GDPR & ISO 27001 Compliance
The General Data Protection Regulation (GDPR) and ISO 27001 fit like hand and glove. As the only auditable international standard that defines the requirements of an Information Security Management System (ISMS), the GDPR encourages the use of this standard.
How ISO 27001 works
ISO 27001 describes best practice for an ISMS: a systematic approach consisting of people, processes and technology that helps you protect and manage all your organisation’s information through effective risk management.
An ISMS aligned to ISO 27001 brings about many organisational benefits, such as:
- The ability to provide convincing evidence that the necessary measures have been taken to comply with the data security requirements of the GDPR;
- The protection of all corporate information and intellectual property – not just personal data;
- The ability to reduce, monitor and review risks, as well as keep up with constantly evolving data security threats; and
- A culture of awareness surrounding information security.
What is GDPR?
The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU. The regulation was put into effect on May 25, 2018. The GDPR will levy harsh fines against those who violate its privacy and security standards, with penalties reaching into the tens of millions of euros.
With the GDPR, Europe is signaling its firm stance on data privacy and security at a time when more people are entrusting their personal data with cloud services and breaches are a daily occurrence. The regulation itself is large, far-reaching, and fairly light on specifics, making GDPR compliance a daunting prospect, particularly for small and medium-sized enterprises (SMEs).
Is ISO 27001:2013 Enough?
While there are some areas covered under the GDPR that are not controlled under the ISO 27001 standard, such as the right of a data subject to have his or her data moved or deleted, the standard covers most of the requirements of the new law by virtue of the fact that private data is recognized as an information security asset under ISO 27001. As such, the standard and the new regulation share like-minded views on data security.
ISO 27001 has a broader scope than GDPR in that it applies to a company’s critical data as well as to personal data. The ISO standard can be used to protect personal data as well as other information. GDPR also covers several areas that ISO 27001 doesn’t, such as the right to be forgotten, data portability and the right to be informed about your personal data.
ISO 27001 doesn’t explicitly address these rights, but an ISMS can support you in meeting these requirements. Because ISO 27001 doesn’t specifically include these rights, being certified to it doesn’t necessarily ensure that you’re also GDPR-compliant. It will, however, certainly support your GDPR compliance goals and bring you closer to reaching them.
Because the two standards have some differences in what they cover, all ISO 27001-certified companies impacted by GDPR should conduct a gap analysis. This assessment, which Afinterio Experts can perform, will provide you with information about where you are now and what you need to change to comply with GDPR. It identifies the gaps between your current systems and the ones you want to follow.
