GDPR vs. Existing Frameworks: Overlaps, Differences, and Filling the Gaps

February 14, 2018 Chris Lippert

Here’s the big question: Is the General Data Protection Regulation (GDPR) a revolutionary regulation that introduces new concepts of security and privacy? The answer — yes and no. The GDPR does introduce new requirements that are specific to the European Union, but it does so while encapsulating them in a somewhat familiar structure. Although some of the requirements get into specifics about data subjects or particular processes, a number of them rest on an underlying security and privacy framework that can easily be recognized.

In this post, we are going to explore key overlaps and differences of GDPR compared to other frameworks, including ISO/IEC 27000, NIST, and PCI, and then look at ways organizations can begin to bridge the gaps to achieve alignment with GDPR.

How the GDPR overlaps, and does not overlap, with existing frameworks

The GDPR incorporates requirements that should be familiar to most organizations, such as impact assessments, risk assessments, and appropriate technical and organizational controls. Most of these are the common building blocks of any security program, and the same concepts can be identified in the ISO/IEC 27000, NIST, and PCI frameworks, as well as numerous others. The idea of performing risk or impact assessments periodically and keeping them up to date is nothing new, and the idea of implementing mitigating controls, based on the risks identified in those assessments and deemed appropriate by the organization, has been around for years. Within the GDPR, these older concepts have been repackaged. As such, organizations with these practices already in place will see some overlap between their current methods and the GDPR, as well as similarities with the frameworks and standards they already use to implement those practices.

Exactly how much overlap is there?

Although some of the impact assessments, risk assessments, and technical and organizational controls may be leveraged by the organization in order to meet the GDPR, there will still be a new, large gap to close in order to become compliant. Most organizations hope or expect that the procedures or controls they have in place to meet ISO/IEC 27001, NIST 800-53, and similar frameworks will also satisfy most of the considerations under the GDPR. Unfortunately, this may not be the case for the majority of organizations. Why? Because these frameworks do not incorporate a key concept found in the GDPR — one that originated in Ontario, Canada, but has since been making its way around the globe — the concept of Privacy by Design.

Read More:  threatstack.com

About the Author

Chris Lippert

Chris Lippert is a Senior Associate at Schellman and is based in Atlanta, GA. With more than 5 years of experience in information assurance, Chris has a concentration in SOC and privacy engagements. He is a member of the International Association of Privacy Professionals (IAPP) and advocates for privacy by design and the adequate protection of personal data in today’s business world.
