ISO 27001 Offers Data Processors a Roadmap to GDPR ‘Sufficient Guarantees’
Reading Time: 2 minutes
If your company processes personal data of EU citizens, you are likely sweating the May 25 deadline for compliance with the General Data Protection Regulation (GDPR).
Will you be prepared to offer “sufficient guarantees” to your customers that collect that personal data? If not, you could face stiff penalties for noncompliance (up to 4 percent of annual global revenue or €20 million).
The true death blow, though, would be the loss of critical business relationships on which your business depends.
What will it take to provide the comfort your customers will soon be asking for? It may be more achievable than you thought. A roadmap already exists that can guide your organization in the development of an information security program to achieve the objectives of GDPR.
Look to ISO/IEC 27001 Certification to Facilitate GDPR Compliance
The internationally accepted standard for information security, ISO/IEC 27001, is a natural fit for meeting the technical and organizational requirements called for by GDPR. In addition, the requirements for the ISO 27001 Information Security Management certification align closely to the requirements for certification as put forward by GDPR.
Even though the Article 29 Working Party has yet to fully define the GDPR certification scheme, the characteristics of a risk management program that would provide sufficient guarantees of privacy and security of data are well-defined within GDPR.
Article 32 describes how a risk management program should be designed, referencing well-known and accepted information risk management principles:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk… the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…”
The article goes on to list some specific examples of measures that should be considered “as appropriate,” such as pseudonymisation and encryption of personal data. Note that the word “appropriate” appears three times in this single sentence about security of processing. How do you know what is appropriate?
ISO 27005—a subset of ISO 27001—answers this question by defining a formal process for assessing information security risk. Where appropriate, this risk assessment can be expanded to encompass a Data Protection Impact Assessment, as called for in GPDR Article 35.
Because the criteria defined by GDPR and ISO 27001 align so closely, any organization that achieves an ISO 27001 Information Security Management System certification will be in a strong position to easily achieve GDPR certification (when it is defined). Even more critical for data processers, the certification will position you to provide sufficient guarantees to the organizations for whom you process data.
You do not have the luxury of waiting for the dust to settle. If you have not already, get familiar with the requirements of GDPR and ISO 27001. Then assess your organization’s readiness to meet these criteria and provide those all-important “sufficient guarantees.” Contact Dan Schroeder for guidance in evaluating your readiness.