One of the challenges of GDPR (the General Data Protection Regulation, which applies from May 2018) is that organisations are left to interpret how GDPR affects their business and how best to comply. Many of the articles in GDPR are deliberately technology-neutral and vague about the measures expected, and there is currently no approved standard or framework that can simply be implemented; much depends on how your CISO reads the legislation.
Non-compliance can result in hefty fines: up to €20 million or 4 percent of worldwide annual turnover, whichever is higher, which is far beyond the £500,000 maximum the ICO can currently levy under UK data protection law. Fortunately there is support available in the form of existing certifications and standards. GDPR itself refers to approved codes of conduct and certification mechanisms as a way of demonstrating that an organisation is actively managing its data security. International standards such as ISO/IEC 27001:2013 can help your organisation meet many of the requirements of GDPR, and certification against them is useful evidence of that work, with one caveat: ISO 27001 is not an approved GDPR certification in its own right, so it supports a compliance case rather than settling it.
Why ISO 27001?
Many organisations are already ISO 27001 compliant or certified. It is the international standard for information security management and provides the foundations for a robust security regime. Covering people, processes and technology, ISO 27001 is built around an Information Security Management System (ISMS): a documented, risk-driven set of policies, controls and review cycles that addresses all areas of the business, from operations and strategy to company culture.
Making use of ISO 27001 can assist an organisation to be GDPR compliant in the following key areas:
Compliance – ISO 27001 requires an organisation to identify all legislative, statutory, regulatory and contractual requirements it is subject to (Annex A control A.18.1.1, Identification of applicable legislation and contractual requirements) and to keep that list current. Adding GDPR to that register is what pulls it into the information security policies and processes the organisation implements and maintains for ISO 27001 certification.
Risk assessment – GDPR requires organisations to carry out a Data Protection Impact Assessment (DPIA) where processing is likely to result in a high risk to individuals. This involves understanding the threats, vulnerabilities and risks to the personal data the business processes and stores. Risk assessment is also a core requirement of ISO 27001 (clause 6.1.2), which provides a repeatable process for identifying, analysing and treating information security risks. The two are not identical, however: an ISMS risk assessment measures risk to the organisation, whereas a DPIA must measure risk to the rights and freedoms of the data subjects, so the ISMS process needs to be extended with that viewpoint rather than reused unchanged.
Encryption of data – GDPR names pseudonymisation and encryption of personal data as examples of appropriate security measures. ISO 27001 outlines controls to protect data that is at risk (as identified by the risk assessment), including a policy on the use of cryptographic controls and key management (Annex A.10), so an organisation that has applied those controls to personal data can point to them directly.
Breach notification – under GDPR a personal data breach must be reported to the supervisory authority (the ICO in the UK) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Organisations will also have to notify the individuals affected where the breach is likely to pose a “high risk to the rights and freedoms of natural persons.” Detecting, managing and reporting security incidents in a timely way is covered by Annex A.16.1 (Management of information security incidents and improvements) of ISO 27001, so certified organisations will already have the incident process that GDPR relies on. A.16.1 does not itself impose the 72-hour deadline or the duty to notify data subjects, though, so the incident response procedure needs to be updated with those GDPR-specific triggers and timelines.
Asset management – GDPR requires that organisations have “the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. ISO 27001 covers asset management (Annex A.8), which treats personal data as an information asset to be inventoried, owned, classified and handled accordingly, including where it is stored and how long it is retained. GDPR also requires “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” That requirement is addressed by the ISO 27001 controls on information backup (A.12.3) and business continuity (A.17) rather than by asset management alone.
Access control – GDPR requires that access to personal data is controlled. ISO 27001 (Annex A.9) sets out requirements for access control: how users authenticate, how authorisations are granted and reviewed, and how user accounts are managed through their lifecycle from joining to leaving. Protecting data through access control needs to be done at two levels: end user access, making sure that users of systems can reach only the data relevant to their role; and privileged access, where administrators may be able to read the entire application or database and so need separate accounts, tighter approval and logging of what they do.
ISO 27001 does not address all GDPR requirements (data subject rights, lawful bases for processing and records of processing, for example, lie outside its scope), but it is an excellent framework for demonstrating that an organisation has a managed security system and a plan to improve it, and thereby complies with a significant part of GDPR. Organisations that are already ISO 27001 compliant or certified should conduct a GDPR gap analysis and close the gaps by building on their ISMS. Those that have yet to address GDPR fully, and are not ISO 27001 compliant or certified, will find that the standard and the implementation of a comprehensive ISMS are a good foundation for meeting GDPR compliance requirements.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.