How to ensure your firm is GDPR compliant? Start with existing standards
Expert panel advises IT leaders to utilise existing standards such as ISO 27001, then examine guidance from the supervising authorities once released
With the EU's General Data Protection Regulation (GDPR) due to come into force in May 2018, and with guidance on how to comply still thin on the ground, some experts are advising firms to start with existing standards so they have a head start once the remaining compliance details are known.
Speaking at Computing's recent event 'Getting ready for the GDPR', Neil Thacker, deputy CISO at Forcepoint, said his firm focused on the ISO standards.
"If you're storing huge quantities of data, and most organisations doing that are moving their storage to the cloud, you have a requirement to do your due diligence on your suppliers," said Thacker. "We focused on the ISO standards, as they're internationally recognised. There are no specifics around the GDPR [written into the standards], but we are a processor of PI [personally identifiable] data, so we are ISO 27018 certified. And we recently achieved Cloud Security Alliance gold star standard having been assessed. None of these are requirements [under GDPR] but they show how mature we are as an organisation," he added.
University College London demands ISO 27001 certification from its cloud partners, according to Bridget Kenyon, head of security at the organisation.
"We ask for ISO 27001," said Kenyon. "One gotcha is bodies will say they can certify you but they're not actually authorised by the UK to provide that. Also, you have to keep an eye on what the scope is [of the certification]. BT's first press release [on the subject] said they're ISO certified, but it was only one tiny bit of a call centre [which was certified], not the entire organisation. ISO 27001 draws a line around something and says just that bit's certified, so watch out for that. It also shows what security measures organisations have chosen to apply, so it's very useful," she said.
Experts at the event also discussed the issue of how long emails should be kept before being deleted, given that many firms will hold sensitive data in their email databases.
The GDPR will require many firms to recruit a Data Protection Officer; however, a lawyer at the event advised firms that this role shouldn't default to the in-house lawyer, as it requires a broad range of skills, not just legal understanding.