IT World Canada

Developing a plan for EU GDPR compliance using ISO/IEC 27001

The European General Data Protection Regulation (EU GDPR) is a new regulation around privacy of personal information that will be enforced in all EU member states as well as any organization operating within the EU market from May 25, 2018. It aims to harmonize data protection law across the Single European Market and put individuals back in control of their personal data. It will help improve international business and reassure individuals that their information is protected. This article examines the specifics of these new requirements and ways ISO/IEC 27001 lays a foundation for achieving them. A free implementation kit is available as well.

GDPR Requirements

At a high level, the new principles and rights mandated by the GDPR can in effect be summarized as three high level “underlying principles”: Transparency, Clarity, and Accountability.

Reform of the data protection regulations has five fundamental aims: to reinforce individuals’ rights (privacy by design and by default); to strengthen the EU internal market through new, clear and robust rules for the free movement of data; to ensure consistent enforcement of the rules; to set global data protection standards; and to ensure a high level of data protection across all industries. BSI’s GDPR Implementation Kit explains how to address each of these concerns through phases of Understanding, Implementation and Improvement.

EU GDPR and ISO/IEC 27001

Data classification
Personal data must be processed in a manner that ensures appropriate security. ISO/IEC 27001 control A.8.2 (Information classification) requires organizations to ensure that information receives an appropriate level of protection in accordance with its importance to the organization.

Breach notification reporting
Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. ISO/IEC 27001 control A.16 (Information security incident management) requires an incident management process to be put into place with information security events reported through appropriate management channels as quickly as possible.

Cooperation with authorities
Under EU GDPR, organizations must cooperate with the authorities (e.g. privacy or data protection regulators). ISO/IEC 27001 clause 6.1.3 requires that “Appropriate contacts with relevant authorities shall be maintained”.

Asset Management
EU GDPR requires you to understand what personal data you collect, how it was obtained, where it’s stored, how long it’s kept for and who has access. ISO/IEC 27001 control A.8 (Asset management) is about “information assets,” which include personal data. The objective is to identify organizational assets and define appropriate protection responsibilities. You must complete an inventory of assets, understand who owns the assets, what the acceptable use of those assets is, and how you are going to retire the assets.

Privacy by design
The adoption of privacy by design is another EU GDPR requirement. ISO/IEC 27001 control A.14 (System acquisitions, development and maintenance) ensures that information security is designed and implemented as an integral part of the entire development and lifecycle of information systems.

Supplier relationships
EU GDPR applies to suppliers who process personal data on behalf of others; it requires controls and restrictions to be included in formal agreements. This applies to ISPs, CSPs and outsourced data centers. ISO/IEC 27001 control A.15.1 (Information security in supplier relationships) requires the protection of the organization’s assets that are accessible by suppliers, and A.15.2 (Supplier service delivery management) states that organizations need to monitor the service delivery of suppliers against information security requirements.

Documentation
Under EU GDPR, controllers must maintain documentation concerning privacy, e.g. the purposes for which personal information is gathered and processed, and the ‘categories’ of data subjects and personal data. ISO/IEC 27001 control 7.5 (Documented information) requires documentation to be kept based on the complexity of processes and their interactions.

While ISO/IEC 27001 supports you with many of the EU GDPR requirements, you should also consider:

GDPR compliance is relevant to all those involved in the processing, storage and management of personal information. This includes: Data Protection Officers; Human Resource Managers; Sales and Marketing Managers; Information Security Professionals; Compliance and Audit Managers; and Healthcare Professionals. It also requires the appointment of a Data Protection Officer. See BSI’s GDPR Implementation Kit for details on who needs to be involved.

EU GDPR: A Challenge or an Opportunity?

Data protection reforms are not entirely bad news for organizations. The new compliance requirements may be a driver for business process re-engineering. An organization may take the opportunity to save money and reduce compliance cost by minimizing the amount of information being collected or used where this is possible.

If you want to be ready for the Data Protection Regulation reform, you should start developing and implementing a data protection program. ISO/IEC 27001 is a logical beginning step in this program that may simplify EU GDPR compliance.