Businesses preparing for the upcoming General Data Protection Regulation (GDPR) need to be aware of four myths, says NTT Security.
The four myths are:

1. ISO27001 is enough to cover GDPR.
Implementation of controls aligned to this certification is a great start, but they are only part of the bigger picture.

2. The same exercise has already been done when planning for PCI DSS.
Any controls implemented for PCI DSS will need to be extended to include Personally Identifiable Information (PII), and even then they cover only part of the GDPR requirements.

3. The organization’s GDPR programme can be handled by the legal or IT team.
GDPR compliance is actually everyone’s responsibility. It should not be left to one team – legal, IT, HR and other business functions must all be involved, with visible support from the executive level.

4. It is not the organization’s problem because all data processing has been outsourced to a third party.
Processors are indeed liable for protecting PII under the GDPR, but the responsibility is still on the data controller to ensure that processors implement ‘technical and organizational measures’ to protect the information.
The stark truth is that businesses are still unsure of the actions needed to ensure full compliance ahead of the 25th May 2018 deadline. Some have proactively implemented programmes, yet found that gaps still exist, leaving them vulnerable to fines of up to €20 million or 4 percent of annual global turnover – whichever is higher.