Technical Update – General Data Protection Regulation (GDPR): The Standard Is Missing

Posted by Chris Scott

Validation of what The Bunker believes!
There have been a huge number of column inches (both paper and digital) dedicated to the subject of GDPR and the changes this will enforce in the way organisations need to think and behave when they are the controllers of Personally Identifiable Information (PII).

By way of a personal perspective, during a conversation with Dr Richard Sykes the chairperson of the Cloud Industry Forum, we agreed the arrival of GDPR is a defining moment in the way businesses need to think about data protection.

For our business this was a fantastic opportunity because it provided validation of what The Bunker believes and stands for; essentially, the culture we have in our organisation is perfectly aligned with the demands of GDPR because it provides the Auditable Assurance that all organisations will need to demonstrate when controlling or processing PII.

But what about TOMs?
But (and it’s a rather large flashing neon sign BUT) how will organisations know if what they have put in place will be deemed as ‘appropriate’ Technical and Organisational Measures (TOMs) to comply with the terms of GDPR when scrutinised in a court of law?

Firstly, the wording of the regulation clearly indicates that at some time in the future someone (though we’re not quite sure who yet) will create a standard that helps organisations understand the requirement in the context of TOMs. It would be ideal if this defined what needs to be done to demonstrate compliance with the standard and provided supporting accreditation.

Policy makers and lawyers
This however raises the question of who will actually create this standard. It can’t just be left to policy makers and lawyers. This needs insight into the ‘real world’ of information security practice. It also needs to drive a consistent set of behaviours and promote the culture change that is needed inside organisations to achieve proper security for the right reasons, not just the fear factor.

If we allow policy makers and lawyers to dictate the terms, then as information security professionals, we have missed a once in a lifetime opportunity to evangelise the positive benefits of taking the right approach to security.
ISO 27001 as a business management system
Secondly, our business is already built this way, which is why I use the word opportunity. We run our business in a fundamentally different way from most organisations I have worked for or been involved with. We use the international security standard ISO 27001 not just as an Information Security Management System but as our Business Management System.

Everything we do, all our processes and, most importantly, our culture are built around this approach. Add to that the technical standards we hold for specific compliance regimes: full compliance with all 12 PCI-DSS points to host and manage customers’ systems for processing, storing or transmitting credit card information; IGSoC for the healthcare industry; and the compliance required to host government classified information. All of this means we are already supporting organisations in the way that others now require. The Auditable Assurance that we provide to our more than 200 customers is now a requirement for anyone who deals with PII.

On behalf of our clients, a significant proportion of whom are in the financial technology space, we are regularly audited by practically every large financial services organisation. We are used to working with auditors and ‘speak their language’. This is a huge benefit to our customers, as they get ‘rubber stamped’ compliance and audit, providing solid reassurance to their end customers. It’s an essential step in ensuring they succeed as commercial entities.

Developing a GDPR standard
With or without a ‘GDPR Standard’, I am confident that by applying the knowledge, expertise, processes and culture we have created over the past 12 years, The Bunker genuinely helps customers old and new to comply with the terms of the regulation. And if anyone is listening, we are more than prepared to roll up our sleeves, help get on with the creation of the standard and provide some ‘real world’ knowledge of how to do it correctly.

Information security excellence with The Bunker

The Bunker is a leading centre of information security excellence. To find out more about why we’re more secure than any comparable UK managed PCI services business, speak with one of our PCI experts today on 01304 814800.

To find out more, read the article ‘What does shake-up of EU data laws really mean?’ at bbc.co.uk

See also the Bird and Bird LLP guide to the General Data Protection Regulation