Posted on Dec 21, 2017
Hi. My name is Fouad Khalil. I’m the compliance guy at Security Scorecard. Just last week, I attended Black Hat Europe, and it was in London. I had the pleasure of engaging a lot of other security professionals, compliance practitioners, and the like, and we had great conversations about cybersecurity as well as the latest privacy tidal wave called General Data Protection Regulation.
Of the things I’d like to mention about those conversations, one is that there were a few who were not even aware of that tidal wave hitting their organizations come May 25, 2018. There were some who had heard about it brewing but were not sure what action had been taken internally to get ready or prepare for the compliance deadline. There were some who actually did make some progress, but they had major concerns in terms of budgets and resources available to get them ready for GDPR compliance.
All I can say is, as with any major regulation changes, there are core items that could be easily met by simply applying best practices to your environment.
GDPR is all about privacy, so if you’ve adopted any aspects of ISO27k, if you’ve looked at SSAE 16 certifications, if you have looked at PCI compliance, I can guarantee you that you’re already a third of the way there. New items were added. There were some stringent requirements added. The protected data definition now includes online identifiers like an IP address or cookie information.
There are a lot of things that we need to tackle, but as long as you get a head start, as long as you assign the role of a data protection officer who would own GDPR compliance and make sure that it’s well organized and everybody’s aware of that, as long as you know where your data is and you’re conducting the risk assessments appropriately to make sure that it’s protected throughout the life cycle of data, I think you’ll be in good shape.
Just remember: as an auditor myself, even if you don’t have a control in place but you show that you’ve made enough progress and you’re working towards implementing your effective control, that could satisfy auditors when they come knocking.
But when they come knocking and you don’t have things in place or you were aware of things that should have been done that have never been taken care of, you might be at a different position at that point.
Get ready. Do not delay compliance. Start digging into the data.