Here’s the big question: Is the General Data Protection Regulation (GDPR) a revolutionary regulation that introduces new concepts of security and privacy? The answer — yes and no. The GDPR does introduce new requirements that are specific to the European Union, but it does so while encapsulating them in a somewhat familiar structure. Although some of the requirements get into specifics with data subjects or specific processes, a number of them have an underlying security and privacy framework that can easily be distinguished.
In this post, we are going to explore key overlaps and differences of GDPR compared to other frameworks, including ISO/IEC 27000, NIST, and PCI, and then look at ways organizations can begin to bridge the gaps to achieve alignment with GDPR.
How the GDPR overlaps, and does not overlap, with existing frameworks
The GDPR incorporates requirements into the regulation that should be familiar to most organizations, such as impact assessments, risk assessments, appropriate technical and organizational controls, etc. Most of these are the common building blocks for any security program, and these concepts can be identified in ISO/IEC 27000, NIST, and PCI frameworks, as well as numerous others. The idea of performing risk or impact assessments on a periodic basis and keeping those up to date is nothing new, and the idea of implementing mitigating controls, based on the risks identified in those impact/risk assessments and deemed appropriate by the organization, has been around for years. Within GDPR, these older concepts have been repackaged. As such, organizations with these practices already in place will see some overlap in their current method and the GDPR, as well as similarities in the frameworks and standards utilized by the organization to implement those practices.
Exactly how much overlap is there?
Although some of the impact assessments, risk assessments, and technical and organizational controls may be leveraged by the organization in order to meet GDPR, there will still be a new, large gap to close in order to become compliant. Most organizations hope or expect that the procedures or controls they have in place to meet the ISO/IEC 27001, NIST 800-53, etc. frameworks will also comply with most of the considerations under the GDPR. Unfortunately, this may not be the case for the majority of organizations. Why? Because these frameworks do not incorporate a key concept found in the GDPR — one that originated in Ontario, Canada, but has since been making its way around the globe — the concept of Privacy by Design.
Read More: threatstack.com