Passive compliance with GDPR won’t ‘cut it’!
Many organizations spent much time and money in 2018 on compliance with General Data Protection Regulation - GDPR, and not only those based in the EU. But what actions now to ensure ongoing compliance?
It’s not enough to have policies and procedures to demonstrate that you comply with requirements. If there is a data breach or similar event, you will be challenged to demonstrate how your organization has maintained compliance on a continuing basis.
How to Use ISO 27001 Audits to Manage GDPR Compliance
ISO 27001, the information security management system (ISMS), provides a natural home for your efforts to maintain GDPR compliance. GDPR and ISO 27001 are mutually compatible - you can, for example:
- Create Compliance Checklists for use in Internal Audits to create objective evidence, which you can use in a Court of Law, if necessary, to demonstrate ongoing efforts to confirm and maintain compliance with regulations.
- Include internal audits of personnel at their workstations, likely your greatest vulnerability, in the Internal Audit Programme and again provide objective evidence of a sincere effort to comply with regulations.
- Your Data Protection Policies and Procedures can be incorporated into your ISMS.
- Update Information Security Risk Assessments in light of incidents, breaches or changes to processes.
- Conduct Periodic reviews of operations, including any operational changes, new or changed information assets (e.g. new server), and processes (e.g. new product or service) against GDPR can be included.
If you’re not familiar with ISO 27001, get a copy and examine Annex A, which lists potential informational security vulnerabilities and controls. You’ll be surprised how often issues relating to GDPR are mentioned. You'll also find other articles we've published about ISO 27001 useful.
What value does ISO 27701 add to your company's information security?
The Standard ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines, provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
Note that ISO 27701 is an extension to ISO 27001 and, as such, it is not possible to be certified to ISO 27701 alone. Being about protecting personal data it is invaluable to ensuring compliance with GDPR requirements and managing it all under the 'umbrella' of an ISO 27001 information security management system.
What if California Privacy Rights Act (CPRA) or other international personal data protection legislation applies?
Countries and states outside the EU, like California, have or are evolving their own personal data protection legislation. In these cases, ISO 27701 again facilitates establishing, implementing, maintaining and continually improving an ISMS by embedding personal data protection requirements, e.g. CPRA California (amendment to CCPA California) within a single ISO 27001 information security management system.
Why a Multi-layered approach to Information Security is Important
An example from 2019 shows how catastrophic such an event can be. Norsk Hydro ASA (often referred to as just Hydro) is a Norwegian aluminium and renewable energy company, with 35,000 personnel globally and headquartered in Oslo.
The company bravely refused to pay the ransom and lost access to all their data worldwide - personal data, financial, customer, supplier and all business data.
They had to revert to paper with the help of retired staff to continue to supply their customers. After 6 months, they reported that the recovery was going well (note, not completed) and had cost more than US$50,000,000.
Our recommendation: Implement and maintain an ISMS, incorporating ISO 27701 Guidance (to ensure compliance with the data protection directive requirements), get Certified and, after all that, sleep a little easier at night.
Note: This post was first published in June 2019, revised and updated in November 2022.
- Documenting GDPR and ISO 27001: What's the Best Strategy
- Free ISO 27001 Implementation Handbook (100+ pages)
- ISO 27001 Implementation in 31 Steps
- Navigating the fifty-six ISO 27000 Series of Standards
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.