Does ISO 27001 provide GDPR Compliance?

Both the ISO 27001 framework and the General Data Protection Regulation (GDPR) requirements are concerned with data security, and share many common themes.

ISO 27001 certification demonstrates that your business has systems in place to protect corporate information and data. However, implementing the ISO 27001 Management System does not necessarily mean that you have fulfilled your responsibilities as a business handling personal data in accordance with the GDPR. In this article we will explain why.

So, what exactly is the General Data Protection Regulation?

The GDPR is a set of laws and guidelines covering the handling of personal information. This regulation was introduced in May 2018 by the European Union and affects companies that collect, hold, use or process the personal information of EU citizens.

Failure to comply with the GDPR could result in fines of up to 4% of annual global turnover.

GDPR principles

The regulation is split into six guiding principles which cover the general aims of the framework:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality.

The regulations consider why personal information is collected, how long it’s kept and the way in which it’s stored.

Data subject rights

A person – called a data subject in the regulation – has a number of rights when it comes to companies storing, accessing or using their personal information. These rights take into account special cases such as sensitive information and records held on children. The GDPR sets out these rights and describes your responsibilities as an organisation to uphold them.

Your obligations

It is an important part of the regulation that you can prove your adherence to it. You should also be able to deal with any issues – such as breaches of information security – appropriately and according to the steps specified in the regulation. Companies that regularly process large amounts of personal data, or handle special data categories such as criminal convictions, must assign a Data Protection Officer (DPO). The DPO will be responsible for proving and ensuring that your organisation complies with data protection law and practices.

Does ISO 27001 satisfy the GDPR requirements?

The following information is provided for guidance and is based on a fully integrated, well-managed ISO 27001 Management System that already incorporates controls and processes for handling personal information.

To determine how well your Management System covers GDPR, we would always recommend a gap analysis be performed.

Principle | ISO 27001 coverage
Lawful, fair and transparent processing | Partial
Data should be used as specified | Partial
Data should be limited to what is necessary for the specified use | Partial
Data should be accurate | Partial
Keep data that can identify individuals for no longer than necessary | Partial
Data should be protected at all times | Full

For further information please refer to Clause 6, Annexes 6.1.5, 7.2.2, 8.1, 8.2, 8.3.2, 12.3, 14.1.1, 16 and 18.1.4


Data subject’s rights | ISO 27001 coverage
The right to be informed | Partial
The right to object | Partial
The right to erasure | Partial
The right to restrict processing | Partial
The right of access | None
The right to data portability | Partial
The right to rectification | Partial
Rights regarding automated decisions and data profiling | None

For further information please refer to Clause 6.1.2, Annexes 8.3.2, 12.3, 14.1.1, 16 and 18.1.4


Obligation | ISO 27001 coverage
Information security breach notification | Full
Restrictions on gathering children’s data | Partial
Specific and informed consent to gather data | Partial
Assignment of a Data Protection Officer | Partial
Protection of data accessible by suppliers | Full
Performance of risk assessments | Full
Performance of a Data Protection Impact Assessment | Partial

For further information please refer to Clauses 5.3, 6.1.1, 8 and 9.1, Annexes 8.2.3, 8.3.2, 12.1.1, 14.1.1, 15.1, 16, 18.1.3 and 18.1.4

While ISO 27001 does not provide coverage across all areas of the GDPR, it remains a valuable tool when it comes to protecting corporate information assets because it provides evidence of how you manage information and meet legal obligations, ensuring that information remains safe and secure at all times.

With ISO 27001 you can be confident that you have implemented best-practice security measures which will help you to improve resilience – protecting information assets from being lost, stolen or corrupted. The Standard will also help you to manage your ongoing commitments when it comes to remaining compliant with the GDPR because it is strongly focused on continual improvement, helping you to increase customer confidence through the practice of reviewing and improving your ongoing information security processes.

What next?

If you’re concerned about your data handling processes and would like to align your systems with the requirements of the GDPR, you should consider the GDPR Readiness Assessment offered by QMS. During the Readiness Assessment you will benefit from training, a Data Protection Impact Assessment (DPIA), a Gap Analysis, guidance on Data Mapping and access to a library of document templates.

To find out more or to speak with a QMS Advisor, please call 0333 344 3646 or alternatively you can try our online fee calculator.