May 25th, 2018 was a date that struck terror into the hearts of those who had ignored the General Data Protection Regulation (GDPR).
These EU Regulations came into force in 2018, and they carry eye-watering fines for gross offenders in protecting the sensitive personal data of EU Citizens.
The media may have lost interest, but your obligations regarding data protection under the Regulations have not gone away or diminished. Perhaps now, four years down the line, is a good time to 'take stock'?
Largest GDPR Fines Imposed Due to Data Breaches and Privacy Violations
| Company | Year | Amount | Regulatory Body | Reason for the Fine |
|---|---|---|---|---|
| Amazon.com Inc | 2021 | €746 M ($888 M) | CNPD | "Processing personal data in violation of the GDPR" |
| WhatsApp | | €225 M ($255 M) | IDPC | "The fine relates to an investigation which began in 2018, about whether WhatsApp had been transparent enough about how it handles information." |
| Google | | €150 M ($169 M) | CNIL | "because users of google.fr and youtube.com can't refuse or accept cookies as easily." |
| Google | | | CNIL | "for having placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information" |
| H&M | 2020 | €35.3 M | Hamburg DPA | "extensive recording of details about their (employees) private lives" |
| Amazon Europe | 2020 | €35 M | CNIL | "for having placed advertising cookies on users' computers, from the page amazon.fr, without obtaining prior consent and without providing adequate information." |
| TIM S.p.A. | 2020 | €27.8 M | Italian SA | "unlawful processing for marketing purposes." |
| | | | ICO | "failing to protect the personal and financial details of more than 400,000 of its customers" |
| Marriott International Inc | 2020 | £18.4 M | ICO | "for failing to keep millions of customers' personal data secure." |
| Wind Tre SpA | 2020 | | Italian SA | "several instances of unlawful data processing that were mostly related to marketing" |

Data retrieved March 04, 2022. Cells left blank are not given in the source table.
Who Should Worry About the GDPR?
Most B2B organizations have little to worry about, provided they get the basics right. And getting the basics right requires that some documentation be generated to demonstrate compliance with the Regulations.
Organizations with large volumes of customers (and prospective customers), suppliers and staff data do have a significant problem, though. It is not so much regarding developing policies but in terms of the resources required to implement them (money, effort and time). But that's not what we are discussing here.
How to Document GDPR and ISO 27001 Compliance
After the release of our ISO 27001 Course on implementing an Information Security Management System (ISMS), we were asked for advice regarding the relationship between GDPR documentation and ISO 27001 documentation. There are three basic options (or strategies) to choose from when documenting GDPR and ISO 27001 compliance, namely:
- Keep the GDPR documentation entirely separate from the ISMS and its documents,
- Fully integrate the regulatory requirements into your ISMS Documents, or
- Keep GDPR Documents separate from, and cross-referenced to, ISMS Documents.
Option 1: Keep the GDPR documentation entirely separate from the ISMS and its documents.
The GDPR is a regulatory requirement involving data that must be kept secure, and ISO 27001 Clause 4.1, together with ISO 27001 Annex A.8.2.1 and A.18.1 (all of it), require that it be included in the ISMS Scope. Fully separate documentation is therefore not really an option. What then of Option 2?
Option 2: Fully integrate GDPR requirements into your ISMS Documents
This is a popular choice that, at first glance, seems to make a lot of sense: integrated internal audits, for example.
But think a moment.
There are 35 headings in the GDPR under which you are subject to inspection by your national Data Protection Authority.
If subjected to an inspection, do you really want to be 'digging' through combined documents and records to find the documentary evidence an inspector will require? At best you and your organization will appear disorganized and, at worst, you will give an inadequate account of your state of compliance.
Option 3: Keep GDPR Documents separate from and cross-referenced to ISMS Documents.
This is our preferred choice: separate sets of documentation with comprehensive cross-referencing. You will still be able to run a combined internal audit and, in addition to making it easy to present evidence to a Data Protection Inspector, you will also be ready to add the ISO 27701 requirements for the processing of personal data to your ISMS.
Note: The previous announcement of an accredited EU-sponsored Certification Scheme for GDPR compliance has come to nothing, and the existence of ISO 27701 makes it very unlikely that it will ever revive.
Certification to ISO 27701 will provide objective evidence to be produced in a Court of Law affirming an organization’s best efforts to fully comply with GDPR, and thus is likely to be a very popular choice.
Conclusion - do an audit against GDPR Requirements soon
Whether you maintain your own ISMS or use the services of an ISO 27001 Consultant, you'll need to think hard about how to document GDPR and ISO 27001 compliance before making a recommendation. For us, keeping GDPR documents separate from, but cross-referenced to, ISMS documents is the best choice, making things as easy as possible now and in the future.
GDPR Compliance Documentation Checklist
If you're ready to start documenting your organisation's GDPR compliance but you're not sure where to start, we offer a 19-page GDPR compliance documentation checklist to help you get things off the ground.
Note: First posted in March 2018; revised and updated in December 2022.
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.