The EU’s General Data Protection Regulation (GDPR) should, by now, need little introduction. It should be widely understood that it represents a new paradigm for data protection that requires organisations to uphold defined principles of data protection and to protect a set of rights for data subjects. The GDPR will also assert some impressively “effective, proportionate and dissuasive” fines for businesses that fail to uphold these principles and protect these rights.
Businesses throughout Europe and around the world will be interested in protecting themselves and the data they hold, if not to avoid the fines then to ensure continued access to one of the world’s largest markets. For those businesses, understanding how to comply with the Regulation is critical.
What does the GDPR provide for businesses?
The Regulation provides a long set of requirements for businesses and regulators that essentially form a set of parameters within which organisations need to operate in order to uphold the principles and protect rights. Understanding these parameters and ensuring the organisation meets them is merely the beginning of the struggle, however: organisations must also ensure that compliance is not a snapshot event, but a persistent state. At the very least, they should recall that a single data breach could bring down the wrath of the EU’s supervisory authorities.
There are repeated references throughout the Regulation to the requirement for “technical and organisational measures” to ensure compliance with measures relevant to the context of the business. That is, the EU knows that it cannot define a set of specific measures that will apply to all businesses, and so it relies upon the organisation to identify these measures for itself. In order to demonstrate compliance, businesses need to be able to show not only that these technical and organisational measures are in place, but that they are appropriate to the organisation, the personal data it holds or processes, the technologies it uses, and the risks it faces. Furthermore, they need to be able to do so on an ongoing basis.
How does ISO 27001 certification help with GDPR compliance?
Several supervisory authorities across Europe have already highlighted ISO 27001 as a model of best practice that will provide good evidence of an intent and effort to comply. What this means is that an organisation with a certified ISO 27001 ISMS (information security management system) is seen as taking an appropriate approach to protecting personal data in line with the GDPR, and thus is likely to be treated with greater mercy in the event of a data breach.
ISO 27001 should actually be seen as an excellent approach to compliance with data protection and privacy legislation generally, as it requires the business to recognise the “needs and expectations of interested parties”, which include customers, the public, partners and regulatory bodies, and “may include legal and regulatory requirements and contractual obligations”. A business with an effective, ISO 27001-aligned ISMS must, by definition, meet the requirements of the GDPR.
Furthermore, a business with an ISMS that has been certified by an accredited certification body has good evidence that it is in compliance with the GDPR (and any other relevant laws and regulations). This is the purpose of external validation, and gives it a considerable edge over self-certification schemes.
ISO 27001 not only addresses the need to comply with legislation through a systematic set of policies and processes, but also offers a reference set of controls. These controls, while they may not be exhaustive, can be readily leveraged to provide appropriate “technical and organisational measures”, as required by the GDPR.
ISO 27001 uses risk assessments to identify the necessary controls, which ties in well with the GDPR’s stipulations regarding risk management and data protection impact assessments. The Regulation’s requirement to mitigate the risks to rights and freedoms of data subjects, for instance, can be managed within an ISO 27001 risk assessment, with controls potentially drawn from the Standard’s reference controls (or from any other source).
Of course, this is all very easy to talk about and very easy to get excited about, but implementing an ISMS can be a bewildering process, especially if the organisation has little experience with formalised management systems.
Why implement a management system?
A management system operates on the principle that a set of defined practices can be followed, repeatedly, in order to ensure consistent behaviour in line with the organisation’s requirements. In the case of an ISMS, these practices relate to the protection of information, and are developed in accordance with the organisation’s position, which is normally stated in a policy.
As the organisation develops all of the necessary practices, it becomes apparent that the whole system is heavily interlinked and that there needs to be an awareness of the management system’s needs at both the macro and micro scale. That is, the organisation needs to understand how all of the policies, procedures and records interact on a grand scale just as much as the organisation needs the detail to be precise, effective and replicable. For many organisations, developing this framework, filling in all of the details, and documenting the whole intricate lattice of processes is daunting. But – as we established earlier – the GDPR means that organisations can no longer put off data protection and privacy.
In fact, with the 25 May 2018 compliance deadline fast approaching, businesses would do well to acquire resources that can streamline how they approach compliance.
Toolkits to accelerate your route to compliance
Drawing on 10 years of practitioner-led development, IT Governance Publishing has successfully supported best-practice implementation and certification for thousands of organisations worldwide that have used our pre-written, compliant templates.