Are you GDPR ready? International certification can help
The European Union General Data Protection Regulation (GDPR) comes into force on 25 May 2018, superseding the Data Protection Directive 95/46/EC (1995). With less than two weeks to go, are you ready for it? Certification to ISO 27001 information security management systems can get you around 95% of the way there. The new law, comprising 99 articles, applies to all companies that collect the data of EU citizens, regardless of where the company is located in the world.
Complying with GDPR is not an opt-in/opt-out decision: all organisations that collect and process EU citizens' data must comply or risk huge fines. And we’re talking up to €20 million or 4 percent of global revenues, whichever is higher.
In the 23 years since the last directive came into force, a lot has changed in the way businesses perform data capture. With a growing number of cyber-security attacks and major data breaches, there is undeniably an unease among the general population with regard to their personal information: Who has it? How is it being used? And is it protected?
GDPR has been created to govern the capture and processing of personal data and to help build trust between company and client. GDPR is therefore a huge leap forward in strengthening individuals' rights over how their details are collected and processed, and it also significantly streamlines the regulatory environment for businesses. A single set of rules makes it simpler and cheaper for companies to do business in the EU.
How can ISO 27001 help achieve GDPR compliance?
A common theme running throughout GDPR is reference to international certification. The new regulation encourages an organisation to be certified to ISO 27001 information security management systems to demonstrate that it is actively managing its data security in line with international best practice.
Common requirements between GDPR and ISO 27001 fall into three key components: people, processes and technology. Here are the main areas where achieving ISO 27001 can assist in GDPR compliance:
• Risk assessments - Understanding the threats, vulnerabilities and risks to personal data
• Compliance - Listing all relevant legislative, statutory, regulatory and contractual requirements
• Encryption of data - Enforcing appropriate controls to protect data that is at risk, including encryption as a measure that can be taken to increase security
• Breach notification - When a breach of personal data occurs, notifying the regulatory body within 72 hours
• Asset management - Having the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
• Access control - Protecting data through access controls, such as restricting end-user access to the areas relevant to each user, while administrator access covers all areas
It is advisable to perform a GDPR gap analysis, which will highlight any requirements still outstanding.
Right to be Forgotten
In some industries, in particular the certification industry, the ‘Right to be forgotten’ clause can cause confusion.
The right to be forgotten entitles the data subject to have the data controller erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.
The conditions for erasure, as outlined in Article 17 of GDPR, include the data no longer being relevant to the original purposes for processing, or a data subject withdrawing consent. It should also be noted that this right requires controllers to weigh the data subject's rights against "the public interest in the availability of the data" when considering such requests.
In the case of a certification body (CB), the CB is required by law to hold the names of and information about the owner of an audited organisation, as well as the particular auditor who conducted the audit.
This is a requirement from the regulatory authority and is classed as a higher-level requirement, so the CB cannot delete this information. There are therefore areas that require specialist GDPR consultation.
Show commitment to data protection
As the deadline looms, organisations can show their commitment to data protection and willingness to comply with GDPR by implementing ISO 27001, and potentially avoid hefty fines.
Our aim is to help guide you through ISO 27001 certification, so you can be fully prepared to incorporate the remaining GDPR requirements.
By implementing ISO 27001, organisations may benefit from:
• Building trust with existing and potential customers, business partners and stakeholders
• Enhancing business reputation
• Winning new business
• Protecting the business from cyber-crime and hacking
• Improving management processes and integration with corporate risk strategies
• Complying with EU GDPR