GDPR: Easing the burden

By BSIMM Editorial Team posted 12-16-2020 10:45:15 AM


Complex, nuanced, multifaceted … those are a few of the many words that can be used to describe the General Data Protection Regulation (GDPR) and its implications. If you’re based in the EU or your business activities rub elbows with the EU in any way, you understand the broad demands of GDPR compliance. Of particular difficulty is the intricacy involved in international business activities—that is, data-sharing involving an EU organization or individual and an entity outside of the EU. If a company wants to have or preserve a meaningful presence in the EU, it must abide by the GDPR while also maintaining its own industry-specific regulations.

Although the Building Security In Maturity Model (BSIMM) report can’t provide authoritative guidance for tackling such a broad set of requirements, BSIMM data has pointed toward specific activities that indicate masterful handling of GDPR requirements. To understand what these activities are and how to employ them, let’s first look at the key aspect of GDPR that poses the greatest security and compliance challenges.

The challenge: Double trouble

A critical challenge of GDPR is its doubled regulatory requirements. An organization falling within GDPR jurisdiction is responsible for both its industry-specific regulations and the regulations of GDPR itself. Further compounding this difficulty is the introduction of any international dealings. In some ways, operating outside of the EU, or doing business with the EU from outside of it, poses the greatest regulatory challenge: An organization must take into consideration a complete set of different regulations that must be addressed in conjunction with existing regulations.

How then can an organization implement a robust software security initiative (SSI) policy and approach to compliance when there’s no one-size-fits-all solution for addressing compliance demands?

The solution: Identification and prioritization

The simplest answer to this question involves streamlining and synthesizing regulations. BSIMM members will recognize that this calls two noted BSIMM activities into play: CP1.1 Unify Regulatory Pressures and CP1.2 Identify PII Obligations.

CP1.1 Unify Regulatory Pressures

When a business or its customers are subject to GDPR regulatory and compliance demands, the software security group (SSG) should act as the driver in understanding and identifying constraints. Identifying all requirements should be paramount; collaboration efforts should hinge upon creating a unified approach to regulations. Redundancies, conflicts, or any overlaps that exist between the aforementioned industry-specific and general GDPR regulations should be resolved. Efforts should be focused on creating a tactical approach to regulations. The ultimate goal of this unifying effort is to promote clarity and efficiency. BSIMM11 reads, “A unified set of software security guidance for meeting regulatory pressures ensures that compliance work is completed as efficiently as possible.”

CP1.2 Identify PII Obligations

The SSG should also prioritize its critical role of identifying and describing personally identifiable information (PII) obligations. This identification should lead to the creation of internal best practices related to privacy. In light of ever-evolving consumer privacy expectations, and in tandem with the proliferation of “software in everything,” PII obligations command increasing attention. As with regulatory requirements, PII obligations should be identified, simplified, and condensed into tactical and meticulous policy and procedure. The identification of all obligations up front aids in creating a robust and smooth security and privacy policy free from ambiguity and error.

Prioritization is your friend

Given the broad scope of information and data involved in GDPR compliance efforts, prioritization should play a key role in your SSI activities. Identifying not only all compliance and regulatory requirements, but also those most critical to compliance, is key. PII, for example, should be high on the list. Prioritization aids in aligning SSG activities with the associated importance of compliance demands. Thoroughly identifying obligations and streamlining compliance requirements simplifies your SSG's GDPR compliance practices.

Consider creating a regulatory compliance board

The BSIMM measures whether companies are taking effective approaches to compliance. Several approaches are noted, but the most prevalent is the creation of a regulatory compliance board. This board is responsible for reviewing regulatory requirements and adapting them for internal use as policy, standards, and requirements. By creating a subcommittee that works with your SSG, compliance becomes more of a priority, and it can be addressed consistently.


GDPR’s complexity makes it difficult to produce a recipe for a concise compliance procedure. As with the BSIMM itself, where approaches to security differ by industry and organization, so too do compliance practices differ. The themes presented here, however, can be applied across industries and regulatory demands. Identifying your obligations, removing redundancies and conflicts, and promoting a streamlined compliance culture and policy are your best bet for minimizing GDPR burdens.

Given that every organization is different, we would love to hear how you tackled your own GDPR challenges. What practices were most successful? What is your biggest recommendation?