I think you are wise to use the SANS 20 controls. I have only used them once, which was last year working on a cyber-security contract for a global organisation and was impressed by them.
However, one of the key issues will be, a la Article 40, whether Codes of Conduct emerge that specify preferred standards to be used. My expectation is that any Codes of Conduct will not be that specific, and generally will just suggest best practice which SANS 20 certainly is. The Article 42 requirements probably take us to certification in 27001 and BS 10012:2017, but both the standards you are suggesting would be wholly compatible.
All of an EU data subject’s rights present problems, but I agree: what does it take to facilitate the right to be forgotten? Frankly I think of this as a nightmare, and I agree it cannot be achieved without a well-considered technical approach. Imagine the number of times a full name appears on an Agenda or the Minutes of each meeting, and the number of copies that probably exist in most organisations. Redacting all of those would be a challenge, and it’s worth considering that, in all probability, a technical solution will be required to manage paper-based data.
I will drop you a line
What a very interesting, and potentially very valuable thread.
Having recently embarked on the journey towards GDPR compliance for my organisation, I am daunted at what may be involved. Despite having many different layers of security technologies, the only security framework we adhere to is PCI-DSS, so I think this will have to be improved. ISO27001:2013 is my preferred option, but with such limited time left to become compliant ahead of the May deadline, I am thinking this may have to come towards the end of the project lifecycle.
The data audit is the biggest challenge I have right now though. How can I be sure that all the information we hold is captured? I have to rely on people to complete the data audit information to provide me with the type of information we hold, where it is stored and who we share it with. But I am not 100% comfortable with that approach, as I want to be 100% certain that I capture all the relevant information.
Do others have a recommendation as to how best to capture this info? Are there decent automation tools out there that can be recommended, or do I simply have to rely on the results of the audit?
Your approach sounds sound to me.
Extending PCI DSS compliance to all of your data, rather than just credit card data, should provide you with a sound system for control, especially useful when it comes to facilitating a data subject’s right to be forgotten.
ISO 27001:2013 should provide you with a flexible vehicle to not just provide improvements to information security, but also the required documentation to provide proof. I say this having taken five organisations from a blank sheet of paper to ISO 27001 certification on five occasions.
That said, why don’t you also consider aligning your project with BS 10012:2017? It is the British standard for data protection, and is structured as an Annex SL standard which means that sections 4 – 7, and 9 – 10 are identical to the work you will be doing for ISO 27001:2013 compliance.
Additionally you might think of appointing an external auditor to audit your ISMS and PIMS. This will not only provide proof of excellence to your own organisation but also proof to the Office of the Information Commissioner, which might be useful one day to deflect them from investigating you, should a data breach occur. As a further benefit, people don’t normally want to engage in data protection projects, which is the digital equivalent of Health & Safety, with the associated yawn factor. This is especially true of Sales and Marketing departments, who have all the CRM data. However, if you are being audited, in my experience, no one wants to be the person that lost their organisation its certification, and also many people are goal orientated, and winning certification can become a big goal. If you do consider this, the best people I know are at Certification Europe.
Thanks for the reply John - it is really appreciated.
I will certainly look at BS 10012:2017 - that sounds like another valuable standard to be aware of.
Right now though, the biggest hurdle I want to overcome is this data audit. Only when I know that we have comprehensively identified what type of PII we hold for EU residents, where we are storing it, and who we are sharing it with, will I feel comfortable in addressing any GDPR compliance gaps we will have.
And I do agree about the yawn factor - when I have been going through the data audit process with the senior execs, I got the feeling that they weren't quite grasping it. We will see once the audit deadline expires in a week or so, but I was just casting the net to see if there are any recommended, automated tools out there that could help in trawling through our data to maybe pick up on the type of information we are concerned about.
For example, there is the eDiscovery tool within Office 365 that could work, but as far as I can make out, this will only cover mailboxes, SharePoint, etc. I was wondering if there was an equivalent option for a file server.
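A first-pass sweep of a file share for the kinds of personal data discussed in this thread, as an added example; it is not a tool mentioned by anyone in the thread and has nothing to do with the Office 365 eDiscovery feature. The PII patterns, the text extensions, the size limit and the sample share it builds are all constructed assumptions for illustration, and the regexes are deliberately loose, so hits are candidates for manual review rather than a finished inventory.

```python
import os
import re
import tempfile
from collections import defaultdict

# Hypothetical patterns for a first-pass discovery sweep (added example, not a
# product). Simple on purpose: expect false positives and review hits by hand.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # UK National Insurance number, e.g. AB123456C (format check only)
    "uk_nino": re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2}\d{6}[A-D]\b"),
    # UK phone numbers in common written forms, e.g. 020 7946 0123
    "uk_phone": re.compile(r"\b(?:\+44\s?|0)\d{2,4}[\s-]?\d{3,4}[\s-]?\d{3,4}\b"),
}

# Assumed: only plain-text formats are read in this pass; Office documents and
# PDFs would need a text extractor in front of scan_text().
TEXT_EXTENSIONS = {".txt", ".csv", ".md", ".log", ".json", ".xml", ".html"}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files in a first pass


def scan_text(text):
    """Return {pii_type: count} for every pattern that matches in text."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
    return hits


def scan_tree(root):
    """Walk a directory (e.g. a mounted file share) and inventory PII hits.

    Returns a list of (relative_path, {pii_type: count}) for files with hits.
    Paths use forward slashes regardless of platform. Files are read as UTF-8
    with undecodable bytes ignored so binary junk does not abort the sweep.
    """
    inventory = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            if os.path.splitext(fn)[1].lower() not in TEXT_EXTENSIONS:
                continue
            if os.path.getsize(path) > MAX_BYTES:
                continue
            with open(path, "r", encoding="utf-8", errors="ignore") as f:
                hits = scan_text(f.read())
            if hits:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory.append((rel, hits))
    return inventory


def summarise(inventory):
    """Aggregate per-type totals across the whole share for the audit report."""
    totals = defaultdict(int)
    for _, hits in inventory:
        for name, n in hits.items():
            totals[name] += n
    return dict(totals)


def build_sample_share():
    """Create a constructed sample share so the example runs offline.

    The contents are made up for this example and are not real data.
    """
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "HR"))
    os.makedirs(os.path.join(root, "Minutes"))
    files = {
        "HR/starters.csv": "name,email,nino\nJane Doe,jane.doe@example.com,AB123456C\n",
        "Minutes/2017-11-board.txt": "Attendees: J. Doe (jane.doe@example.com), call 020 7946 0123\n",
        "Minutes/logo.png": "\x89PNG not text",
        "README.md": "Shared drive. No personal data here.\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    inv = scan_tree(share)
    for path, hits in inv:
        print(path, hits)
    print("totals:", summarise(inv))
```

Pointed at a mounted share instead of the sample directory, the output is a list of files and the kinds of identifiers found in each, which is the starting point for the "what do we hold and where" part of the audit; the name on the minutes shows up as an email address and a phone number rather than as a name, which is exactly the limit of pattern-based discovery and why the manual questionnaire is still needed alongside it.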
You may try using data mapping tools when going through with senior execs. They can relate better with icons and symbols. eDiscovery tools work fine with techies like us.
When you are looking at comprehensively identifying data, you will likely need a robust data governance program before addressing GDPR requirements. Not only do we need to look at data as a snapshot, but also on a progressive basis. We are all aware that data changes over time, especially in the era of IoT and big data. ISO 27k and PCI DSS are limited in their perspective as their primary focus is Security.
Not forgetting that GDPR requires us to address both electronic and paper records, an eDiscovery tool is ideal when we need an in-depth review of electronic copies with automation. Once we establish a data management/governance framework, it helps in facilitating the data needs while supporting Privacy or Security in a sustainable manner.