Does ISO 27001 provide GDPR Compliance

Both the ISO 27001 framework and the General Data Protection Regulations (GDPR) requirements are concerned with data security and share many common themes.

ISO 27001 certification demonstrates that your business has systems in place to protect corporate information and data. However, implementing the ISO 27001 Management System does not necessarily mean that you have fulfilled your responsibilities as a business handling personal data in accordance with the GDPR – in this article, we will explain why.

So, what exactly is the General Data Protection Regulation?

The GDPR is a set of laws and guidelines covering the handling of personal information. This regulation was introduced in May 2018 by the European Union and effects companies that collect, hold, use or process the personal information of EU citizens.

Failure to comply with the GDPR could result in fines of up to 4% of annual global turnover.

GDPR principles

The regulation is split into six guiding principles which cover the general aims of the framework:

• Lawfulness, fairness and transparency
• Purpose limitation
• Data minimisation
• Accuracy
• Storage limitation
• Integrity and confidentiality.

The regulations consider why personal information is collected, how long it’s kept and the way in which it’s stored.

Data subject rights

A person – called a data subject in the regulation – has a number of rights when it comes to companies storing, accessing or using their personal information. These rights take into account special cases such as sensitive information and records held on children. The GDPR sets out these rights and describes your responsibilities as an organisation to uphold them.

Your obligations

It is an important part of the regulation that you can prove your adherence to it. You should also be able to deal with any issues – such as breaches of information security – appropriately and according to the steps specified in the regulation. Companies that regularly process large amounts of personal data, or handle special data categories such as criminal convictions, must assign a Data Protection Officer (DPO). The DPO will be responsible for proving and ensuring that your organisation complies with data protection law and practices.

Does ISO 27001 satisfy the GDPR requirements?

The following information is provided for guidance and is based on a fully integrated, well-managed ISO 27001 Management System that already incorporates controls and processes for handling personal information.

To determine how well your Management System covers GDPR, we would always recommend a gap analysis be performed.

Principles

• Lawful, fair and transparent processing – Partial coverage by ISO 27001
• Data should be used as specified – Partial coverage by ISO 27001
• Data should be limited to what is necessary for the specified use – Partial coverage by ISO 27001
• Data should be accurate – Partial coverage by ISO 27001
• Keep data that can identify individuals for no longer than necessary – Partial coverage by ISO 27001
• Data should be protected at all times – Full coverage by ISO 27001

For further information please refer to ISO 27001 Clause 6, ISO 27001 Annexes 6.1.5, 7.2.2, 8.1, 8.2, 8.3.2, 12.3, 14.1.1, 16 and 18.1.4

Data subject’s rights

• The right to be informed – Partial coverage by ISO 27001
• The right to object – Partial coverage by ISO 27001
• The right to erasure – Partial coverage by ISO 27001
• The right to restrict processing – Partial coverage by ISO 27001
• The right of access – No coverage by ISO 27001
• The right to data portability – Partial coverage by ISO 27001
• The right to rectification – Partial coverage by ISO 27001
• Rights regarding automated decisions and data profiling – No coverage by ISO 27001

For further information please refer to ISO 27001 Clause 6.1.2, ISO 27001 Annexes 8.3.2, 12.3, 14.1.1, 16 and 18.1.4

Data Protection Obligations

• Information security breach notification – Full coverage by ISO 27001
• Restrictions on gathering children’s data – Partial coverage by ISO 27001
• Specific and informed consent to gather data – Partial coverage by ISO 27001
• Assignment of a Data Protection Officer – Partial coverage by ISO 27001
• Protection of data accessible by suppliers – Full coverage by ISO 27001
• Performance of risk assessments – Full coverage by ISO 27001
• Performance of a Data Protection Impact Assessment – Partial coverage by ISO 27001

For further information please refer to Clauses 5.3, 6.1.1, 8 and 9.1, Annexes 8.2.3, 8.3.2, 12.1.1, 14.1.1, 15.1, 16, 18.1.3 and 18.1.4

Summary

While gaining ISO 27001 certification does not provide coverage across all areas of the GDPR, it remains a valuable tool when it comes to protecting corporate information assets because it provides evidence of how you manage information and meet legal obligations,  ensuring that information remains safe and secure at all times.

With ISO 27001 you can be confident that you have implemented best-practice security practices which will help you to improve resilience – protecting information assets from being lost, stolen or corrupted. The Standard will also help you to manage your ongoing commitments when it comes to remaining compliant with the GDPR because it is strongly focused on continual improvement, helping you to increase customer confidence through the practice of reviewing and improving your ongoing information security processes.

To find out more or to speak with a Certification Development Consultant, please call 0333 344 3646 or alternatively you can try our online fee calculator.