GDPR compliance through ISO standards
GDPR: The EU General Data Protection Regulation (GDPR), approved on April 14, 2016, by the European Parliament and the Council of Europe, applies directly in each of the EU countries. The GDPR is an important regulation because it makes the rules on citizens’ privacy rights consistent across member states. The salient features of the GDPR are:
- Both those who determine the purpose and means of processing personal data (Data Controllers) and those who process it on their behalf (Data Processors) must, to be compliant with the EU GDPR, implement technical and organizational measures that achieve a level of data security appropriate to the nature and purpose of the data usage, in terms of the confidentiality, integrity, availability, and resilience of the systems that support the processing, and must regularly validate the effectiveness of these measures.
- Beyond EU companies, the EU GDPR covers companies outside the EU that offer goods or services to EU Data Subjects (“an identified or identifiable person to whom the ‘personal data’ relates”), even free of charge, or that monitor the behavior of Data Subjects within the EU.
- Under the new regulation, organizations have to minimize data collection and retention and obtain consent from consumers when processing data; in other words, minimize the collection of consumer data, minimize with whom data is shared, and minimize how long it is kept. The goal is that organizations collect or store only the information they need for the intended purpose, particularly where personal data is concerned.
- The EU GDPR strengthens the previous directive by giving data subjects the right to be forgotten: they may request that organizations delete their personal data, including data published on the web. The EU GDPR states that “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”
- In case of a personal data breach, the company has to notify the Data Protection Authority (DPA), the body responsible for this purpose (“National supervisory authority, acting with complete independence, responsible for monitoring the application of data protection rules at the national level“), within 72 hours of detecting the violation. Whether affected individuals must also be notified depends on the possibility of unauthorized access to their information. Notification to the DPA is not required if the breach is unlikely to result in a risk to the rights and freedoms of individuals.
- If the organization is dealing with special categories of personal data on a large scale, it needs to appoint a Data Protection Officer (DPO) as part of its board.
- If these measures are not met, the penalties are high: up to €20 million or, in the case of companies, up to 4% of annual turnover, whichever is higher.
The EU GDPR requires organizations to take measures to ensure the privacy of any personal data that they process. However, the regulation itself provides little guidance on what those measures should look like. The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) developed the ISO 27001 and ISO 27701 standards to provide that guidance.
ISO 27001: ISO 27001 is an information security management standard that provides detailed guidance on taking appropriate security measures, in the form of an information security management system (ISMS), to protect an organization’s business from a data breach. An ISMS is a system of processes, documents, technology and people that helps an organization manage, monitor, audit and improve its information security practices. ISO 27001 sets out the requirements for an ISMS as a risk-based approach that encompasses people, processes and technology. Independently accredited certification to ISO 27001 gives stakeholders assurance that data is being appropriately secured. It helps an organization manage all of its security processes in one place, consistently and cost-effectively. An organization can then implement adequate and effective security measures, based on the outcomes of a formal risk assessment, to comply with the GDPR requirements, rather than implementing controls indiscriminately in the hope of reducing data breach risks.
As ISO 27001 is a framework for information protection, implementing it promotes a culture of security and awareness of security incidents within an organization. Adopting the ISO 27001 information security standard is the basis for moving towards compliance with the GDPR. Employees of ISO 27001-compliant organizations are more aware and better equipped to detect and report security incidents. Information security is not only about technology; it is also about people and processes. The ISO 27001 standard is an excellent framework for compliance with the EU GDPR: an organization that has already implemented it can be assured that it has undertaken fifty percent of the compliance requirements of the GDPR guidelines.
GDPR Compliance and the ISO 27001 Guarantee:
- Assurance: The GDPR recommends the use of certification schemes such as ISO 27001 as a way of providing the necessary assurance that the organization is effectively managing its information security risks.
- Controls and Security Framework: The GDPR stipulates that organizations should select appropriate technical and organizational controls to mitigate the identified risks. The majority of the GDPR’s data protection arrangements and controls are also recommended by ISO 27001.
- People, processes and technology: ISO 27001 encompasses the three essential aspects of information security: people, processes and technology. This means protecting one’s business not only from technology-based risks but also from other, more common threats, such as poorly informed staff or ineffective procedures.
- Certification: The GDPR requires organizations to take the necessary steps to ensure the security controls work as designed. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether an organization has implemented adequate measures to protect the personal data.
- Risk Assessment: ISO 27001 compliance means conducting regular risk assessments to identify threats and vulnerabilities that can affect information assets, and taking steps to protect that data. The GDPR specifically requires a risk assessment to ensure an organization has identified the risks that can impact personal data.
- Testing and Audits: Being GDPR-compliant means an organization needs to carry out regular testing and audits to prove that its security regime is working effectively. An ISO 27001-compliant ISMS needs to be regularly assessed according to the internal audit guidelines provided by the Standard.
- Continuous Improvement: ISO 27001 requires that an organization’s ISMS is constantly monitored, updated and reviewed, so that it evolves as the business evolves through a process of continual improvement. The ISMS therefore adapts to changes, both internal and external, by continually identifying and reducing risks.
Personal Data: GDPR and ISO 27001: Under the GDPR, personal data is critical information that all organizations need to protect. ISO 27001 ensures the protection of personal data and minimizes the risk of a leak through its technical controls, structured documentation, monitoring, and continuous improvement. Importantly, some of the prominent GDPR requirements on personal data concern supporting the rights of data subjects: the right to be informed, the right to have their data deleted, and the right to data portability. These EU GDPR requirements are not directly covered in ISO 27001, but if the ISO 27001 implementation identifies personal data as an information security asset, most of the EU GDPR requirements will be covered and met.
ISO 27001 is the international standard for an ISMS (information security management system), and it provides an excellent starting point for meeting the technical and operational requirements needed to reduce the risk of a breach and thus secure personal data. To make GDPR compliance more stringent, it is highly recommended to make one’s organization ISO 27701 compliant as well.
Testing the mapping of ISO 27001 with EU GDPR Compliance:
- The GDPR requires organizations to carry out Data Protection Impact Assessments. ISO 27001 also requires this, and so implementing ISO 27001 enables and satisfies the GDPR obligation to classify personal data as highly critical.
- Implementing ISO 27001 standards makes it mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. This is one of the vital requirements to be GDPR compliant.
- Data protection authorities must be notified within 72 hours of discovering a breach of personal data. Implementing ISO 27001 ensures a consistent and effective approach to such incidents, including communication of security events. Adopting incident management facilitates the detection and reporting of data breach incidents and improves compliance with the GDPR.
- ISO 27001 mandates treating personal data as an information security asset, and requires an organization to understand what personal data is collected, where it is stored, for how long, its origin, and who has access, all of which are requirements of the GDPR too.
- The implementation of Privacy by Design, a GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 ensures that information security is an integral part of information systems across the entire lifecycle.
Organizations that have implemented ISO 27001 can use ISO 27701 to extend their ISMS to cover privacy management, including their processing of personal data/PII (personally identifiable information). Implementing both ISO 27001 and ISO 27701 helps organizations meet, and demonstrate compliance with, the privacy and information security requirements of the GDPR, and helps them show that reasonable measures have been taken to comply with data protection laws as mentioned in the GDPR. Organizations without an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.
ISO 27018, the cloud security member of the ISO family: ISO/IEC 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) should also be consulted if the organization stores or processes personal data in the cloud. ISO/IEC 27018 requires a policy that allows for the return, transfer, and secure disposal of personal information within a reasonable period of time. For example, if Microsoft works with other companies that need access to a customer’s data, Microsoft proactively discloses the identities of those sub-processors. ISO 27018 is becoming increasingly important as many organizations use cloud-based services, cutting hardware costs and reducing the privacy risks of a breach of local computers.
Conclusion:
No organization currently operating within the EU and handling customer data in any format can do without EU GDPR compliance, and in all likelihood the first step is to conduct an EU GDPR gap analysis. The ISO standards are key to most possible solutions, largely by showcasing an organization’s capability and its respect for privacy as a key mandate. The ISO standards help determine what must be done to meet the EU GDPR certification requirements and are thus a key representation to the European Data Protection Board (EDPB). These requirements can easily be added to the Information Security Management System (ISMS) already established under ISO 27001, and to make it foolproof ISO 27701 becomes the essential companion standard.
Organizations working in any capacity with any form of customer data must implement the ISO standards. ISO 27001 provides the means to ensure GDPR protection, and the ISO 27701 standard enforces the mandate of personal data privacy. In addition, ISO 27018 is the need of the hour as more and more employees work remotely and sharing data through the cloud becomes everyday practice. Thus, implementing the ISO standards will make an organization confident in applying for EU GDPR certification.
ISO standards 27001 and 27701 are an objective way of demonstrating an organization’s efforts and capability at meeting all regulatory privacy requirements. It is highly recommended that both ISO 27001 and 27701 are implemented, as they are recognized global benchmark standards and demonstrate respect for privacy. All EU companies operating internationally will have to become GDPR compliant, and those that do not will lose credibility. The simplest way to do so is to showcase the implementation of the ISO 27001 and 27701 standards. The ISO standards and EU GDPR certification are intertwined and thus essential for establishing trust, credibility and reliance; they showcase an organization’s efforts at managing and handling critical customer data in full confidentiality, with approval, and its ability to take care of issues.