GDPR 8 – Security

Today’s guest post is from Tony Bridger, an experienced provider of Procurement Consulting and Spend Analysis services across the Commonwealth (as well as a Lean Six Sigma Black Belt) who has been delivering value across continents for two decades. He is currently President of UK-based TrainingWorx Ltd, a provider of a wide range of Procurement and Analytic business training programs (inc. GDPR, spend analysis, project management, process improvement, etc.) and focussed short-term consulting solutions. Tony can be contacted at

One of the key changes in the GDPR is around the clauses and legal framework that surrounds the processing of personal data.

We will cover this in some detail in the next post (although we did hint at this one!). However, please bear with us as we also have to address cyber security to complete the background for displaying the processing requirements. Security will be a key component of the overall legal framework.

One of the key requirements in processing data is the cyber security that surrounds managing this type of information. The UK Supervisory Authority, the ICO (Information Commissioners Office) issues a wide ranging, practical advice for companies on their website. Given that many procurement analytics providers are now mature IT companies, many will have little to do cyber security wise. Many companies (including high volume email suppliers) have certified to the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework. This is an excellent start as we have mentioned previously. The cost of doing this is comparatively small – and we understand that many small US companies have managed to achieve this – around 3000 software enterprises.

On a broader security level, the ICO recommends that companies implement at least the ten steps to Cyber Security model. This can be found on their website. For much smaller UK based data companies, they can achieve Cyber Security Essentials plus certification. This is around $400 USD.

However, it is highly likely that many web analytics provider security arrangements are already in place and exceed the basics. Logically, it may be worth pursuing ISO 27001 accreditation or higher. Like most certification, it can become an expensive and a time-consuming exercise. Many large suppliers may already have CCMv3 (Cloud Controls Matrix), NIST CSF (National Institute of Standards and Technology Cyber Security Framework) or PAS 555.

Is it really worth it? If we had a crystal ball, companies both within and outside of the European arena will come under increasing pressure to prove these controls are in place – and standards are likely to become a key selling point for winning European business. To that end – it is going to be part of the cost of doing business. The alternative is a breach and investigation. Cyber criminals have all the key attack elements in their favour – a confirmed breach could become a costly and damaging PR disaster.

Once vendors combine cyber controls and certification with the extensive legal requirements, it is likely to become a major differentiation point between suppliers. Question is … are vendors ready?