The General Data Protection Regulation (GDPR) makes reference to approved certification mechanisms as a method of ensuring the security of data. This can be reflected across to Data Processors as well as Data Controllers.
Whilst the GDPR is not specific as to what these certified mechanisms are, it is a fair assumption to make that any current and recognised standard which provides a measurable improvement model around data management, will likely suffice.
The GDPR sets out a new approach to continuous compliance with Data Protection law. Focused on ensuring that Data Controllers, and their third parties, are continuously driving best practice in data management, to mitigate the likelihood of data breaches, there will now become a driving need for organisations to embed measurable change management to ensure this.
Many enterprises are currently highly familiar with utilising standards to implement best practice, but for most SMEs, this will be new territory.
From a data management perspective, there are two core objectives which should be considered when deciding on implementation of standards. The first is IT security, and the second is quality. By ensuring the first, you are putting in place strong controls around how data is processed, and by implementing the second, you are providing a framework for repeatability of assured processes.
All of this leads to reduced risk of data breaches, in particular if you can embed strong security with quality of delivery.
So, what is the best way to do this? Firstly there are many international standards which one can choose when pursuing security and quality, but from my personal experience ISO 27001:2013 and ISO 9001:2015 are amongst the best out there. The former covers all the bases with regards to security, whilst the latter is the benchmark for assured quality programs. Also, they both compliment each other, which is always useful if you are implementing them at the same time.
However, implementing these standards is not for the meek. ISO 27001 can easily take over 12 months to complete from end to end, whilst ISO 9001 can be from 3-6 months. Be prepared for significant business impact on existing processes and to begin embedding a step change in employee behaviour and practices. Also, ISO 27001 can extend significant obligations and limitations out to third parties, or other parts of the business, where there may be data over-lap, which may be commercially challenging.
Nonetheless, the benefits are clear. Being able to provide clear and demonstrable evidence of controls around security and quality should go a long way in reducing the risk of breaches, or fines in the event any get past the net.
In future articles I will talk in more depth about my experiences implementing programs of work using these standards, and for completeness I will also talk about other international standards, including our own experience here in Sytorus/PrivacyEngine, in building a Capability Maturity Framework for Data Protection with a leading university here in Ireland, called DP-Checkpoint.