Comply with the technical and organisational measures of the GDPR
The GDPR requires organisations to implement technical and organisational measures to mitigate the risk of a data breach. In this respect, ISO 27001 provides an excellent starting point – an organisation that is already ISO 27001-certified has already done half the work required to achieve GDPR compliance.
Does the GDPR offer guidance for avoiding a data breach?
Article 32 of the GDPR instructs organisations to, as appropriate:
- Pseudonymise and encrypt personal data;
- Assure the ongoing confidentiality, integrity and availability of your data, as well as the resilience of your processing systems and services;
- In the event of an incident, prepare to restore the availability and access to personal data in a timely fashion;
- Implement a regular testing process to evaluate the effectiveness of technical and organisational controls that have been implemented to safeguard the security of processing; and
- Identify and mitigate all risks to personal data of accidental or unlawful destruction, loss, alteration, etc.
An ISO 27001 ISMS (information security management system) typically meets all the above requirements.
With its accountability and privacy by design requirements, as well as its stipulation of the need to implement policies and processes, it is practically impossible to comply with the GDPR without implementing some form of framework – such as an ISMS. Article 32 of the Regulation is distinctly lacking in guidance as to how to achieve appropriate security, so the GDPR advises organisations to adopt existing best practices to minimise the risk of a data breach.
Given its international reputation as the best-practice standard for information security management, ISO 27001 is clearly an appropriate starting point for any organisation seeking to properly manage its information security risks.
How ISO 27001 works
- An ISMS is a framework of policies, processes and technology that enables you to manage, monitor, assess and ameliorate your information security risks in one central system, ensuring both consistency and cost-effectiveness.
- An ISO 27001-aligned ISMS covers all your information assets, including your corporate information, intellectual property and personal data.
- Compliance with ISO 27001 means you are on top of your information risks, using a programme of regular testing and review.
- ISO 27001 provides guidance for implementing suitable measures to mitigate identified risks, which will help you meet the GDPR’s requirements.
- An ISO 27001 ISMS will enable your organisation to better comply with the GDPR’s privacy by design requirements by promoting an organisation-wide culture and awareness of information security, making data protection part of ‘business as usual’.
- Certifying to ISO 27001 provides independent assurance to clients, stakeholders and regulators that your ISMS has been properly tested and reviewed in accordance with internationally recognised best practice, and that you have taken appropriate measures to comply with the GDPR’s security requirements.
Why technical measures alone are insufficient for GDPR compliance.
No matter how state of the art, or how many layers of technology you implement, technical controls alone are insufficient to prevent a data breach. Here’s why:
- Your threat surface includes people, processes and technology – implementing technical controls alone cannot possibly provide comprehensive cover.
- Staff and inadequate processes are the most common causes of data security failures.
- ISO 27001 compliance requires an organisation-wide commitment – not just an IT effort.
- No matter how well thought out, the best information security plans cannot succeed without the commitment of the entire organisation.
- As the threat landscape constantly changes and your business evolves, ISO 27001 helps you stay on top of the latest threats through a process of continually improving your ISMS.
- In order to be effective, controls need to be properly managed. The best way to do this is by implementing a management system.
- ISO 27001 certification provides your organisation with external expert evaluation of the effectiveness of your information security management.
GDPR compliance with ISO 27001
It is more cost-effective to comply with the GDPR than to ignore it. An ISO 27001 ISMS can help you achieve GDPR compliance in a cost-effective manner. Browse our free resources to learn more about how ISO 27001 can aid your journey to compliance.
While ISO 27001 provides a robust starting point for GDPR compliance, the GDPR stipulates further requirements that are not covered in ISO 27001. These would require a privacy framework instead – such as BS 10012:2017, which stipulates best practice for a PIMS (personal information management system). IT Governance recommends organisations adopt both standards to form an integrated data privacy and information security management system that ensures a comprehensive regime of compliance.
Let’s work together to get things moving
Whatever the nature or size of your problem, we are here to help. Click the button below to request a call and one of our experts will get in touch to help you establish an effective compliance regime as soon as possible.