GDPR and its Lack of Precise Standards
Posted by: Brent Gage   |    05/21/2018 08:00 AM    |    Categorized under: Regulation


If you're tasked with marketing, cyber security, legal compliance or IT, and you do business in the EU (or are planning to do so), then you need to think about GDPR.

Pragmatically speaking, there is currently no definitive or complete checklist for GDPR compliance available today. Creating an accurate compliance checklist for GDPR requires that GDPR violations first be comprehensively defined. But when SecurityGate took a deeper look at GDPR for our clients, we realized a surprising truth: there are no precise standards.

In comparison, the National Institute of Standards and Technology defined and published NIST SP 800-171 (see my recent blog post on this subject - link) well before its implementation deadline, and that publication contained very clear explanations of the controls and guidelines for implementing them. Unfortunately, the EU Article 29 Data Protection Working Party, which will become the European Data Protection Board on May 25, 2018, has not matched this level of effort. The EDPB will be responsible not only for providing guidelines for GDPR compliance but also for enforcing the penalties incurred for non-compliance.

In my opinion, the following passage from the Working Party's guidance on Data Protection Officers is an example of the ambiguity in the GDPR compliance standards:

    Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scale processing, though recital 91 provides some guidance. Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations.

We recognize that many businesses don't have the resources necessary to properly formulate a plan. So how is a company supposed to be ready for GDPR? In my opinion, there are basically three options, each with its own pros and cons.

1. Wait for case law to establish precise implementation standards
   Pros: No waste of time or money.
   Cons: You could be fined. A late start could cost you a competitive advantage.

2. Implement only the minimal standards
   Pros: Highly unlikely to waste time or money. Easy transition when a framework is available.
   Cons: You could be fined (but unlikely).

3. Implement every possible control to a maximal standard
   Pros: Highly unlikely to be fined. Easy transition when a framework is available.
   Cons: Highly likely to waste time and money.

Which option is right for your company? It really boils down to personal data protection. So, no matter which option you choose, you need to conduct a security risk assessment focused on the protection of personal data.

We can help. The SecurityGate Platform accelerates security risk assessments by automating the assessment and remediation process when evaluating your company's adherence to compliance standards like GDPR. SecurityGate Platform assessments are 10X faster than the standard method of manual auditing. Our proprietary risk-ranking roadmap can tell companies where they're falling short on cyber security controls and what steps are needed to improve. If you need more guidance in deciding which option to take, our cyber security consultative support professionals are always available to walk our subscribers through the process.
