GDPR and NIST Cybersecurity Compliance
By now, most companies know about GDPR and its directives on handling personal data — from email addresses to personnel data. But the connection between NIST cybersecurity compliance and GDPR compliance is far less obvious.
The NIST Hack to GDPR Compliance
Let’s start at the beginning: GDPR stands for General Data Protection Regulation, which is a European regulation requiring “data protection and privacy for all individuals within the European Union and the European Economic Area.” Compliance with this regulation applies to any company that markets goods or services to European residents, regardless of where the company is located. The compliance deadline was May of 2018 (remember the flurry of opt-in emails), but like any regulation, it’s better to pursue and achieve compliance late than never.
WHY IS GDPR IMPORTANT?
The GDPR replaces its predecessor, the outdated Data Protection Directive, which allowed each of the 28 European Union members to customize the law to the needs of its citizens. The Directive was missing a key component, making it irrelevant in today’s digital age: it failed to address how data is stored, collected, and transferred digitally.
GDPR addresses data protection in the digital age. It requires that any personal data exported outside the EU be protected and regulated. For example, when Amazon sells goods to someone in the EU, it is required to comply with GDPR because of the European data involved, even though Amazon is based in the US.
WHAT IS NIST SP 800-171?
NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” applies to all Department of Defense (DoD) contractors, subcontractors, and suppliers that process, store or transmit Controlled Unclassified Information (CUI). This framework details how information systems, processes and procedures are required to be set up and maintained in order to protect CUI.
Other NIST documents, including NIST SP 800-53A and NIST SP 800-37, will also help you build the foundation for your privacy program.
HOW CAN NIST COMPLIANCE HELP ME WITH GDPR COMPLIANCE?
Any business that is part of the DoD supply chain is required to comply with NIST SP 800-171; some of them will also need to comply with GDPR. As it happens, many of the security controls required by NIST also meet GDPR standards. For example, some of the basic confidentiality requirements of NIST SP 800-171 overlap with those of GDPR.
Solutions like the NeQter Compliance Engine will put you in compliance with NIST SP 800-171 — and support many GDPR requirements. For example, one GDPR requirement is to notify authorities about a data breach. The NeQter Compliance Engine makes it easy to prevent and identify breaches by monitoring all activity on your network and scanning for vulnerabilities.
Using an existing solution to achieve NIST compliance may reduce some of the burden of meeting GDPR requirements. By addressing NIST requirements, including confidentiality, a System Security Plan, network and inventory monitoring, log collection and retention, and Security Information and Event Management, a business will be in a better position to address and meet GDPR-related requirements.
Although NIST compliance does not amount to full GDPR compliance, it is a great place to start.
At the end of the day, companies need to take action to protect their data. Speak with a NIST expert at NeQter Labs today to discuss your security needs and potential solutions.