“Whenever there is no clear guidance under the GDPR on how to obtain certain security objectives, it certainly seems wiser and more rational to use existing solutions provided by NIST publications than to wait until more EU guidelines would be available. Later you could further build on what you already have, rather than start from scratch,” writes Piotr Foitzik, Senior Manager, Privacy and Data Protection Office, HCL Technologies.
Piotr advocates using NIST standards to comply with your GDPR Art 32 ‘adequate technological and organizational measures’ obligation and in building out your privacy and information security program. This is equally applicable to the CCPA requirements for adopting ‘reasonable measures’ protect personal information you collect.
Read the full text of Piotr’s article in the IAPP’s Privacy Advisor.