GDPR (4): The duty to demonstrate compliance

How do you prove it?

The mandatory application of the new General Data Protection Regulation is very close to taking effect, and with this post we complete the short series we have dedicated to how LEET Security helps organizations that process personal data, whether as controllers or as processors, achieve efficient compliance: they must both implement adequate security measures and be able to demonstrate that they have done so.

One of the many novelties of the GDPR, as we mentioned in a previous post, is the "accountability principle". Under this principle the controller is obliged to apply due diligence in the business processes in which personal data are involved and, in particular, to implement by design a level of security appropriate to the risk. In addition, the principle requires the controller and the processor to be able to prove that the appropriate security measures are actually being applied.

If we look carefully at the text of the Regulation, the duty to demonstrate appears several times throughout the recitals and articles, in different contexts. Some examples:

•    The controller shall be responsible for, and be able to demonstrate, compliance with the Regulation (Art. 5.2 and 24.1).
•    It is for the controller to demonstrate that a personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (Recital 85).
•    The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations laid down for it, including the security measures applied (Art. 28.3).
•    The controller's adherence to an approved code of conduct or to an approved certification mechanism, including data protection seals and marks, may be used as an element by which to demonstrate compliance with the GDPR (Art. 24.3, 28.5, 32.3, 42.1 and 42.2).

In any field, the traditional way to prove something is usually an audit, whether financial, legal, environmental, energy or otherwise. At LEET Security we build on this audit approach by proving security to third parties through an independent rating and our accreditation seal.

LEET Security's cybersecurity rating is more than a security audit. It is based on the evaluation of a superset of security controls drawn from the most recognized standards in the sector (the ISO/IEC 27000 series, NIST SP 800-53, PCI DSS, ENS, TIA-942, etc.), but in addition it states the security level actually implemented in the rated service. In this way it makes it possible to prove the effective application of the security measures that correspond to the assigned level.

Whereas other standards such as ISO 27001 assess and certify the implementation of an information security management system, the rating addresses and evaluates the technical and organizational measures applied to specific services or business processes. This makes it an excellent tool for controllers and processors that need to demonstrate that their processing is carried out in accordance with the Regulation. As with any certification or seal under the GDPR, the rating is an element by which compliance is demonstrated; it does not replace the controller's own responsibility for compliance.

The guarantee that a specific cybersecurity level is applied adds value for suppliers and generates confidence in the services they provide, and consequently a greater degree of comfort for their clients and third parties, since it is proof that due diligence has been applied both in providing services and in contracting them.

Demand it as a user! Accredit it as a service provider!

All you need is LEET
