You might have heard that GDPR is coming?
Of course you have, and it would be very difficult not to have heard about GDPR as it almost resembles the good old Y2K days (if you are old enough to remember those days).
With GDPR it seems to be a lot of common sense and as the ICO says “Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act (DPA), so if you are complying properly with the current law, then most of your approach to compliance will remain valid under the GDPR”.
Then again, if you are not complying with the current DPA, maybe now is the time to be getting slightly nervous as well. One of the reasons GDPR has everyone’s attention is the potential fines: if you are found to be non-compliant with GDPR you might “be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher”.
So perhaps now is a good time to start the work to make sure you will be compliant come May 2018 (25 May 2018 to be precise). The good news is that if you have ISO 27001 in place, you have already done a lot of the work.
Does GDPR even apply?
The first step is to determine whether GDPR applies.
The GDPR applies to ‘controllers’ and ‘processors’. The definitions are broadly the same as under the DPA – i.e. the controller says how and why personal data is processed and the processor acts on the controller’s behalf. If you are currently subject to the DPA, it is likely that you will also be subject to the GDPR.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have significantly more legal liability if you are responsible for a breach. These obligations for processors are a new requirement under the GDPR.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
Like the DPA, the GDPR applies to ‘personal data’. However, the GDPR’s definition is more detailed and makes it clear that information such as an online identifier – e.g. an IP address – can be personal data. The more expansive definition provides for a wide range of personal identifiers to constitute personal data, reflecting changes in technology and the way organisations collect information about people.
For most organisations keeping HR records, customer lists, contact details etc., the change to the definition should make little practical difference. You can assume that if you hold information that falls within the scope of the DPA, it will also fall within the scope of the GDPR.
How can ISO 27001 help with GDPR compliance?
So, if we assume that GDPR does apply to you, how is it that ISO 27001 can help?
- ISO 27001 is based on risk, and so is GDPR; with ISO 27001 you therefore already have a good process for identifying and managing risks related to personal information
- Personal data would be identified as an information security asset and classified accordingly
- Encryption policies and technologies have been implemented
- Backup and retention policies have been implemented
- Procedures for information security incident management are in place to help detect, report and investigate a personal data breach
- You are doing regular compliance audits and management reviews
So to sum it up:
- Identify the personal information you hold
- Determine the risk associated with the personal information
- Implement mitigating controls
- Audit, review, test the effectiveness
…and the list goes on, with numerous controls in ISO 27001 to help prevent a breach and to help you with the accountability principle, which requires you to demonstrate that you comply with the principles and states explicitly that this is your responsibility.
For more information and help with GDPR I would highly recommend the resources available on the ICO website, and of course it might be worth considering implementing ISO 27001 if you have not done so already.
At JSC Consultant our approach is that:
- All our Senior Consultants have an extensive background in business
- They also have many years of ISO 27001 training, assessment and implementation experience
- No project is the same, and hence time is spent understanding the specific situation of the client
- Projects typically include a thorough gap analysis and risk assessment as input for the system design
So, if you are considering ISO 27001, call us now (+44 (0)20 8798 9282) to discuss how we can help you design and implement a great ISO 27001 compliant Information Security Management System and avoid all the pitfalls.
For further information that might be of interest, please also see:
- What is ISO 27001, Information Security and why should you use it?
- Designing ISO 27001 for Business
- ISO 27001 Implementation Checklist
- What is ISO 27001 and why should a company adopt it?