidelines for implementing them: for example, identifying information assets, defining appropriate protection responsibilities and maintaining an inventory that is up to date, consistent and aligned with the organization’s other inventories. ISO/IEC 27002 is a baseline control set supporting ISO/IEC 27001 and the mitigation of cyber risk.
4. Implement a Privacy Information Management System (PIMS)
ISO/IEC 27701 is an extension to ISO/IEC 27001 that provides a comprehensive set of operational controls for implementing, maintaining and continually improving a PIMS, including privacy processing controls. Implementing ISO/IEC 27701 and ISO/IEC 27001 helps to meet the EU GDPR’s requirement for “appropriate technical and organizational measures”. The standard’s Annex D maps its recommendations to the GDPR.
5. Facilitate portability and implement a data minimization process
The GDPR gives individuals the right to access their data and find out how it is being used. ISO/IEC 19941 provides support to organizations that need to enable their customers to move their data or applications between non-cloud and cloud services, as well as between cloud services. Another important requirement of the GDPR is “data minimization”, which means keeping data that can identify individuals for no longer than necessary. ISO/IEC 27018, a code of practice for the protection of personally identifiable information (PII) in public clouds, contains important advice on the secure erasure of temporary files within a specified, documented period. A complementary standard, ISO/IEC 27017, addresses information security in the cloud. Another standard, ISO/IEC 27555, currently under development, will provide guidelines on establishing a PII deletion concept in organizations.
6. Implement an incident response plan
An incident response plan is important in terms of mitigating the risk of litigation. It also helps to ensure that the breach notification requirements of the GDPR (72 hours) and of any other relevant laws or regulations are respected. The two-part ISO/IEC 27035 presents principles of incident management and a complete guide to planning and preparing for incident response.
7. Don’t forget supplier relationships in your security strategy
It is vital that an organization’s legal risk mitigation strategy takes into account third-party relationships, since the security practices of a vendor become part of the organization’s own risk profile. This was the case, for example, with the US retail giant, Target, after hackers used the network credentials of a heating, ventilation and air-conditioning company to steal personal data from tens of millions of credit and debit cards. Target paid USD 18.5 million to settle multi-state claims, as well as a further USD 10 million to settle a class action lawsuit, in addition to compensation of up to USD 10,000 to customers who suffered directly from the data breach. The four-part standard ISO/IEC 27036 provides guidance on supplier relationships, including supply chain and cloud service security.
8. Take out cyber-insurance
Organizations are strongly advised to have adequate cyber-insurance in place to cover any operational or legal costs, including possible fines, related to serious breaches. ISO/IEC 27102 provides guidelines on cyber-insurance to cover potential financial losses. The standard looks at the kind of losses covered and what measures need to be in place to satisfy the insurance providers. ISO/IEC 27102 notes that an ISMS “can provide the insured and insurer with data, information and documentation that can be used in cyber-insurance policy inception, cyber-insurance policy renewal and throughout the lifetime of that cyber-insurance policy”.