ISO 27001 is great for providing the means to protect personal data, but there are aspects of GDPR – specifically the rights of data subjects: the right to be informed, the right to have personal data deleted and the right to data portability – that are not covered by the standard.
This doesn’t mean that ISO 27001 is obsolete; far from it. In fact, it was noted at the beginning of the GDPR roll-out that, as an internationally recognised standard, having it in place was a significant boost to GDPR compliance.
And here’s how:
Non-compliance with GDPR is no laughing matter and carries heavy fines. GDPR requires a company to assess the privacy risks of the data it holds, a process that ISO 27001 also requires. Placing personal data in the high-risk category also brings your risk assessment in line with GDPR.
Under ISO 27001, a company must maintain a list of the legislative, statutory, regulatory and contractual requirements that apply to it. A company already certified to the standard will therefore need to update that list to include GDPR if it operates within the EU or sells products or services to EU citizens. Even for companies that do not need to comply with the EU GDPR, ISO 27001 still places a high value on data policy and the protection of personal data.
Under GDPR, there is a 72-hour window in which a business must notify authorities of a security breach. ISO 27001 ensures a “consistent and effective approach to the management of information security incidents, including communication on security events”. Under GDPR, the individual or individuals affected will also need to be notified. In other words, this standard sets the bar for breach notification protocol, with the GDPR rulebook strengthening it.
ISO 27001 and GDPR are on a par when it comes to asset management. A control under the standard treats personal data as an information security asset, which helps organisations understand what personal data is involved, where it is stored, for how long, its origin and who has access to it, all key requirements under GDPR.
Privacy by Design
Privacy by design is another requirement that GDPR makes mandatory. Under ISO 27001, information security is an “integral part of information systems across the entire lifecycle”. In other words, the two dovetail, but even with ISO 27001 under your belt you still need to ensure that you are GDPR compliant.
ISO 27001 also requires protective measures to be in place for organisational assets, including personal data that is or could be accessed by outside suppliers and organisations. Under GDPR, such arrangements need to be formalised and must meet the compliance requirements too.
But is ISO 27001 enough to meet GDPR?
On its own, the standard is not enough, but successful certification certainly takes you more than halfway to GDPR compliance.
If you are not GDPR compliant, you need to act very quickly as the new set of regulations came into force on 25th May 2018.
And ISO 27001 is a fantastic standard for bolstering your security practices around data and how you process and control it.
How can we help you?
If you’re in need of assistance with any aspect of ISO or GDPR compliance, here at Synergos we’d be delighted to help. Whether you have questions about the path to compliance or are looking for advice and support to maintain compliance, call 01484 817 444 or email firstname.lastname@example.org and we’ll be happy to talk it over with you.