Are you worried about the European Union’s General Data Protection Regulation? Are you subject to it? Are you uncertain whether you are subject to it? Have you undergone other compliance initiatives like SOC 2 and ISO 27000 certification and are wondering whether those apply?
Here’s a primer.
How to know whether you are subject to GDPR
GDPR takes effect on May 25, 2018. It is largely a data privacy exercise for citizens and residents of EU member countries. The primary goal of the legislation is to ensure the privacy of end-user data and to establish a lifecycle for it. The legislation gives individuals the “right to erasure”: upon request, their data can be deleted by data processors and controllers.
If you know about Service Organization Control (SOC) audits and ISO 27000-series certification, you are probably noticing that GDPR heads down a different path.
The SOC 2 product is designed to be a customizable assessment of a service organization – very often a cloud service company – that is controls- and governance-oriented. SOC 2 has five Trust Service Principles (TSPs), four of which can optionally be scoped in. The principles are Security (mandatory), Processing Integrity, Availability, Confidentiality, and Privacy. The Privacy TSP comes closest to the goals of GDPR and examines concepts like Choice and Consent, Collection, Access Controls, Disclosure and Notification, and Data Quality.
The ISO 27000 series is an information security management system standard. Organizations that implement the ISO controls can choose to undergo certification by a certifying body. The 27001 standard does not include privacy-specific controls, but rather looks more broadly at data classification systems.
If you are a Massachusetts business or retain the data of Massachusetts residents, you should be aware of 201 CMR 17.00, the Standards for the Protection of Information of Residents of the Commonwealth, more colloquially known as the Mass Data Privacy Law. This law, effective in 2010, establishes a requirement to protect the personally identifiable information of Massachusetts residents, including appropriate policies, procedures, and technical controls.
Going back to GDPR – if you are wondering how far undergoing SOC 2 audits, being ISO 27001 certified, and being compliant with 201 CMR 17.00 gets you, we have prepared this mapping document.
If you are struggling with your compliance needs, please contact us. We have a deep bench of experienced and credentialed professionals who can help you with your SOC 2, ISO 27000-series, MA 201 CMR 17.00, and GDPR needs.