    ISO 27001, ISO 27701 and GDPR: a natural combination

    In 2018, many organizations, not only those based in the EU, spent much time and money on compliance with the General Data Protection Regulation (GDPR). 

    But what actions should we take now to ensure ongoing compliance? It's not enough to have policies and procedures to demonstrate compliance with the requirements. If there is a data breach or similar event, regulators will challenge you to demonstrate how your organization has maintained compliance on a continuing basis. Here's how...

    How to Use ISO 27001 Audits to Manage GDPR Compliance

    ISO 27001, the international standard for information security management systems (ISMS), provides a natural home for your efforts to maintain GDPR compliance. GDPR and ISO 27001 are mutually compatible - you can, for example:

    • Build compliance checklists into your internal audits to generate objective evidence, usable in a court of law if necessary, of ongoing efforts to confirm and maintain compliance with regulations.
    • Include internal audits of personnel at their workstations, likely your greatest vulnerability, in the internal audit programme, again producing objective evidence of a sincere effort to comply with regulations.
    • Incorporate your data protection policies and procedures into your ISMS.
    • Update your information security risk assessments whenever incidents, breaches or process changes occur.
    • Conduct periodic reviews of operations against GDPR, covering operational changes, new or changed information assets (e.g., a new server) and new or changed processes (e.g., a new product or service).

    If you're unfamiliar with ISO 27001, get a copy and examine Annex A, which lists the information security controls (with implementation guidance in ISO 27002) used to mitigate common information security vulnerabilities. You'll be surprised by how often issues relating to GDPR are mentioned.

    What value does ISO 27701 add to your company's information security?

    The standard ISO/IEC 27701:2019, Security techniques—Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management—Requirements and guidelines, specifies requirements and gives guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension to ISO/IEC 27001 and ISO/IEC 27002. It applies to organizations acting as controllers and/or processors of personally identifiable information (PII).

    Note that ISO 27701 is an extension of ISO 27001 and, as such, it is not possible to be certified to ISO 27701 alone. Because it concerns the protection of personal data, it is invaluable both for ensuring compliance with GDPR requirements and for managing that compliance under the 'umbrella' of an ISO 27001 information security management system.

    What if the California Privacy Rights Act (CPRA) or other international personal data protection legislation applies?

    Countries and states outside the EU, such as California, have introduced, or are developing, their own personal data protection legislation. In these cases, ISO 27701 again facilitates establishing, implementing, maintaining and continually improving an ISMS by embedding personal data protection requirements, e.g., the CPRA (California's amendment to the CCPA), within a single ISO 27001 information security management system.

    Why a Multi-layered Approach to Information Security is Important

    You should consider implementing ISO 27001 anyway, given the increasing number of successful ransomware attacks. Taking an ISO 27001 auditor training course will help.

    An example from 2019 shows how catastrophic such an event can be. Norsk Hydro ASA (often called just Hydro) is a Norwegian aluminum and renewable energy company with 35,000 personnel globally and headquartered in Oslo.

    The company bravely refused to pay the ransom and lost access to all its data worldwide—personal, financial, customer, supplier, and all business data. 

    To continue supplying their customers, they had to revert to paper with the help of retired staff. After 6 months, they reported that the recovery was going well (note, not completed) and had cost more than US$50,000,000.

    Our recommendation is to implement and maintain an ISMS, incorporate the ISO 27701 guidance (to ensure compliance with the applicable data protection requirements), get certified and, after all that, sleep a little easier at night.



    Written by Dr John FitzGerald

    Director & Founder of deGRANDSON Global. Spent 15 years in the manufacturing industry and 25 years training, consulting & auditing management systems

    Last Modified: April 21, 2026
