Both the ISO 27001 standard and the General Data Protection Regulation (GDPR) are concerned with protecting data, and they share many common themes.
ISO 27001 certification demonstrates that your business has an Information Security Management System (ISMS) in place to protect corporate information. However, operating an ISO 27001 ISMS does not by itself mean that you have met your obligations under the GDPR as an organisation handling personal data. In this article we explain why.
So, what exactly is the General Data Protection Regulation?
The GDPR is an EU regulation governing how personal data is collected, stored, used and otherwise processed. It has applied since 25 May 2018 and affects any organisation, wherever it is based, that processes the personal data of individuals in the EU.
Failure to comply with the GDPR can result in administrative fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher.
The regulation sets out six principles for processing personal data, which cover the general aims of the framework:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
A seventh, accountability, requires the organisation to be able to demonstrate that it complies with the other six.
The regulation considers why personal data is collected, how long it is kept and how it is stored.
Data subject rights
A person – called a data subject in the regulation – has a number of rights when it comes to companies storing, accessing or using their personal information. These rights take into account special cases such as sensitive information and records held on children. The GDPR sets out these rights and describes your responsibilities as an organisation to uphold them.
Accountability is a central part of the regulation: you must be able to demonstrate your adherence to it, not merely assert it. You must also be able to deal with any issues, such as personal data breaches, appropriately and within the steps and timescales the regulation specifies. Organisations whose core activities involve regular and systematic monitoring of individuals on a large scale, or large-scale processing of special categories of data or criminal-conviction data, must appoint a Data Protection Officer (DPO). The DPO informs and advises the organisation and monitors its compliance with data protection law and practice; responsibility for compliance itself remains with the organisation.
Does ISO 27001 satisfy the GDPR requirements?
The following information is provided for guidance and assumes a fully integrated, well-managed ISO 27001 ISMS that already incorporates controls and processes for handling personal data.
To determine how well your Management System covers GDPR, we would always recommend a gap analysis be performed.
| Principle | ISO 27001 coverage |
|---|---|
| Lawful, fair and transparent processing | Partial |
| Data should be used only as specified | Partial |
| Data should be limited to what is necessary for the specified use | Partial |
| Data should be accurate | Partial |
| Keep data that can identify individuals for no longer than necessary | Partial |
| Data should be protected at all times | Full |
For further information refer to Clause 6 and Annex A controls A.6.1.5, A.7.2.2, A.8.1, A.8.2, A.8.3.2, A.12.3, A.14.1.1, A.16 and A.18.1.4 (ISO/IEC 27001:2013 numbering; the 2022 edition renumbers Annex A).
| Data subject's rights | ISO 27001 coverage |
|---|---|
| The right to be informed | Partial |
| The right to object | Partial |
| The right to erasure | Partial |
| The right to restrict processing | Partial |
| The right of access | None |
| The right to data portability | Partial |
| The right to rectification | Partial |
| Rights regarding automated decision-making and profiling | None |
For further information refer to Clause 6.1.2 and Annex A controls A.8.3.2, A.12.3, A.14.1.1, A.16 and A.18.1.4 (ISO/IEC 27001:2013 numbering).
| Obligation | ISO 27001 coverage |
|---|---|
| Information security breach notification | Full |
| Restrictions on gathering children's data | Partial |
| Specific and informed consent to gather data | Partial |
| Appointment of a Data Protection Officer | Partial |
| Protection of data accessible to suppliers | Full |
| Performance of risk assessments | Full |
| Performance of a Data Protection Impact Assessment | Partial |
For further information refer to Clauses 5.3, 6.1.1, 8 and 9.1 and Annex A controls A.8.2.3, A.8.3.2, A.12.1.1, A.14.1.1, A.15.1, A.16, A.18.1.3 and A.18.1.4 (ISO/IEC 27001:2013 numbering).
Even where coverage is rated Full, the mapping is to the mechanism rather than to the legal obligation. Annex A.16 gives you an incident management process, but the 72-hour notification to the supervisory authority (Article 33) and the communication to affected data subjects (Article 34) are GDPR requirements that must be written into that process; the same applies to supplier controls under A.15, which need the Article 28 processor terms added to them.
While ISO 27001 does not provide coverage across all areas of the GDPR, it remains a valuable tool for protecting corporate information assets, because it provides documented evidence of how you manage information and meet legal obligations, and gives you a process for keeping that information secure.
With ISO 27001 you can be confident that you have implemented recognised security controls that improve resilience, protecting information assets from being lost, stolen or corrupted. The Standard will also help you to manage your ongoing GDPR commitments because it is strongly focused on continual improvement: the practice of reviewing and improving your information security processes supports the accountability the regulation demands and increases customer confidence.
If you’re concerned about your data handling processes and would like to align your systems with the requirements of the GDPR, you should consider the GDPR Readiness Assessment offered by QMS. During the Readiness Assessment you will benefit from training, a Data Protection Impact Assessment (DPIA), a Gap Analysis, guidance on Data Mapping and access to a library of document templates.
To find out more or to speak with a QMS Advisor, please call 0333 344 3646, or try our online fee calculator.