Many organizations, and not only those based in the EU, spent a great deal of time and money in 2018 on compliance with the General Data Protection Regulation (GDPR). But what should you do now to ensure ongoing compliance?
It’s not enough to have policies and procedures to demonstrate that you comply with requirements. If there is a data breach or similar event, you will be challenged to demonstrate how your organization has maintained compliance on a continuing basis.
ISO 27001, the information security management system (ISMS), provides a natural home for your efforts to maintain GDPR compliance. GDPR and ISO 27001 are mutually compatible - you can, for example:
If you’re not familiar with ISO 27001, get a copy and examine Annex A, which lists potential information security vulnerabilities and controls. You’ll be surprised how often issues relating to GDPR are mentioned. You'll also find the other articles we've published about ISO 27001 useful.
The Standard ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines, provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization.
Note that ISO 27701 is an extension to ISO 27001, and, as such, it is not possible to be certified to ISO 27701 alone. Because it focuses on protecting personal data, it is invaluable for ensuring compliance with GDPR requirements and for managing it all under the 'umbrella' of an ISO 27001 information security management system.
Countries and states outside the EU, such as California, have introduced or are developing their own personal data protection legislation. In these cases, ISO 27701 again facilitates establishing, implementing, maintaining, and continually improving an ISMS by embedding personal data protection requirements, e.g., California's CPRA (an amendment to the CCPA), within a single ISO 27001 information security management system.
You will want to consider ISO 27001 implementation anyway in light of successful ransomware attacks, which appear to be on the increase. Taking an ISO 27001 Course will help.
An example from 2019 shows how catastrophic such an event can be. Norsk Hydro ASA (often referred to simply as Hydro) is a Norwegian aluminum and renewable energy company with 35,000 personnel globally, headquartered in Oslo.
The company bravely refused to pay the ransom and lost access to all of its data worldwide - personal data, financial, customer, supplier, and all business data.
They had to revert to paper with the help of retired staff to continue to supply their customers. After 6 months, they reported that the recovery was going well (note, not completed) and had cost more than US$50,000,000.
Our recommendation: Implement and maintain an ISMS, incorporating ISO 27701 Guidance (to ensure compliance with the data protection directive requirements), get certified, and, after all that, sleep a little easier at night.
Note: This post was first published in June 2019, revised and updated in November 2022.
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.