There has been talk about certification but does anyone know if there are serious plans to go down this route
I am aware that BS 10012:2017 Personal Information Management System is possibly the best option in the short term - interested in your thoughts
EU GDPR Practitioner (EU GDPR P) qualification (ISO 17024-certificated).
Attendees take the EU GDPR P exam at the end of the course – a 90-minute, multiple-choice, ISO 17024-certificated exam set by IBITGQ. There is no extra charge for this exam.
The gold standard seems to be the IAPP CIPP/E, CIPT or CIPM accreditation. I'm currently working on obtaining IAPP's CIPP/E certification. There is a good free on-line course available to get you started on the GDPR, and I've bought the book "European Data Protection, Law and Practice" edited by Eduardo Ustaran, CIPP/E (available from the IAPP website).
For the "can I get ISO27001 for GDPR compliance" certification.
There are concepts such as a European Data Protection Seal, but I doubt these will amount to much more than consumer badges of trust. You can have a google, Europrise is the most well-known one.
Hi, @Gchanner65 ..
So, you meant certification: a system to validate the compliance of an organisation with the GDPR, where I understood you meant certification: a system to validate the knowledge of a person about the GDPR
Come to think of it, it strikes me as a bit odd that we should have a certification that assures an organisation's compliance with the Law. They hardly have a choice, do they? To put it bluntly: you can't have any "uncertified" company in the EU, they ALL will have to comply with the Law, or else!
You can, of course, educate people (whom may work in organisations) and test if they understand what it means to comply with the GDPR. And of course, there are certain roles and techniques that not everybody needs to understand, e.g. what a DPO does or how to do a DPIA. So, it makes sense to certify that people that fulfil these roles or use these techniques can be trusted to do so / use them. That's what the IAPP tries to achieve, methinks.
So - why do we need a certification system for compliance with the GDPR?
I barely can see such certification. GDPR is very high level. After you study the regulation you will be able to answer to legal questions only. However, it requires implementation and that does not exist in GDPR text. Moreover, there is a lot of confusion around its implementation. The leading misconception on the market is that vendors proposing to implement "security". However, the core of GDPR is "privacy". While security controls should exist in GDPR implementation (see NIST SP800-53 or ISO 27000 or DSS) real implementation requires PRIVACY controls. That is the problem. Security vendors are not ready to do that. They can recommend say a firewall or logs' analysis but what is "Accounting of Disclosure" they have no clue about. That is one of privacy controls you can find in NIST SP800-53, see Revision 4 or Revision 5 Draft. You can also go on our site www.rubos.com to see our DeepSec 2012 presentation (in Research) or the presentation text draft (more informative). That was our response to the challenge "How to implement GDPR". We developed the framework for that. You may be interested to see how high level GDPR is converted in software application development logic. Keep in mind - we did that for GDPR draft. Current regulation may have some differences.
@mutin- interesting. I somewhat disagree with the notion that there are no implementation details (at all) in the GDPR, at least the concepts of a DPO and DPIA are given, for example. And, for example, Article 30 clearly indicates - in great detail - which data is to be kept by who (the controller). So, at least the 'what' is specified, and sometimes the 'how' is also quite clear. The GDPR refers to well known concepts in the information security world, e.g. Article 35 (d) refers to doing risk analysis, which has been one of the cornerstones of the infosec field for decades and for which we have a kazillion methodologies ( selecting one involves taking a risk in itself, methinks )
But I will check out the framework, thanks for the pointer!
BTW, sorry to have to say this @mutin, but I find your site a great example of unneccesary obfuscation of possibly usable information. You and I seem to share a character treat: we tend to use too many words to get our point across .
The slides in your presentation contain a lot of data - actually, they read as if you dumped a paper into powerpoint - and I find it hard to find the core, usable, applicable information. It seems you (or your group) did some good work, for example the comparison between various regulations / laws. The conclusion seems to underline my perception that much that is needed is already available (a core theme in all my work): [...] our analysis has shown that there is a very strong correlation between privacy controls. In fact, NIST standards supersede old HIPAA, and represent more concrete outcome of EU GDPR.
But maybe the presentation is not the best source for your work - is there a paper we can download and discuss?
ETA-1: just found it!
ETA-2: but it's still a draft, is there a finished version?
@fortean 100%. Privacy has a very strong correlation with regards to the appropriate controls for nearly all laws globally.
Is a 'Character Treat' a cornucopia of pre-conjugated irregular verbs for the delectation of those who wish to obviate the need for obfuscation by steganographic praxis misapplication of a heliocentric orbital Kepler interpretation? I think we should be told.