Documenting compliance with GDPR and ISO 27001: the Best Strategy

Managing privacy settings in accordance to the GDPRMay 25th, 2018 was a date that struck terror into the hearts of those who had ignored the General Data Protection Regulation (GDPR).

These EU Regulations came into force in 2018, and they carry eye-watering fines for gross offenders in protecting the sensitive personal data of EU Citizens.

The media may have lost interest, but your obligations regarding data protection under the Regulations have not gone away or diminished.  Perhaps now, four years down the line, is a good time to 'take stock'?

Largest GDPR Fines Imposed Due to Data Breaches and Privacy Violations

Company Year Amount  Regulatory  Body Reason for the Fine
Amazon.com Inc 2021 €746 M ($888 M) CNPD "Processing personal data in violation of the GDPR"
WhatsApp 2021

€225 M ($255M)

IDPC "The fine relates to an investigation which began in 2018, about whether WhatsApp had been transparent enough about how it handles information."
Google LLC 2021

€150 M ($169 M)

CNIL "because users of google.fr and youtube.com can't refuse or accept cookies as easily."
Google LLC 2020

€100 M

($111.46 M)

CNIL "for having placed advertising cookies on the computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information"
H&M 2020 €35.3 M Hamburg DPA "extensive recording of details about their (employees) private lives"
Amazon Europe 2020 €35 M CNIL "for having placed advertising cookies on users’ computers, from the page amazon.fr, without obtaining prior consent and without providing adequate information."
TIM S.p.A. 2020  €27.8 M Italian SA  "unlawful processing for marketing purposes."
British Airways 2019

£20 M

($26 M)

ICO "failing to protect the personal and financial details of more than 400,000 of its customers"
Marriott International Inc 2020 £18.4M ICO "for failing to keep millions of customers’ personal data secure."
Wind Tre SpA  2020

€17 M

($20 M)

Italian SA "several instances of unlawful data processing that were mostly related to marketing"

Data retrieved March 04, 2022

Who Should Worry About the GDPR?

Most B2B organizations have little to worry about, provided they get the basics right. And getting the basics right requires that some documentation be generated to demonstrate compliance with the Regulations.

Organizations with large volumes of customers (and prospective customers), suppliers and staff data do have a significant problem, though. It is not so much regarding developing policies but in terms of the resources required to implement them (money, effort and time). But that's not what we are discussing here.

How to Document GDPR and ISO 27001 Compliance

After the release of our ISO 27001 Course on implementing an Information Security Management System (ISMS), we were asked for advice regarding the relationship between GDPR documentation and ISO 27001 documentation.  There are three basic options (or strategies) to choose from when documenting GDPR and ISO 27001 compliance, namely:

  1. Keep the GDPR documentation entirely separate from the ISMS and its documents,
  2. Fully integrate the regulatory requirements into your ISMS Documents, or
  3. Keep GDPR Documents separate from, and cross-referenced to, ISMS Documents.


Full list of ISO 27001 auditor training and certification courses that deGRANDSON offers including purpose and duration (600x600 version).


ISO 27001 Course Image Map. Just click on the course that you are interested in to learn more about them or you can click on this link to go to the ISO 27001 overview page.


Option 1: Keep the GDPR documentation entirely separate from the ISMS and its documents,

The GDPR is a regulatory requirement involving data that must be kept secure and ISO 27001 Clause 4.1, and ISO 27001 Annex A.8.2.1 and A.18.1 (all of it) requires that it be included in the ISMS Scope.  What then of Option 2?

Option 2:  Fully integrate GDPR requirements into your ISMS Documents

This is a popular choice at first glance seems to make a lot of sense – integrated internal audits, for example. 

But think a moment. 

There are 35 headings in GDPR where you are subject to inspection by your national Data Protection Authority. 

If subjected to an inspection, do you really want to be ‘digging’ through documents and records to provide the documentary evidence an inspector will require?  At best you and your organization will appear disorganized and, at worst, will give an inadequate account of your state of compliance. 



Click on the image on the left to see the table in full size or click on the button on the right to see our GDPR Advanced Course

Option 3: Keep GDPR Documents separate from and cross-referenced to ISMS Documents.

This is our preferred choice – separate sets of documentation with comprehensive cross-referencing.  You will still be able to do a combined internal audit and in addition to making it easy to present evidence to a Data Protection Inspector, you will also be ready to add ISO 27701 requirements for the processing of personal data to your ISMS.

Note: The previous announcement of an accredited EU-sponsored Certification Scheme for GDPR compliance has come to nothing, and the existence of ISO 27701 makes it very unlikely that it will ever revive.

Certification to ISO 27701 will provide objective evidence to be produced in a Court of Law affirming an organization’s best efforts to fully comply with GDPR, and thus is likely to be a very popular choice.



Click on the image on the left to see the table in full size or click on the button on the right to see our GDPR Foundation Course


Conclusion - do an audit against GDPR Requirements soon

Whether maintaining your own ISMS or you're availing the service of an ISO 27001 Consultant, you'll need to think hard about documenting GDPR and ISO 27001 compliance before making a recommendation.  For us, keeping GDPR documents separate, but cross-referenced to ISMS documents, is the best choice making things as easy as possible now and in the future.

GDPR Compliance Documentation Checklist

If you're ready to start documenting your organisation's GDPR compliance but you're not sure where to start, here's a 19-page GDPR compliance documentation checklist to help you get things off the ground. Just click on the image below to get a copy.


Free Sample GDPR Compliance Audit form

Click on this GDPR Compliance Audit image to get your copy of the checklist

Note: First posted in March 2018; revised and updated in December 2022.

Related Courses

Related Articles

deGRANDSON Global is an ISO Certified Educational Organization

New call-to-actionIn October 2021 we secured certification to three education-related ISO Standards.  We now have a university-grade management system in place conforming to the requirements of  …

  • ISO 21001, Educational Organizational Management System,
  • ISO 29993, Learning Services outside formal Education,  and
  • ISO 29994, Learning Services – additional requirements for Distance Learning.

We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which in our opinion are commercially compromised), it is based on independent third-party assessment.  It is a ‘university grade’ standard in use globally by schools, colleges, and universities to demonstrate their competence.



Written by Dr John FitzGerald

Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems
Find me on:

Subscribe to Email Updates

Recent Posts