CISO Thom Langford's Top Tips for GDPR ComplianceStart With ISO 27001 and a Solid Information Security Management System
Three years ago, communications giant Publicis Groupe launched its EU General Data Protection Regulation compliance project.
Thom Langford, the company's CISO, says the effort was greatly streamlined by the effort the organization had already put into building out its information security management system and complying with ISO 27001 - the Information Security Management Standard.
"We work in so many different industries, from healthcare to automotive to pure media or government, etc., that actually having that single standard that we adhere to, and then [we] just have to do a little bit of extra work or tweaking to meet whatever bizarre or obscure requirement is required for that particular industry helps immensely," Langford says. "We're not starting from the ground up every single time."
With GDPR, there's still other work that has to be done, including privacy impact assessments and audits. But thanks to adhering with ISO 27001, whenever dealing with a new regulation and the compliance that may be required, "we're already way, way along that journey," Langford says.
"It was more a case of honing and polishing, rather than building from the ground up," he adds.
In a video interview at the 2018 Infosecurity Europe conference in London, Langford discusses:
- Using ISO 27001 as a baseline for complying with all regulations that have IT, information security or privacy implications;
- Why complying with regulations - or maintaining ISO 27001 compliance - is an ongoing process;
- The nuances of GDPR.
As CISO of Publicis Groupe, Langford is responsible for all aspects of information security risk and compliance as well as managing the group information security program. He's also responsible for business continuity capabilities across global operations. An international public speaker and security blogger, Langford contributes to a number of industry blogs and publications. He is also the founder of Host Unknown, a loose collective of three infosec luminaries that makes security education and infotainment films.