In 2018, many organizations, not only those based in the EU, spent much time and money on compliance with the General Data Protection Regulation (GDPR).
But what actions should we take now to ensure ongoing compliance? It's not enough to have policies and procedures to demonstrate that you comply with the requirements. If there is a data breach or similar event, you will be challenged to demonstrate how your organization has maintained compliance on a continuing basis.
How to Use ISO 27001 Audits to Manage GDPR Compliance
ISO 27001, the international standard for an information security management system (ISMS), provides a natural home for your efforts to maintain GDPR compliance. GDPR and ISO 27001 are mutually compatible - you can, for example:
- Create compliance checklists for internal audits to produce objective evidence, which you can use in a court of law, if necessary, to demonstrate ongoing efforts to confirm and maintain compliance with regulations.
- Include internal audits of personnel at their workstations, likely your greatest vulnerability, in the Internal Audit Programme and again provide objective evidence of a sincere effort to comply with regulations.
- Incorporate your data protection policies and procedures into your ISMS.
- Update Information Security Risk Assessments regarding incidents, breaches, or process changes.
- Conduct periodic reviews of operations, including any operational changes, new or changed information assets (e.g., a new server), and processes (e.g., a new product or service), against GDPR requirements.
If you're unfamiliar with ISO 27001, get a copy and examine Annex A, which lists potential information security vulnerabilities and the controls that address them. You'll be surprised how often issues relating to GDPR are mentioned. You'll also find the other articles we've written about ISO 27001 helpful.
What value does ISO 27701 add to your company's information security?
The Standard ISO/IEC 27701:2019, Security techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management—Requirements and guidelines, provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the organization.
Note that ISO 27701 is an extension of ISO 27001, and, as such, it is not possible to be certified to ISO 27701 alone. Because it concerns protecting personal data, it is invaluable to ensuring compliance with GDPR requirements and managing it under the 'umbrella' of an ISO 27001 information security management system.
What if the California Privacy Rights Act (CPRA) or other international personal data protection legislation applies?
Countries and states outside the EU, like California, have or are evolving their own personal data protection legislation. In these cases, ISO 27701 again facilitates establishing, implementing, maintaining, and continually improving an ISMS by embedding personal data protection requirements, e.g., California's CPRA (which amends the CCPA), within a single ISO 27001 information security management system.
Why a Multi-layered Approach to Information Security is Important
You should consider ISO 27001 implementation anyway in light of successful ransomware attacks, which appear to be on the increase. Taking an ISO 27001 Course will help.
An example from 2019 shows how catastrophic such an event can be. Norsk Hydro ASA (often called just Hydro) is a Norwegian aluminum and renewable energy company with 35,000 personnel globally and headquartered in Oslo.
The company bravely refused to pay the ransom and lost access to all its data worldwide—personal, financial, customer, supplier, and all business data.
To continue supplying their customers, they had to revert to paper with the help of retired staff. After 6 months, they reported that the recovery was going well (note: not completed) and had cost more than US$50,000,000.
Our recommendation is to implement and maintain an ISMS, incorporate ISO 27701 Guidance (to ensure compliance with the data protection directive requirements), get certified, and, after all that, sleep a little easier at night.
Related Articles
- Documenting GDPR and ISO 27001. What's the Best Strategy?
- Free ISO 27001 Implementation Handbook (100+ pages)
- Navigating the fifty-six ISO 27000 Series of Standards
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a 'university-grade standard' used globally by schools, colleges, and universities to demonstrate competence.
We provide Courses for ISO 9001, ISO 13485, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Data Protection, Risk Management, and more.