ISO 27001: Why it is the Best Way to Take on the GDPR

In April 2016, the European Union (EU) Parliament adopted the General Data Protection Regulation (GDPR) to replace the now defunct Data Protection Directive 95/46/EC.

The GDPR was put in place to bolster and consolidate data protection in the EU. It applies not only to companies located within the EU, but also to those outside its territory that engage with EU data subjects. It will apply to you if part of your business involves processing or storing data on individuals in the context of marketing goods and services in the EU.

Unlike the previous directive, the GDPR will apply directly in European states without the need for enabling legislation within their national borders. Although the GDPR does not take effect until the 2-year transition period ends on May 25, 2018, it makes sense to prepare for it now, and as an internationally recognized and widely implemented framework for information security, ISO 27001 might be the best way to take on the GDPR.

A Quick Recap of Notable GDPR Features

Before going into the points of convergence between your ISO 27001 certification and the EU GDPR, what are some of the notable features of the GDPR?

First, both data controllers, those who decide on the purposes for which personal data are processed, and data processors, those who handle this data on their behalf, are subject to the GDPR. They will have to put in place organizational measures and procedures to ensure they achieve an adequate level of information security, and regularly verify that these measures are effective.

Second, the collection and retention of customer data, as well as the number of parties with which this data is shared, must be minimized under the GDPR. Data processing will also require obtaining consent from customers. Your organization should ideally collect or retain only the data needed for a particular purpose, especially when this involves personal information.

Third, the GDPR builds on the previous Directive by giving personal data subjects the right to be forgotten: they may have their data, including data published on the web, deleted upon request. Your business will be obligated to remove such personal information without undue delay.

Fourth, any personal data breach must be reported by your company to the Data Protection Authority (DPA) within 72 hours of the violation being detected. The DPA is the agency tasked with monitoring the implementation of data protection regulation under the GDPR. Affected individuals will also have to be notified, depending on the likelihood of unauthorized access to their personal data.

Fifth, if your company processes special types of personal information on a massive scale, you will be obligated to appoint a Data Protection Officer as a member of your board.

Finally, any violation of the GDPR will be met with stiff penalties that can reach as high as €20 million or 4 percent of a company's annual turnover.

Points of Convergence Between ISO 27001 and GDPR

Now that we have had a quick rundown of the main aspects of the GDPR, what are some of the areas where your ISO 27001 certification can help facilitate compliance with it?

Regarding compliance, ISO 27001 control A.18.1.1 mandates that all relevant statutory, legislative, contractual, and regulatory requirements be identified and listed. Under this control, the GDPR becomes one of the requirements your company has to identify and demonstrate compliance with.

The risk assessment requirements of ISO 27001 also converge with the GDPR, which mandates a Data Protection Impact Assessment. This new requirement directs your company to begin with an evaluation of privacy risks. Ultimately, this is of high importance given the steep penalties and grave financial impact should a risk involving personal data materialize.

The asset management requirements of ISO 27001 under control A.8 also align with those of the GDPR. These requirements treat personal data as a valuable information security asset. Your company must define which personal data are involved in your operations, where they originate, where they are stored, for how long, and who will have access to them.

Supplier relationships under ISO 27001 also tally with the GDPR mandate for formal agreements when your business delegates personal data processing and storage to an external provider. ISO 27001 control A.15.1, on information security in supplier relationships, directs you to secure your assets that may be accessible to your suppliers.

Privacy by design is another GDPR requirement for product and systems development. It matches ISO 27001 control A.14 on system acquisition, development, and maintenance, which requires that data security be an integral component of information systems throughout their lifecycle.

Lastly, the breach handling requirements under ISO 27001 control A.16.1, which call for an efficient and consistent approach to dealing with information security incidents, fit well with the GDPR requirement for companies to notify authorities within 72 hours of discovering a personal data breach. Applying ISO 27001 incident management methods will greatly benefit companies looking to comply with the GDPR.

ISO 27001 Offers the Best Starting Point Towards Full GDPR Compliance

As a bonus, the advantages provided by ISO 27001 regarding structured documentation, technical controls, continuous improvement, and monitoring also come with the promotion of a culture of greater security awareness among your organization's members.

However, it is also true that not all GDPR requirements are addressed by ISO 27001. You will need to assess and analyze what further steps are necessary to fulfill the GDPR's requirements; these can then be incorporated into the ISO 27001 information security management system.

But while it may not directly cover every GDPR requirement, ISO 27001's recognition of personal data as a security asset means it can cover most of them. In other words, an ISO 27001 certification remains one of the best frameworks for complying with the GDPR.

True enough, if your company is already ISO 27001 certified, you are in an excellent position to achieve full observance of the GDPR, making ISO 27001 the best starting point for taking on the GDPR.