A short step to GDPR compliance

It is the month when all the waiting ends and organisations across the world that collect data relating to EU citizens must comply with the new General Data Protection Regulation (GDPR).

Like most businesses in the UK, DictateNow has been working hard in recent months to ensure we comply, but of course we had a head start on most as we have been ISO 27001:2013 certified for almost four years.

Which is good news for all our clients and demonstrates the importance we placed on managing data security, long before GDPR was finalised.

As the leading international standard for information security, achieving and maintaining ISO 27001:2013 certification is only a short step away from GDPR compliance.

Whilst there is significant common ground between the two, GDPR is more concerned with reducing risks for individuals, through new rights that make organisations processing personal data accountable if that data is lost, stolen or misused.

ISO 27001 requires organisations to create, maintain and continually improve information security management systems, with regular audits undertaken by independent certificating bodies to ensure compliance. Certification includes guidance on how organisations should handle and protect personal data in a secure, transparent and trustworthy manner.

There is currently no such independent audit procedure for GDPR compliance, which begs the question, how do you know if an organisation is compliant with the new regulations? None are going to admit they are not and non-compliance may only come to light when something goes wrong.

The overlap in data security requirements between GDPR and ISO 27001:2013 has made our journey from ISO certification to GDPR compliance a relatively easy one.

And we believe having a certificate to demonstrate we maintain ISO 27001, offers confidence to data controllers who need to share personal data with us. Which can be quite often, given the nature of our transcription service for law firms in particular.

Privacy by Design

The GDPR requires organisations to adopt a ‘Privacy by Design’ approach to projects, which promotes privacy and data protection compliance from the start, rather than as a bolt-on or after thought much later in the piece.

This approach is very similar to the requirement of ISO 27001 which ensures that the security of data, personal or otherwise, is an integral part of information systems across the entire data lifecycle throughout the business.

Supply chain risks

GDPR requires businesses that delegate the processing or storage of personal data to sign a contractual agreement with those supply chain partners to ensure that they too are GDPR compliant.

Again of course, how they prove it, will be tricky, but ISO 27001 certification is a great starting point. It mandates protection for an organisation’s data assets that are accessible to its suppliers. It easy to see how the overlap of data security management works to our benefit.

The intention of this blog is to highlight the common ground that exists between ISO 27001 and the new GDPR regulations. Our work towards compliance focussed on the privacy rights not directly addressed by ISO 27001, like an individual’s right to be forgotten and have their data deleted.

Thanks to how closely aligned the two are, our ISO 27001 certificate should not only demonstrate how seriously we take data security, but offer peace of mind that DictateNow is not only GDPR compliant on May 25, but will remain so until any new regulations come into force.

Here are eight specific areas where ISO 27001 directly supports GDPR compliance:

• Management of personal data. In terms of requirements, this is the GDPR’s core focus. ISO 27001 supports this by providing guidance on controls to identify personal data and manage how, where and for how long it is stored, who can access it, etc.
• Availability, integrity and confidentiality of data processing systems. This is a major focus of both ISO 27001 and GDPR.
• A documented process for regularly evaluating the effectiveness of security controls. This is also a key ISO 27001 focus. Any company seeking ISO 27001 certification will have its controls, as well as its process documentation, assessed by an independent third-party. Internal review of controls is also part of maintaining ISO 27001 certification.
• Risk assessment. GDPR mandates that businesses conduct risk assessments to ensure they’ve identified major risks to EU citizens’ personal data. Similarly, ISO 27001 requires initial and ongoing risk assessment.
• Data encryption. Identifying what data should be encrypted based on risk exposure is inherently part of risk assessment.
• The ability to restore access to personal data in a timely manner in the event of a “physical or technical incident.” ISO 27001 includes a set of controls to ensure the availability of critical data and associated business processes in the event of an incident.
• Breach Notification. GDPR mandates that firms must notify authorities within 72 hours of when a breach involving personal data is discovered. This includes notification of impacted “data subjects” if the risk to them is sufficient. ISO 27001 likewise mandates “a consistent and effective approach” to handling information security incidents.

With so much alignment between them, ISO 27001 might well be the best on-ramp and roadmap for organizations that need to comply with GDPR. If you already have an ISO 27001 compliant ISMS, adding and addressing any remaining GDPR requirements would be comparatively easy.

Like any regulation, GDPR presents both challenges and opportunities for organizations to improve their effectiveness and agility around protecting and processing critical data. The first thing most businesses should do to prepare for GDPR is conduct a gap analysis to identify what needs to be done to comply, and then prioritize those requirements.

And more…

ISO 27001 provides the means to ensure this protection. There are many points where the ISO 27001 standard can help companies achieve compliance with this regulation. Here are just a few of the most relevant ones:

Risk Assessment – Because of the high fines defined in EU GDPR and the major financial impact on organizations, it is only natural that the risk found during risk assessment regarding personal data is too high not to be dealt with. On the other side, one of the new requirements of the EU GDPR is the implementation of Data Protection Impact Assessments, where companies will have to first analyze the risks to their privacy, the same as is required by ISO 27001. Of course, while implementing ISO 27001, personal data must be classified as high criticality, but according to the control A.8.2.1 (Classification of information): “Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification.”

(Read the article ISO 27001 risk assessment & treatment – 6 basic steps to learn more.)

Compliance – By implementing ISO 27001, because of control A.18.1.1 (Identification of applicable legislation and contractual requirements), it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with EU GDPR (see section above), this regulation will have to be part of this list. In any case, even if the organization is not covered by the EU GDPR, control A.18.1.4 (Privacy and protection of personally identifiable information) of ISO 27001 guides organizations through the implementation of a data policy and protection of personally identifiable Information.

Breach notification – Companies will have to notify data authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 control A.16.1 (Management of information security incidents and improvements) will ensure “a consistent and effective approach to the management of information security incidents, including communication on security events.” According to EU GDPR, data subjects (“The Data Subject is a living individual to whom personal data relates.”) will also have to be notified, but only if the data poses a “high risk to data subject’s rights and freedom.” The implementation of incident management, which results in detection and reporting of personal data incidents, will bring an improvement to the organization wishing to conform to GDPR.

Asset Management – ISO 27001 control A.8 (Asset Management) leads to inclusion of personal data as information security assets and allows organizations to understand what personal data is involved and where to store it, how long, what is its origin, and who has access, which are all requirements of EU GDPR.

Privacy by Design – The adoption of Privacy by Design, another EU GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 control A.14 (System acquisitions, development and maintenance) ensures that “information security is an integral part of information systems across the entire lifecycle.”

Supplier Relationships – ISO 27001 control A.15.1 (Information security in supplier relationships) requires the “protection of the organization’s assets that are accessible by suppliers.” According to GDPR, the organization delegates suppliers’ processing and storage of personal data; it shall require compliance with the requirements of the regulation through formal agreements.

Is ISO 27001 enough?

In addition to the adopted technical controls, structured documentation, monitoring, and continuous improvement, the implementation of ISO 27001 promotes a culture and awareness of security incidents in organizations. The employees of these organizations are more aware and have more knowledge to be able to detect and report security incidents. Information security is not only about technology; it’s also about people and processes.

The ISO 27001 standard is an excellent framework for compliance with the EU GDPR. If the organization has already implemented the standard, it is at least halfway toward ensuring the protection of personal data and minimizing the risk of a leak, from which the financial impact and visibility could be catastrophic for the organization. The first thing an organization should do is conduct an EU GDPR GAP Analysis to determine what remains to be done to meet the EU GDPR requirements, and then these requirements can be easily added through the Information Security Management System that is already set by ISO 27001.