Carla Bouca Lately, I’ve been asked questions like: “If ISO 27001 is implemented in my organization, will it fully comply with European General Data Protection Regulation (EU GDPR) requirements?” and “Our company is ISO 27001 certified. Are we already compliant with EU GDPR?”
The new regulation introduces a set of rules that require organizations to implement controls to protect personal data. Implementation of ISO 27001 will help organizations respond to this requirement.
Does my organization need to be EU GDPR compliant?
As I wrote in my last article: What is the EU GDPR and why is it applicable to the whole world?, there are two types of responsibilities regarding the protection of personal data – data “controllers” and data “processors.”
Specifically, any business that determines the purposes and means of processing personal data is considered a “controller.” Any business that processes personal data on behalf of the controller is considered a “processor.”
So, the organizations that need to be EU GDPR compliant are companies (controllers and processors) whether established in the EU or not, offering goods or services within the EU or to EU individuals.
How are EU GDPR and ISO 27001 related?
ISO 27001 is a framework for information protection. According to GDPR, personal data is critical information that all organizations need to protect. Of course, there are some EU GDPR requirements that are not directly covered in ISO 27001, such as supporting the rights of personal data subjects: the right to be informed, the right to have their data deleted, and data portability. But, if the implementation of ISO 27001 identifies personal data as an information security asset, most of the EU GDPR requirements will be covered.
ISO 27001 provides the means to ensure this protection. There are many points where the ISO 27001 standard can help companies achieve compliance with this regulation. Here are just a few of the most relevant ones:
- Risk Assessment – Because of the high fines defined in EU GDPR and the major financial impact on organizations, it is only natural that the risk found during risk assessment regarding personal data is too high not to be dealt with. On the other side, one of the new requirements of the EU GDPR is the implementation of Data Protection Impact Assessments, where companies will have to first analyze the risks to their privacy, the same as is required by ISO 27001. Of course, while implementing ISO 27001, personal data must be classified as high criticality, but according to the control A.8.2.1 (Classification of information): “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.” (Read the article ISO 27001 risk assessment & treatment – 6 basic steps to learn more.)
- Compliance – By implementing ISO 27001, because of control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with EU GDPR (see section above), this regulation will have to be part of this list. In any case, even if the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) of ISO 27001 guides organizations through the implementation of a data policy and protection of personally identifiable Information.
- Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 control A.16.1 (Management of information security incidents and improvements) will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” According to EU GDPR, data subjects (“The Data Subject is a living individual to whom personal data relates.”) will also have to be notified, but only if the data poses a “high risk to data subject’s rights and freedom.” The implementation of incident management, which results in detection and reporting of personal data incidents, will bring an improvement to the organization wishing to conform to GDPR.
- Asset Management – ISO 27001 control A.8 (Asset Management) leads to inclusion of personal data as information security assets and allows organizations to understand what personal data is involved and where to store it, how long, what is its origin, and who has access, which are all requirements of EU GDPR.
- Privacy by Design – The adoption of Privacy by Design, another EU GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisitions, development and maintenance) ensures that “information security is an integral part of information systems across the entire lifecycle.”
- Supplier Relationships – ISO 27001 control A.15.1 (Information security in supplier relationships) requires the “protection of the organization’s assets that are accessible by suppliers.” According to GDPR, the organization delegates suppliers’ processing and storage of personal data; it shall require compliance with the requirements of the regulation through formal agreements.
Is ISO 27001 enough?
In addition to the adopted technical controls, structured documentation, monitoring, and continuous improvement, the implementation of ISO 27001 promotes a culture and awareness of security incidents in organizations. The employees of these organizations are more aware and have more knowledge to be able to detect and report security incidents. Information security is not only about technology; it’s also about people and processes.
The ISO 27001 standard is an excellent framework for compliance with the EU GDPR. If the organization has already implemented the standard, it is at least halfway toward ensuring the protection of personal data and minimizing the risk of a leak, from which the financial impact and visibility could be catastrophic for the organization. The first thing an organization should do is conduct an EU GDPR GAP Analysis to determine what remains to be done to meet the EU GDPR requirements, and then these requirements can be easily added through the Information Security Management System that is already set by ISO 27001.
From the ISO 27000 family, ISO/IEC 27018 should also be consulted (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) if the organization stores/processes personal data in the cloud. See the article ISO 27001 vs. ISO 27018 – Standard for protecting privacy in the cloud to learn more.
To summarize, almost any company that is operating internationally will have to comply with this regulation. As ISO 27001 is internationally recognized and implemented all over the world, it may be the best option to facilitate immediate compliance with EU GDPR.
To learn more about this topic, download this free white paper: What is EU GDPR and how can ISO 27001 help?
To find out the role of the DPO, see this article.
