Information Security Forum Releases GDPR Implementation Guide
September 2017 by Information Security Forum
The Information Security Forum (ISF) announced the release of the ISF GDPR Implementation Guide, the organizations latest digest which presents best practices for guiding a compliance program ahead of the European Union’s General Data Protection Regulation (GDPR). The GDPR Implementation Guide builds on the recently released ISF digest, Preparing for the General Data Protection Regulation, which summarizes the key requirements of the new legislation and lists the questions an organization needs to address to understand its GDPR readiness.
The GDPR is the biggest upheaval of global privacy law in more than two decades. With enforcement beginning on May 25, 2018, the GDPR represents the culmination of years of effort to modernize data protection. The GDPR applies to personal data relating to European Union (EU) residents regardless of where it is processed. It redefines the scope of EU data protection legislation, forcing organizations on a global scale to comply with its requirements. With potential compliance costs and fines of up to 4% of annual turnover, the GDPR may affect an organization’s corporate risk profile, and it is crucial for organizations to understand this impact as soon as possible.
“The need for organizations to prioritize data protection and information security has never been greater. A well-funded, well-governed and enterprise-wide GDPR compliance program will demonstrate an organization’s commitment to data protection and security,” said Steve Durbin, Managing Director, ISF. “To get the most out of the GDPR Implementation Guide, an organization should consider its current data protection practices and how to improve those practices in line with GDPR requirements. Utilizing the GDPR Implementation Guide, organizations can better prepare, implement, evaluate and enhance their data protection activities.”
The GDPR Implementation Guide presents the ISF Approach for GDPR Compliance (the ISF Approach) in two phases:
• Phase A: PREPARE by discovering personal data, determining compliance status and defining the scope of a GDPR compliance programme.
• Phase B: IMPLEMENT the GDPR requirements to demonstrate sufficient levels of compliance.
The ISF, in collaboration with ISF Members and other experts, has developed a structured method for achieving sufficient levels of compliance with the GDPR requirements. The ISF Approach focuses on key compliance actions that includes guidance required for an implementation plan, which can be embedded in a continuous improvement cycle. It is supplemented with practical actions, insightful tips and reusable templates to accelerate compliance.
“Data protection and legal compliance should not be perceived solely as a burden. The GDPR provides organizations with an opportunity to move programs beyond risk reviews and data analysis to deliver tangible operational change, thereby securing competitive advantage,” continued Durbin. “While every organization should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into tangible business benefit. Leading organizations are structuring GDPR compliance programs to exploit these opportunities and our GDPR Implementation Guide offers a method for doing just that.”
The GDPR Implementation Guide is intended primarily for data protection and privacy practitioners, IT, information risk and security professionals responsible for, or supporting, a GDPR compliance program. Organizations should consider the ISF resources related to this Guide including Preparing for the General Data Protection Regulation – Digest, The Standard of Good Practice for Information Security 2016 and Protecting the Crown Jewels: How to secure mission-critical information assets. Additional information is available now to ISF Member companies via the ISF website.