ISO 27001 as a Tool for GDPR Compliance

The General Data Protection Regulation (GDPR), and related UK legislation, place responsibility on organisations to be ‘accountable’. Although many of the requirements were already in place under previous legislation, organisations now need to evidence their compliance and could face higher fines for failing to do so.

There are several ways to approach GDPR compliance, including Data Flow Mapping, Data Protection Audits and Workshops. However, if your organisation handles a lot of data, both personal and otherwise, you might find that ISO 27001, the standard for Information Security, provides a valuable tool to help. If you already have ISO 27001, integrating GDPR into it could be more efficient than starting separately.

ISO 27001 certification is not automatically GDPR compliance, but it can help you get there.


What is ISO 27001?

ISO 27001 is the international standard for an Information Security Management System (ISMS). It provides a risk-based approach to ensuring the Confidentiality, Integrity and Availability of information assets in an organisation.

‘Information assets’ can include a wide range of physical equipment, software, people, processing facilities and data, which of course includes Personally Identifiable Information (PII).

However, management systems are often focused on information that has commercial value, rather than on personal information and the compliance obligations around it.


5 Areas you can use ISO 27001 for GDPR

ISO standards can be used as the basis for managing governance, risk and compliance across many disciplines, and in this case, if structured correctly, ISO 27001 can be used for GDPR.

Here are just 5 areas to consider:


Documented Operating Procedures and Lawful Processing

Organisations must have a lawful purpose for processing personal information. This can mean processing with the consent of the data subject or under a valid contract.

ISO 27001 has a control requirement for documented operating procedures for information processing facilities, which can be used to define your processing activities and help ensure GDPR compliance.


Risk Assessment and Data Protection Impact Assessments

A core principle of ISO 27001 is risk management: identifying risks and then applying controls to reduce them to an acceptable level.

In a similar way, GDPR requires organisations to conduct a Data Protection Impact Assessment (DPIA) where processing (particularly using new technologies) is likely to result in a high risk to the rights and freedoms of natural persons. This can be integrated as part of your existing risk management programme.


Asset Management & Traceability

Annex A has an entire section of controls focused on [information] asset management, including classification and handling, which of course should cover the personal information you are controlling and/or processing.


Protection of Records and Retention Policies

‘Storage Limitation’ is a Data Protection principle of GDPR which requires that personal information be stored no longer than it is needed.

Deciding on a retention policy can be difficult, and protecting personal information while it is stored by the organisation also needs to be considered.

While there are many ISO 27001 controls which contribute to protecting personal information, the protection of records control, which is often focused on financial and HR records, can be expanded to account for PII.


Compliance With Legal & Other Requirements

The standard also requires organisations to identify applicable legislation and document their approach to compliance.

Incorporating GDPR and other data protection legislation into your legal compliance process is an obvious link, but the control also references contractual requirements, which should be in place whenever a data controller transfers information to another party for processing.


Using ISO 27001 for GDPR

ISO 27001 is a well-recognised standard that, if implemented and adapted correctly, can make GDPR compliance much easier.

Our consultants have knowledge and experience of both ISO 27001 and Data Protection legislation, including GDPR.

We can help you adapt an existing ISO 27001 Management System or implement one from scratch, leading to UKAS Accredited ISO 27001 Certification.


Lauren Tobin