The GDPR (General Data Protection Regulation), love it or hate it, has enforced the use of the principles of privacy pragmatically and demonstrably. Any organization that does not adhere to the rules of the GDPR comes under the watchful eye of the regulators. A privacy violation under the terms of the GDPR results in heavy fines, the shame of being disrespectful of customer privacy, and potentially, lost business.
GDPR hitting companies where it hurts most
The GDPR enforcement tracker collates fines issued since the GDPR came into force. The cumulative fines, as of June 2021, stand at € 283,810,583. Looking at the two top reasons for the fines provides insight into where meeting GDPR compliance is most challenging:
- Insufficient legal basis for data processing (253 fines)
- Insufficient technical and organisational measures to ensure information security (147 fines)
What can an organization infer from these reasons for GDPR fines? Firstly, an organization cannot circumvent the GDPR requirements by making bold claims about having a legal basis to process data, and secondly, you need to make sure your organization uses robust security. Both challenges are easier said than done. So any helping hand to meet GDPR compliance and avoid those hefty fines is welcome. This is where the ISO 27001 standard comes in.
Getting your GDPR act together is a challenge. The regulation is nuanced and complex, and applying the principles of the GDPR can be technically challenging. Fortunately, a well-known security standard, ISO 27001, comes to the rescue.
What is ISO 27001?
ISO 27001 is the international standard for information security, originally developed back in 2005. Its best-practice approach helps organisations manage their information security through people, processes, and technology.
The standard sets out the processes and measures that help an organization define its Information Security Management System (ISMS) to protect against data breaches.
An ISMS is a set of standards that a company uses to:
- Identify the risks that exist for the information
- Set objectives on what needs to be achieved with information security
- Identify the stakeholders and their expectations of the company’s information security
- Determine safeguards to meet expectations and minimise risk
- Continuously measure to ensure performance is as expected
The ISO 27001 Standard Certification is recognised worldwide and indicates that your organisation is aligned with best practices regarding information security.
The overarching framework of ISO 27001 defines several areas that map closely to the requirements of the GDPR.
ISO 27001 is about delivering security across all information assets. This, by definition, will include personal data. The GDPR has specific requirements on the protection of personal data that require an organization to implement “appropriate technical and organizational measures” to process personal data securely. These technical measures are discussed in Article 32 of the GDPR and include the appropriate use of:
- the pseudonymization and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
ISO 27001 certification will demonstrate the above processes are in place and working. ISO 27001 certification also, importantly, demonstrates that an organization has gone through a process to secure information across its systems to ensure confidentiality, integrity, availability and resilience.
People, processes, and technology
The protection of data is a complex web of interrelated and connected areas. By applying the tenets of ISO 27001, people, process, and technology, you ensure that data is protected across the entire threat landscape: this includes social engineering as well as technical exploits. This maps well with the GDPR requirements for Privacy by Design and Default.
Testing and audits
ISO 27001 requires regular testing of an organization’s ISMS. This is in line with GDPR expectations on continued audit to demonstrate security and privacy fit. The expansion of ISO 27001 to include ISO 27701 also provides advisories on how to deliver a DPIA (Data Privacy Impact Assessment), a requirement of the GDPR.
The security landscape is one of change; both internal and external security risks change over time. ISO 27001 provides a framework to monitor, update, and review the ISMS to ensure adaptation to risk.
Accountability is a key principle of the GDPR, and compliance with its requirements must be demonstrable. Key persons are responsible for communicating any compliance issues and privacy violations. ISO 27001 provides a structure that develops a culture of security from the top down. By creating this culture, natural lines of governance are established that help the organization comply with the accountability and governance requirements of the GDPR.
ISO 27001 certification provides an organization with the security and privacy framework needed to help meet GDPR compliance. However, ISO 27001 is a more general, broader-scope standard than the GDPR, covering all critical company data, including personal data.
The GDPR, however, being focused on personal data privacy, has several data subject rights that are outside the remit of ISO 27001:
- Erasure: the right to be forgotten lets a data subject request that their personal data be deleted.
- Data portability: Data subjects have the right to request the transfer of their data from one system to another.
- Consent: The data subject has the right to know how their data is processed and the right to withdraw consent.
ISO 27701 and GDPR
Since 2005, ISO 27001 has had several revisions, including a 2019 addition, ISO/IEC 27701:2019, that adds privacy guidance. This extension to ISO 27001 adds guidance on implementing a Privacy Information Management System (PIMS). The guidance includes advice on the implementation of the standard by PII controllers and PII processors, including when performing Privacy Impact Assessments (PIA) and when implementing the principles of Privacy by Design, something closely aligned to the GDPR.
If an organization extends its certification to include the ISO 27001 extension, ISO 27701, it will be able to demonstrate compliance with more privacy-specific data processing requirements, including:
- Purpose of the data processing;
- Legal basis to process data;
- Consent lifecycle management;
- Privacy impact assessment;
- Data subject rights such as data access, correction, erasure, and automated decision making.
Committing to security – why certify?
Importantly, the GDPR recognizes that organizations certified to standards such as ISO 27001 and ISO 27701 show a commitment to security and privacy. Also, when a Data Protection Officer (DPO) helps to implement your privacy programme, they will refer to definitions from information security standards such as ISO 27001. Achieving ISO 27001 certification demonstrates that an organization has been through an external assessment of its information security posture and that the security measures implemented are operational and effective. If the worst happens and a GDPR violation occurs, this demonstrable commitment to security will go towards mitigating the impact during regulatory enforcement.
The way forward?
Fortunately, there are very helpful tools available to set you on course for ISO 27001 compliance, such as our ISO 27001 Navigator platform. We also offer additional advice and consultancy around the implementation of the standard. If you would like to understand more about how certification to ISO 27001 and compliance with the GDPR will benefit your organisation, fill out the form below and we’ll get in touch as soon as possible.