The General Data Protection Regulation (GDPR) will come into force in less than a year, and organisations need to prepare for its introduction and be able to demonstrate compliance. This will require resources and an appropriate budget.
Organisations that already have a sound underpinning security management system, supported by industry standards such as ISO27001, ISO20000 and ISO22301, have a good basis for GDPR compliance, and their spend will be lower. They may need to improve their data mapping and classification and the associated governance around the processing of personal data, and make small adjustments to their security incident processes to include the new requirements for personal data breach notification, but their existing risk assessment and risk treatment processes and underlying IT platform should accommodate the new requirements. Compliance with a standard demonstrates to the relevant security authority both the organisation's operational processes and its board-level commitment in these areas. It also supports the audit requirements that exist between data controllers and data processors.
However, organisations with no alignment to an industry standard have to build these processes and procedures from scratch. On its own this creates no business advantage (or differentiation); it simply enables them to avoid the heavy fines and reputational damage they would face if found to be non-compliant once GDPR comes into force. It therefore makes sense for them to implement GDPR in a way that bridges towards these standards. As well as enabling them to become compliant, this gives them new business differentiators and potentially opens up new markets where these standards are mandatory.
GDPR does not meet the full requirements of industry standards such as ISO27001 (and the standard does not cover all the needs of GDPR). However, at little extra cost GDPR can be implemented in a way that aligns with industry standards and provides a good base for achieving certification in the future, should the business require it for its market development and growth.