The Information Security Forum (ISF) has issued its GDPR Implementation Guide, with best practices for guiding a compliance program ahead of the European Union’s General Data Protection Regulation (GDPR).
The GDPR Implementation Guide builds on the recently released ISF digest, Preparing for the General Data Protection Regulation, which summarizes the key requirements of the new legislation and lists the questions an organization needs to address to understand its GDPR readiness.
With enforcement beginning on May 25, 2018, the GDPR represents the culmination of years of effort to modernize data protection. The GDPR applies to personal data relating to European Union (EU) residents regardless of where it is processed. It redefines the scope of EU data protection legislation, forcing organizations on a global scale to comply with its requirements. With potential compliance costs and fines of up to 4% of annual turnover, the GDPR may affect an organization’s corporate risk profile, and it is crucial for organizations to understand this impact as soon as possible.
“The need for organizations to prioritize data protection and information security has never been greater. A well-funded, well-governed and enterprise-wide GDPR compliance program will demonstrate an organization’s commitment to data protection and security,” said Steve Durbin, managing director, ISF. “To get the most out of the GDPR Implementation Guide, an organization should consider its current data protection practices and how to improve those practices in line with GDPR requirements. Utilizing the GDPR Implementation Guide, organizations can better prepare, implement, evaluate and enhance their data protection activities.”
The GDPR Implementation Guide presents the ISF Approach for GDPR Compliance in two phases: First, prepare by discovering personal data, determining compliance status and defining the scope of a GDPR compliance program; and then implement the GDPR requirements to demonstrate sufficient levels of compliance.
“Data protection and legal compliance should not be perceived solely as a burden. The GDPR provides organizations with an opportunity to move programs beyond risk reviews and data analysis to deliver tangible operational change, thereby securing competitive advantage,” continued Durbin. “While every organization should judge the risks and rewards of its own data protection investments, the GDPR offers a unique opportunity to translate necessary compliance actions into tangible business benefit. Leading organizations are structuring GDPR compliance programs to exploit these opportunities and our GDPR Implementation Guide offers a method for doing just that.”