Discussions about the EU’s General Data Protection Regulation (GDPR) reached a crescendo on May 25, the compliance deadline, but many companies continue seeking guidance.
The reason: according to estimates from various sources, including Gartner, Crowd Research, IDC, Spiceworks, TrustArc, and Ponemon Institute, a majority of companies missed the deadline, so it’s very likely that millions are still working on GDPR compliance.
Although GDPR has been in effect for months, “it’s clear that many organizations lack such a strategy or the tools needed to effectively protect sensitive data and maintain privacy and protection,” Gartner analyst Deborah Kish said in August.
To help companies still in the process of meeting the regulation’s requirements, the IT GRC Forum recently held a webcast titled “GDPR 101: Monitoring & Maintaining Compliance After the Deadline.” The webcast’s panelists included Qualys expert Tim White, who spoke about the importance of managing vendor risk and leveraging a control framework.
White explained that IT security is a small yet key subset of GDPR. “The need to protect the privacy of the information, to prevent accidental or intentional disclosure, is a critical sub-component,” he said.
It’s also important to know that GDPR offers vague, general requirements for IT security, unlike other industry mandates and regulations that are very specific and prescriptive in this regard, said White, Qualys’ Director of Product Management for Policy Compliance.
“In GDPR, you’ve got to implement a good security program and apply the appropriate technical compensating and procedural controls to do due diligence to protect the information privacy,” he said.
The best way to achieve this is by leveraging a technical control framework, like the Center for Internet Security’s (CIS) Critical Security Controls or the National Institute of Standards and Technology’s (NIST) 800-53 controls.
“It’s really important to make sure you have comprehensive coverage of all aspects of IT security, including vulnerability management, configuration management and patching, as well as all appropriate detection and preventative controls at the network layers,” White said.