This is the final part in my GDPR Step-by-Step series, and one that, in my cynicism, I see very few organisations even trying to attempt. I have lost count of the number of companies with whom I have tried to implement a continuous compliance program, only to have them stop once they received their initial ‘certification’. In this respect, GDPR will be no different from something like PCI.
But for GDPR, if you don’t build the necessary knowledge and processes into everyone’s day jobs, your compliance program will falter. While data protection and privacy are everyone’s responsibility, they cannot, and will not, be at the forefront of everyone’s mind as they work through an ordinary day.
There are some who are convinced that you can ‘operationalise’ the entirety of GDPR with ISO 27001. This is, of course, nonsense. However, the concept is perfectly valid in that ISO 27001’s goals are to:
- Systematically examine the organisation’s information security risks, taking account of the threats, vulnerabilities, and impacts;
- Design and implement a comprehensive suite of information security controls and/or other forms of risk treatment;
- Adopt an overarching management process to ensure that the information security controls continue to meet the organisation’s information security needs.