International Standards provide toolkit for GDPR compliance

Organizations all over the world are being forced to comply with sweeping new EU data protection rules

By Michael A. Mullane

When the European Union’s General Data Protection Regulation (GDPR) comes into force, on 25 May, it will have a humongous impact on web properties all over the world. It will affect all organizations, wherever they keep their servers, if they provide EU citizens with any kind of information, content or service online.  

GDPR infographic What is personal data? (Photo: ec.europa.eu)

The owners of web properties will need explicit permission from their users to continue collecting, storing, analyzing, or sharing personal information, as they do now, with analytics companies, advertising partners, marketing groups and numerous other third-party entities. It will likely transform the way data is treated everywhere as businesses will want to avoid the additional costs of managing different data regimes. 

The GDPR will impose severe restrictions on the transfer of data outside the EU, both to other countries and international organizations. Full compliance will be a mandatory legal requirement to avoid severe sanctions, including fines of up to EUR 20 million – or 4% of global turnover, if the amount is higher. 

Organizations across the world are racing against the clock to respect individual rights, increase data protection and to guarantee privacy on their websites. International Standards are providing a toolkit of tried and tested technologies to achieve compliance. 

The challenge

The GDPR covers a broad range of personal data, including online identifiers such as IP addresses and cookies, as well as credit card and health information at the other end of the scale. It will transform the way that organizations collect personal data, how they store it and how they use it.

In order to comply with an individual’s “right to be forgotten”, for example, organizations will have to be able to delete personal data whenever requested. The GDPR also enshrines the right to "data portability": the idea that citizens should be able to transfer personal data easily between different service providers. 

The GDPR will ensure that personal data is kept only with a client’s explicit consent, used only for the purpose for which it was obtained and stored no longer than necessary. Not only will permission to use data have to be clear and concise, but also users will be able to revoke it at any time. 

Organizations will have to follow strict guidelines to ensure that data is always accurate and processed in a fair and consistent manner. If there are any security breaches, organizations will have to inform the relevant supervisory authorities within 72 hours.

As 25 May draws closer, developers are rebuilding websites to ensure there is no automatic collection of data whenever visitors land on a page. They are tweaking all kinds of software to guarantee privacy by design and default, but many online service providers remain concerned about compliance as the official guidelines are complex and sometimes difficult to relate to real world situations.

Keeping up to standards

International Standards provide a robust and reliable framework, based on best practices identified by the leading industry and technology experts around the world, for gathering, storing and processing sensitive data in the context of different regulatory requirements. The Standards produced by experts working in Subcommittee (SC) 27: IT Security techniques, of ISO/IEC JTC 1, the Joint Technical Committee on information technology set up by the IEC and ISO, provide not only a complete toolkit and methodology for data security management, but also demonstrate best practices from the real world.

The best practices reflected encompass the fields of data security, information exchange, storage protection and processing. The ISO/IEC 27000 family of Standards on security techniques for information technology provides a powerful framework for enabling organizations to benchmark against best practices in the implementation, maintenance and continual improvements of controls.

In this context, ISO/IEC 27001, Information technology  Security techniques  Information security management systems  Requirements, is a significant standard in the ISO/IEC 27000 family. According to the international data protection experts, IT Governance, “a company that has implemented ISO/IEC 27001 has already done at least half the job of achieving GDPR compliance by minimizing the risk of a breach”.

ISO/IEC 27001 identifies potential risks to client and stakeholder data and ensures that organizations implement the relevant controls to mitigate them. It takes in encryption, ongoing testing and risk assessment and the ability to restore access to personal data quickly in the event of an incident.

Currently under development, ISO/IEC CD 27552 will soon deliver an enhancement to ISO/IEC 27001 for privacy management requirements. It covers processes for protecting the capture, accountability, availability, integrity and confidentiality of data.

ISO/IEC 19592-1 and ISO/IEC 19592-2, Information technology  Security techniques  Secret sharing, define best practices in the cryptographic techniques used to protect the confidentiality of messages (“secret sharing”) in terms of general requirements and fundamental mechanisms. These techniques can be used to store sensitive data securely in distributed systems. 

ISO/IEC 29100, Information technology  Security techniques  Privacy framework, describes a framework for the protection of personally identifiable information (PII) within information and communication technology (ICT) ISO/IEC 27018 enables organizations to manage security issues related to PII on public clouds.

ISO/IEC 29101, Information technology  Security techniques  Privacy architecture framework, identifies a framework and associated controls for the safeguarding of privacy in ICT systems that store and process PII. 

With a focus on learning, education and training, ISO/IEC 29187-1, Information technology  Identification of privacy protection requirements pertaining to learning, education and training, takes into account the public policy requirements that control the creation, use and interchange of personal data, as well as information life cycle management. These include, but are not limited to, regulations for consumer protection, privacy and individual accessibility.

Conformity assessment

Because not all risks are technology-based, it is essential that the technical staff responsible for data management have the required training, knowledge and skills. The work of the Committee on Conformity Assessment (CASCO) - a joint effort by IEC and ISO - is vital to the process of determining whether an organization meets the requirements related to its technical competence in this area.

ISO/IEC 17024 sets out the general requirements for personnel certification, while ISO/IEC 17065 covers the requirements for certifying products, processes and services.

Adherence to the relevant International Standards ensures the effective implementation of best practices to protect personal data and to mitigate risks. Organizations can use them to build a new digital relationship with their customers, which is a cornerstone of the GDPR requirements.

International Standards can play an important role in helping to protect brand reputations and to minimize adverse publicity by giving clients confidence in the reliability of the systems to which they have entrusted their data. Against a backdrop of sweeping regulatory change, they provide the tools for implementing robust data security management systems that deal with sensitive information efficiently and effectively.

Gallery
Data protection new EU regulation GDPR will likely transform the way data is treated everywhere
GDPR infographic What is personal data? (Photo: ec.europa.eu)
Server rooms store much data Web property owners will need explicit permission from their users to continue collecting, storing, analyzing, or sharing personal information
Flying the flag for data protection in Europe and around the world, the GDPR will have a global impact (photo: GregMontani, Pixabay) Flying the flag for data protection in Europe and around the world, the GDPR will have a global impact