3 contributions of rating to compliance with GDPR
Compliance with the new General Data Protection Regulation (GDPR) is a hot topic across many areas of society, affecting both the obligations of companies and the rights of citizens, and it comes with a sanctioning regime that has set off all the alarms.
Our perspective is somewhat different from the one we usually find: our aim is to contribute to efficient compliance with the regulation (in the areas that concern us). Until now, under the Spanish LOPD, we were used to being told which security measures to apply according to the type of information handled. The new regulation introduces the principle of accountability, one of its main novelties. This principle obliges controllers to apply "appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this regulation" (Article 24 GDPR).
However, the regulation does not specify which measures must be adopted; it leaves their selection, and the way their implementation is demonstrated, to the controller. These "appropriate measures" had better be well chosen, since otherwise the aforementioned sanctioning regime can be quite burdensome.
Organizations are therefore advised to apply a methodology that supports this part of the adaptation process and allows them to act with due diligence. This is where our first contribution appears: through our methodology and rating system, we give controllers valuable help in applying security by design and by default, offering them a flexible control framework based on best practices and international standards and organized into several protection levels, which allows them to select the appropriate measures according to the type of data.
Second, our cybersecurity rating and seal make it possible to demonstrate that the corresponding measures have actually been implemented, since they show that the measures have been audited and verified by an independent professional entity.
Finally, the LEET Security seal is an effective and efficient mechanism for supervising processors. From the processors' point of view, the rating seal lets them demonstrate that they apply security measures guaranteeing data protection at the level required by the controller, while adding confidence in the service.
With this post we begin a short series of publications in which we will develop these three ways in which the rating helps organizations comply with the regulation more efficiently.
You can follow us on twitter.com/leet_security