The push for GDPR compliance has generated a lot of good questions. Is there a certification that organizations can get to demonstrate their compliance with GDPR? If not, how is my business supposed to show that we are compliant when people ask us? The bottom line is that there is no GDPR certification. At least not a single, sanctioned offering that you must have. Many companies out there offer services to help you align your security program with the requirements set forth in the General Data Protection Regulation (GDPR), but any company that states it will “certify” you should be a cause for concern.
Why isn’t there a GDPR certification?
The EU took a broad approach with regards to the GDPR, mainly because they want the new regulation to stand the test of time. Keep in mind that the GDPR was meant to replace a similar data protection directive from 1995. This means that they are expecting this new regulation to last for more than 20 years.
As such, the GDPR is very different from some of the other typical industry regulations. For example, the Payment Card Industry (PCI) has a specific set of requirements that requires trained and certified Qualified Security Assessors (QSAs) to evaluate a company’s security program as it relates to the security of payment card data. So while PCI says you must have passwords that are at least 7 characters in length, and a third party can come in and validate that you meet that requirement, the GDPR doesn’t go anywhere near those types of specific controls. The GDPR never mentions passwords or password requirements, instead simply saying that companies must meet a “reasonable level of security.”
Because of this, it is better if you think of GDPR as a giant privacy due diligence clause. The GDPR is the EU’s way of saying that you’d better be careful about how you are collecting and protecting their citizens’ privacy information. And on top of that, if we find out you aren’t doing it well, we can take action. Combined with the fact that they have not offered an official GDPR certification, the intent is that you are able to show you’re considering security best practices in your organization. It’s also a good idea to keep evidence and documentation of your security efforts in this realm, in case a client or the European Parliament ever has a reason to ask you what you’re doing to protect this information and you need to prove that you’ve done your due diligence when compared with others in the industry.
How does Triaxiom Security handle GDPR?
As stated, there are no specific requirements or controls associated with GDPR, nor is there an official GDPR certification. Rather, you need to demonstrate you are providing a reasonable level of security. To do this, it only makes sense to use an internationally recognized standard of security controls. Therefore, Triaxiom uses the Center for Internet Security’s (CIS) Top 20 Critical Security Controls. These are the top 20 security controls that the CIS recommends to protect the confidentiality, integrity, and availability of data. By using these controls, should you find yourself having to justify your security program, you can point back to an industry recognized standard that you were assessed against by an independent third-party.
In addition to a gap analysis against an industry accepted standard, Triaxiom recommends that companies perform annual penetration tests. A penetration test is the best way to evaluate the realistic risk to your network and the privacy data contained within because it is designed to emulate real world attacks. It is no wonder that regular penetration tests are required by every major compliance regulation and are one of the top 20 critical security controls emphasized by the CIS.
Be Wary Of…
As a final word of caution, be wary of companies that say they will give you some kind of GDPR certification. Since there is no sanctioned certification or certifying body, this won’t be worth any more than the paper it is printed on. Additionally, it might be an indication that the salesperson or company you’re talking to doesn’t fully understand the GDPR, and perhaps isn’t the best fit to help with your compliance efforts. Also, be wary of firms that will audit and assess your environment without using a widely recognized standard. Hopefully it will not happen, but should you ever have to justify your organization’s security posture to the European Parliament following a data breach, it would be preferable to lean on best practice standards that are internationally understood and accepted.