May 25th, 2018, struck terror into the hearts of those who had ignored the General Data Protection Regulation (GDPR).
On that date the Regulation became enforceable, carrying eye-watering fines for gross offenders in protecting the personal data of EU citizens (see the table below).
The media may have lost interest, but your obligations under the Regulation have not gone away. Perhaps now, seven years down the line, is a good time to take stock?
Largest GDPR Fines Imposed Due to Data Breaches and Privacy Violations (2024)

| Company | Amount | Regulatory Body | Reason for the Fine |
|---|---|---|---|
| Meta | €1.2 billion ($1.25 billion) | DPC Ireland | Transferring personal data of European users to the United States without adequate data protection mechanisms. |
| Amazon | €746 million ($777 million) | CNPD Luxembourg | Processing customers' personal data for Amazon's advertising targeting system without proper consent. |
| Meta | €405 million ($422 million) | DPC Ireland | Processing children's personal data without a valid legal basis (neither performance of a contract nor legitimate interest applied). |
| Meta | €390 million ($406 million) | DPC Ireland | Forcing Facebook and Instagram users to accept Terms of Service that changed the legal basis for most processing from consent to contract. |
| TikTok | €345 million ($359 million) | DPC Ireland | Violations concerning platform default settings, age verification, and communication with child users. |
| LinkedIn | €310 million ($323 million) | DPC Ireland | Misuse of user data for behavioural analysis and targeted advertising. |
| Uber | €290 million ($303 million) | DPA Netherlands | Improperly transferring the personal data of European taxi drivers to the United States. |
| Meta | €265 million ($277 million) | DPC Ireland | Disclosure of the personal data (phone numbers and email addresses) of 533 million users without authorisation. |
| WhatsApp | €225 million ($235 million) | DPC Ireland | Infringement of transparency requirements. |
| Google | €90 million ($94 million) | CNIL France | Not allowing YouTube users in France to refuse cookies as easily as they could accept them. |

Data retrieved December 27, 2024.
Who Should Worry About the GDPR?
Most B2B organizations have little to worry about, provided they get the basics right. Getting the basics right means generating enough documentation to demonstrate compliance with the Regulation.
Organizations that hold large volumes of customer (and prospective customer), supplier, and staff data have a much bigger problem. For them it is not just a matter of writing policies but of finding the resources (money, effort, and time) to implement them. That, however, is not what we are discussing here.
How to Document GDPR and ISO 27001 Compliance
After the release of our ISO 27001 Course on implementing an Information Security Management System (ISMS), we were asked for advice regarding the relationship between GDPR documentation and ISO 27001 documentation. There are three basic options (or strategies) to choose from when documenting GDPR and ISO 27001 compliance, namely:
- Keep the GDPR documentation entirely separate from the ISMS and its documents,
- Fully integrate the regulatory requirements into your ISMS Documents or
- Keep GDPR Documents separate from and cross-referenced to ISMS Documents.
Option 1: Keep the GDPR documentation entirely separate from the ISMS and its documents
This option does not really work. The GDPR is a legal requirement concerning data that must be kept secure, and ISO 27001 Clause 4.1 (understanding the organization and its context) together with Annex A Control 5.34 (Privacy and the Protection of Personally Identifiable Information, PII) require that the processing of personal data be brought within the ISMS scope. A wholly separate set of GDPR documents therefore leaves the ISMS incomplete. What then of Option 2?
Option 2: Fully integrate GDPR requirements into your ISMS Documents
At first glance, this popular choice makes much sense – integrated internal audits, for example.
But stop and think for a moment.
There are 35 headings in GDPR where you are subject to inspection by your national Data Protection Authority.
If subjected to an inspection, do you want to be ‘digging’ through documents and records to provide the documentary evidence an inspector will require? At best, you and your organization will appear disorganized and, at worst, give an inadequate account of your state of compliance.
Option 3: Keep GDPR Documents separate from and cross-referenced to ISMS Documents.
This is our preferred choice – separate sets of documentation with comprehensive cross-referencing. You will still be able to do a combined internal audit. In addition to making it easy to present evidence to a Data Protection Inspector, you will also be ready to add ISO 27701 requirements for processing personal data to your ISMS.
Note: The EU-sponsored, accredited certification scheme for GDPR compliance that was announced some years ago has yet to come to anything, and the existence of ISO 27701 makes it unlikely that it will be revived.
Certification to ISO 27701 (the privacy information management extension to ISO 27001) provides objective, independently assessed evidence that can be produced in court to show an organization's efforts to comply with the GDPR. It is not a GDPR certification under Article 42 of the Regulation, but in the absence of such a scheme it is likely to be a popular choice.
Conclusion - do an audit against GDPR Requirements soon
Whether you maintain your own ISMS or use the services of an ISO 27001 consultant, you need to decide how GDPR and ISO 27001 compliance will be documented before anyone starts writing. Keeping GDPR documents separate from, but cross-referenced to, the ISMS documents is the best choice: it keeps things as easy as possible both now and when ISO 27701 is added later.
GDPR Compliance Documentation Checklist
If you are ready to start documenting your organization's GDPR compliance but are unsure where to begin, our 19-page GDPR compliance documentation checklist will help you get started.
Related Articles
- Information Security Standards other than ISO 27001
- Free ISO 27001 Implementation Handbook (100+ pages)
deGRANDSON Global is an ISO Certified Educational Organization
We have chosen ISO 21001 certification because, unlike IRCA and Exemplar badges (which, in our opinion, are commercially compromised), it is based on independent third-party assessment. It is a ‘university grade’ standard globally used by schools, colleges, and universities to demonstrate competence.
We provide courses for ISO 9001, ISO 14001, ISO 17025, ISO 27001, ISO 45001, Risk Management, Data Protection, and more.