A new set of standards, backed by recognised accreditation, will be necessary if the new General Data Protection Regulation (GDPR) is to be implemented effectively, The Bunker states. Because the regulation is non-prescriptive, clear standards will be required to bring clarity to the market and to help both cloud providers and end users carry out due diligence effectively.
The GDPR was formally passed on 14 April this year as part of the European Commission’s Digital Single Market Strategy. It is designed to better protect citizens’ data and to harmonise legislation across the European Union (EU). The GDPR brings an array of new guidelines for organisations in relation to Personally Identifiable Information (PII), and it stipulates the auditable assurance that every company controlling or processing PII will need to demonstrate.
Businesses operating within the EU have until 2018 to implement the required changes. However, no standard is yet in place that specifies whether the measures an organisation has put in place can be deemed appropriate Technical and Organisational Measures (TOMs) under the terms of the GDPR when scrutinised in a court of law.
According to Phil Bindley, CTO of The Bunker: “The wording of the regulation indicates that at some point in the future someone will create a standard that helps organisations understand the requirement in the context of TOMs. It would be ideal if this defines what needs to be done to demonstrate compliance with the standard and provides support accreditation.
“The subsequent issue is then raised of who will actually create this standard. It can’t just be left to policy makers and lawyers. This needs insight into the ‘real world’ of information security practice. It also needs to drive a consistent set of behaviours and promote the culture that change is needed inside organisations to achieve proper security for the right reasons, not just the fear factor.
“If we allow policy makers and lawyers to dictate the terms, then as information security professionals we have missed a once-in-a-lifetime opportunity to evangelise the positive benefits of taking the right approach to security.
“The GDPR is certainly a defining moment in the way businesses need to think about data protection. With or without a ‘GDPR Standard’, I am confident that by applying the knowledge, expertise, processes and culture we have created over the past 12 years, The Bunker genuinely helps customers old and new to comply with the terms of the regulations. And we are more than prepared for this,” concludes Bindley.