Update: GDPR and its Lack of Precise Standards


Numerous cases under the GDPR standards are now in process or have already resulted in fines being levied:

Norway: Google was ordered to remove all personal data, including all connected links, related to a convicted murderer in Finland under both GDPR and the country's own personal privacy protection laws (which have since been amended to align with GDPR).

France: Google was fined €50 million for violating GDPR regarding ad targeting and transparency requirements on the Android mobile operating system.

Austria: Eight streaming media services have had complaints filed against them under GDPR (the case is still pending).

We are finally beginning to get a read on the proper implementation of GDPR. I expect that within the next year there will be dozens more. For more on GDPR compliance, contact info@securitygate.io

If you're tasked with marketing, cybersecurity, legal compliance or IT, and you do business in the EU (or are planning to do so), then you need to think about GDPR.

Pragmatically speaking, there is currently no definitive or complete checklist for GDPR compliance. Creating an accurate compliance checklist for GDPR requires that GDPR violations first be comprehensively defined. But when SecurityGate took a deeper look at GDPR for our clients, we realized a surprising truth: there are no precise standards.

In comparison, the National Institute of Standards and Technology defined and published NIST SP 800-171 (see my recent blog post on this subject – link) well before the implementation deadline, and it contained very clear explanations of controls and guidelines for implementation. Unfortunately, the EU Article 29 Data Protection Working Party, which will become the European Data Protection Board (EDPB) on May 25, 2018, has not duplicated this level of effort. The EDPB will be responsible not only for providing guidelines for GDPR compliance but also for enforcing the penalties incurred from non-compliance.

In my opinion, an example of the ambiguity in the GDPR compliance standards follows:

Article 37(1)(b) and (c) requires that the processing of personal data be carried out on a large scale in order for the designation of a DPO to be triggered. The GDPR does not define what constitutes large-scale processing, though recital 91 provides some guidance. Indeed, it is not possible to give a precise number either with regard to the amount of data processed or the number of individuals concerned, which would be applicable in all situations.

We recognize that many businesses don't have the resources necessary to properly formulate a plan. So how is a company supposed to be ready for GDPR? In my opinion, there are basically three options, each with its own pros and cons.

Option 1: Wait for case law to establish precise implementation standards

  • Pros: No waste of time or money
  • Cons: You could be fined, and a late start could cost you a competitive advantage

Option 2: Implement only the minimal standards

  • Pros: Highly unlikely to waste time or money, and an easy transition once a framework is available
  • Cons: You could be fined (but unlikely)

Option 3: Implement every possible control to a maximal standard

  • Pros: Highly unlikely to be fined, and an easy transition once a framework is available
  • Cons: Highly likely to waste time and money

Which option is right for your company? It really boils down to personal data protection. So, no matter which scenario you fall under, you need to conduct a security risk assessment focused on the protection of personal data.

We can help. The SecurityGate Platform accelerates security risk assessments by automating the assessment and remediation process when evaluating your company's adherence to compliance standards like GDPR. SecurityGate Platform assessments are 10X faster than the standard method of manual auditing. Our proprietary risk-ranking roadmap can tell companies where they're falling short on cybersecurity controls and what steps are needed to improve. If you need more guidance in deciding which option to take, our cybersecurity consultative support professionals are always available to walk our subscribers through the process.