News & Commentary on ISO Management System Standards

    Documenting compliance with GDPR and ISO 27001: the Best Strategy

    Managing privacy settings in accordance to the GDPR

    May 25th, 2018, struck terror into the hearts of those who had ignored the General Data Protection Regulation (GDPR).

    These EU Regulations came into force in 2018, carrying eye-watering fines for gross offenders in protecting the sensitive personal data of EU Citizens.

    The media may have lost interest, but your obligations regarding data protection under the Regulations have remained and continued.  Perhaps now, four years down the line, is a good time to 'take stock'?

    Largest GDPR Fines Imposed Due to Data Breaches and Privacy Violations (2020-21)

    Company Year Amount  Regulatory  Body Reason for the Fine
    Amazon.com Inc 2021 €746 M ($888 M) CNPD " Processing personal data in violation of the GDPR"
    WhatsApp 2021

    €225 M ($255M)

    IDPC "The fine relates to an investigation which began in 2018, about whether WhatsApp had been transparent enough about how it handles information."
    Google LLC 2021

    €150 M ($169 M)

    CNIL " because users of google.fr and youtube.com can't refuse or accept cookies as easily."
    Google LLC 2020

    €100 M

    ($111.46 M)

    CNIL " for having placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information"
    H&M 2020 €35.3 M Hamburg DPA "extensive recording of details about their (employees) private lives"
    Amazon Europe 2020 €35 M CNIL " for having placed advertising cookies on users’ computers, from the page amazon.fr, without obtaining prior consent and without providing adequate information."
    TIM S.p.A. 2020  €27.8 M Italian SA  "unlawful processing for marketing purposes."
    British Airways 2019

    £20 M

    ($26 M)

    ICO "failing to protect the personal and financial details of more than 400,000 of its customers"
    Marriott International Inc 2020 £18.4M ICO " for failing to keep millions of customers’ data secure."
    Wind Tre SpA  2020

    €17 M

    ($20 M)

    Italian SA "several instances of unlawful personal data processing that were mostly related to marketing."

    Data retrieved March 04, 2022

    Who Should Worry About the GDPR?

    Most B2B organizations have little to worry about, provided they get the basics right. And getting the basics right requires that some documentation be generated to demonstrate compliance with the Regulations.

    However, organizations with large volumes of customers (and prospective customers), suppliers, and staff data have a significant problem. It is about more than developing policies but the resources required to implement them (money, effort, and time). But that's not what we are discussing here.

    How to Document GDPR and ISO 27001 Compliance

    After the release of our ISO 27001 Course on implementing an Information Security Management System (ISMS), we were asked for advice regarding the relationship between GDPR documentation and ISO 27001 documentation.  There are three basic options (or strategies) to choose from when documenting GDPR and ISO 27001 compliance, namely:

    1. Keep the GDPR documentation entirely separate from the ISMS and its documents,
    2. Fully integrate the regulatory requirements into your ISMS Documents or
    3. Keep GDPR Documents separate from and cross-referenced to ISMS Documents.


    Available ISO 27001 Training Courses Image Map


    ISO 27001 Course Image Map. Click on the course you are interested in to learn more about them, or click this link to the ISO 27001 overview page.

    Option 1: Keep the GDPR documentation entirely separate from the ISMS and its documents,

    The GDPR is a regulatory requirement involving data that must be kept secure, and ISO 27001 Clause 4.1, and ISO 27001 Annex A Control 5.34, Privacy and the Protection of Personally Identifiable Information (PII), require that it be included in the ISMS Scope.  What then of Option 2?

    Option 2:  Fully integrate GDPR requirements into your ISMS Documents

    At first glance, this popular choice makes much sense – integrated internal audits, for example. 

    But could you think a moment? 

    There are 35 headings in GDPR where you are subject to inspection by your national Data Protection Authority. 

    If subjected to an inspection, do you want to be ‘digging’ through documents and records to provide the documentary evidence an inspector will require?  At best, you and your organization will appear disorganized and, at worst, give an inadequate account of your state of compliance. 


    CTA button showing a preview of what learners can learn from deGRANDSON's EU GDPR Advanced Course for Data Protection Officers  

    Click on the image on the left to see the table in full size or click the button on the right to see the full GDPR Advanced course

    Option 3: Keep GDPR Documents separate from and cross-referenced to ISMS Documents.

    This is our preferred choice – separate sets of documentation with comprehensive cross-referencing.  You will still be able to do a combined internal audit. In addition to making it easy to present evidence to a Data Protection Inspector, you will also be ready to add ISO 27701 requirements for processing personal data to your ISMS.

    Note: The previous announcement of an accredited EU-sponsored Certification Scheme for GDPR compliance has yet to come to anything, and the existence of ISO 27701 makes it very unlikely that it will ever be revived.

    Certification to ISO 27701 will provide objective evidence to be produced in a court of law affirming an organization’s best efforts to comply fully with GDPR and thus is likely to be a trendy choice.



    Click on the image on the left to see the table in full size, or click on the button on the right to see our GDPR Foundation Course.


    Conclusion - do an audit against GDPR Requirements soon

    Whether maintaining your own ISMS or availing the service of an ISO 27001 Consultant, you'll need to consider documenting GDPR and ISO 27001 compliance before making a recommendation.  Keeping GDPR documents separate but cross-referenced to ISMS documents is the best choice, making things as easy as possible now and in the future.

    GDPR Compliance Documentation Checklist

    If you're ready to start documenting your organization's GDPR compliance but need help figuring out where to start, here's a 19-page GDPR compliance documentation checklist to help you get things off the ground. Just click on the image below to get a copy.


    Free Sample GDPR Compliance Audit form

    Click on this GDPR Compliance Audit image to get your copy of the checklist

    Note: First posted in March 2018; revised and updated in December 2022.

    Related Courses

    Related Articles

    deGRANDSON Global is an ISO Certified Educational Organization

    New call-to-actionIn October 2021, we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

    • ISO 21001, Educational Organizational Management System,
    • ISO 29993, Learning Services outside formal Education,  and
    • ISO 29994, Learning Services – additional requirements for Distance Learning.

    We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard globally used by schools, colleges, and universities to demonstrate competence.



    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
    Find me on:

    Subscribe to Email Updates

    Recent Posts