Developing a plan for EU GDPR compliance using ISO/IEC 27001

Sponsored By: BSI Group Canada

The European General Data Protection Regulation (EU GDPR) is a new regulation around privacy of personal information that will be enforced in all EU member states as well as any organization operating within the EU market from May 25, 2018. It aims to harmonize data protection law across the Single European Market and put individuals back in control of their personal data. It will help improve international business and reassure individuals that their information is protected. This article examines the specifics of these new requirements and ways ISO/IEC 27001 lays a foundation for achieving them. A free implementation kit is available as well.

“At a high level, the new principles and rights mandated by the GDPR can in effect be summarized as three high level ‘underlying principles’: Transparency, Clarity, and Accountability.”

GDPR Requirements

At a high level, the new principles and rights mandated by the GDPR can in effect be summarized as three high level “underlying principles”: Transparency, Clarity, and

  • Transparency: Being fully transparent about the data processing activities undertaken. Nothing should happen to data that the data subjects are not fully aware of.
  • Clarity: Being clear about what those data processing activities are. It is no longer acceptable to obscure the details of your processing using “legalese” or complex terminology. Information on data processing must be presented in clearly written, understandable plain language.
  • Accountability: It should be clear both within the organizational structures and to the data subjects themselves who is responsible for oversight and management of their data and enforcement of data subject rights.

Reform of the data protection regulations has five fundamental aims: To reinforce individuals’ rights – privacy by design and by default; to strengthen the EU internal market through new, clear and robust rules for the free movement of data; to ensure consistent enforcement of the rules; to set global data protection standards; and to ensure a high level of data protection across all industries. BSI’s GDPR implementation Kit explains how to address each of these concerns through phases of Understanding, Implementation and Improvement.

EU GDPR and ISO/IEC 27001

Data classification
Personal data must be processed in a manner that ensures appropriate security. ISO/IEC 27001 control A.8.2 (Information classification) requires organizations to ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

Reporting breach notification
Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. ISO/IEC 27001 control A.16 (Information security incident management) requires an incident management process to be put into place with information security events reported through appropriate management channels as quickly as possible.

Cooperation with authorities
Under EU GDPR, organizations must cooperate with the authorities (e.g. privacy or data protection regulators). ISO/IEC 27001 clause 6.1.3 requires that “Appropriate contacts with relevant authorities shall be maintained”.

“EU GDPR requires you to understand what personal data you collect, how it was obtained, where it’s stored, how long it’s kept for and who has access.”

Asset Management
EU GDPR requires you to understand what personal data you collect, how it was obtained, where it’s stored, how long it’s kept for and who has access. ISO/IEC 27001 control A.8 (Asset management) is about “information assets,” which includes personal data. The objective is to identify organizational assets and define appropriate protection responsibilities. You must complete an inventory of assets, understand who owns the assets, what is the acceptable use of those assets and how you are going to retire the assets.

Privacy by design
The adoption of privacy by design is another EU GDPR requirement. ISO/IEC 27001 control A.14 (System acquisitions, development and maintenance) ensures that information security is designed and implemented as an integral part of the entire development and lifecycle of information systems.

Supplier relationships
EU GDPR applies to suppliers who process personal data on behalf of others; it requires controls and restrictions to be included in formal agreements. This applies to ISPs, CSPs and outsourced data centers. ISO/IEC 27001 control A.15.1 (Information security in supplier relationships) requires the protection of the organization’s assets that are accessible by suppliers, and A.15.2 (Supplier service delivery management) states that organizations need to monitor the service delivery of suppliers against information security requirements.

Under EU GDPR, controllers must maintain documentation concerning privacy e.g. the purposes for which personal information is gathered and processed, ‘categories’ of data subjects and personal data. ISO/IEC 27001 control 7.5 (Documented information) requires documentation to be kept based on the complexity of processes and their interactions.

While ISO/IEC 27001 supports you with many of the EU GDPR requirements, you should also consider:

  • Training and awareness – Make sure your business leaders and key stakeholders are aware of this change in law. You need to help them understand the potential impact and may be required to provide more in-depth training.
  • Designate a Data Protection Officer (DPO) – Certain activities, such as large scale monitoring of individuals or processing of special category data, require an organization to appoint a DPO. Even if you don’t need to, it’s good practice to appoint a DPO with knowledge of information security and an understanding of data protection law.
  • Internal audit – Use your internal audit to assess what personal data you hold, where it came from and with whom you share it.
  • Review procedures – Ensure your procedures cover all the rights individuals have. This includes how you ensure personal information is accurate, used for the purpose for which it was collected and not retained for longer than is necessary, as well as how you’d provide or delete personal data, if requested to do so.
  • Review your incident management process – Make sure that you can respond in the tight timescales required by the new regulation should a personal information incident occur.
  • Review your system – Depending on the scope of your ISMS and the controls you’ve implemented, there may be additional guidance that can help such as BS 10012 (which has been updated to align with the EU GDPR requirements) and ISO/IEC 27018.

GDPR compliance is relevant to all those involved in the processing, storage and management of personal information. This includes: Data Protection Officers; Human Resource Managers; Sales and Marketing Managers; Information Security Professionals; Compliance and Audit Managers; and Healthcare Professionals. It also requires appointment of a Data Protection Officer. See BSI’s GPDR Implementation Kit for details on who needs to be involved.

EU GDPR: A Challenge or an Opportunity?

Data protection reforms are not entirely bad news for organizations. The new compliance requirements may be a driver for business process re-engineering. An organization may take the opportunity to save money and reduce compliance cost by minimizing the amount of information being collected or used where this is possible.

If you want to be ready for the Data Protection Regulation reform, you should start developing and implementing a data protection program. ISO/IEC 27001 is a logical beginning step in this program that may simplify EU GDPR compliance.


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Sponsored By: BSI Group Canada