The General Data Protection Regulation (GDPR) has applied across the European Union since 25 May 2018. The regulation requires companies operating in the 28 EU member states to follow recognized best practices of information security management whenever they handle the personal data of individuals in the EU (the regulation protects data subjects located in the EU, not only EU citizens). The GDPR was adopted in April 2016 with a two-year transition period, so its arrival was no surprise. It replaces the 1995 Data Protection Directive, which had seen no substantial update in the more than twenty years that followed, and the step up in obligations and penalties has made it intimidating for many enterprises.
Non-compliant organizations can be fined up to €20 million or four percent of their annual global turnover, whichever is higher. While it remains to be seen how strictly supervisory authorities will enforce the regulation, enterprises should treat it as an opportunity: demonstrable compliance earns customer trust and can become a competitive advantage.
Article 32 of the GDPR states that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.” A “controller” is any organization that determines the purposes and means of processing personal data, while a “processor” processes that data on behalf of the controller.
Article 32 goes on to list the kinds of measures expected, including “pseudonymisation and encryption of personal data… the ongoing confidentiality, integrity, availability and resilience of processing systems and services… the ability to restore the availability and access to personal data in a timely manner… a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
ISO 27001 to the rescue
The GDPR makes multiple references to certification mechanisms, most directly in Article 42. ISO/IEC 27001 is the gold-standard framework for information security management and helps companies align with an internationally accepted model. One caveat: ISO 27001 certification is not itself a GDPR certification under Article 42, which must be approved by a supervisory authority or the European Data Protection Board, but it is strong evidence that the “appropriate technical and organisational measures” of Article 32 are in place. By implementing the ISO 27001 standard, and in particular the control set in its Annex A (whose implementation guidance is given in ISO/IEC 27002:2013), an organization establishes an information security management system (ISMS) that operates within the organization's own culture and processes.
An ISMS, as detailed in ISO/IEC 27001, is an integral part of a business entity's processes and overall management structure, with the primary goal of ensuring the expected levels of confidentiality, integrity and availability of information. ISO/IEC 27002 provides detailed guidance on applying the controls, covering policies, processes, procedures, organizational structures, and software and hardware functions. It is meant to be used together with the other standards in the ISMS family.
How ISO 27001 matches GDPR mandates
As noted above, Article 32 of the GDPR emphasizes encryption, confidentiality, integrity and availability, and the regular testing of security measures. Let's now see how ISO 27001 helps in achieving these objectives:
Data encryption: ISO 27001:2013 Annex A provides a set of 114 controls, each of which can be selected to treat an identified information security risk; encryption is one of them (control domain A.10, Cryptography). An organization with the standard in place has already identified its information assets and the risks to them, so it can apply encryption wherever the risk assessment calls for it rather than as an afterthought.
Confidentiality, integrity and availability of data: Preserving the confidentiality, integrity and availability of information is the fundamental principle of the standard, and an ISMS built on it protects personal data on all three dimensions, which is exactly what Article 32 asks for and what earns customer trust.
Risk assessment: ISO 27001 (clause 6.1.2) requires businesses to carry out a systematic risk assessment that identifies the threats and vulnerabilities that could affect their information and to select and implement controls that reduce those risks to an acceptable level, safeguarding the confidentiality, integrity and availability of the data.
Business continuity: ISO 27001 addresses the information security aspects of business continuity (Annex A.17), requiring controls that keep vital information available, or restorable in a timely manner, in the event of a system interruption. This maps directly to the Article 32 requirement to restore availability and access to personal data after an incident.
Testing and assessments: Certification requires independent audits by an accredited certification body, and the standard itself mandates internal audits and management reviews (clause 9). Together these provide the “process for regularly testing, assessing and evaluating the effectiveness” of security measures that Article 32 demands. The audits do not make the systems compliant by themselves; they verify that the controls are implemented and working.
Some GDPR obligations fall outside the scope of ISO 27001: lawful bases for processing, data subject rights such as access and erasure, records of processing activities, data protection impact assessments, appointment of a data protection officer where required, and notification of personal data breaches to the supervisory authority within 72 hours. At the same time, the standard clearly covers most of the security requirements of the new regulation, taking companies a long way toward protecting personal data and mitigating risk.
It must also be realized that GDPR compliance is not a one-time event; organizations will need to keep their systems and controls current as their processing and the threat landscape change. This is a further argument for ISO 27001, whose plan-do-check-act cycle and continual improvement requirement (clause 10) oblige the organization to keep identifying and treating new risks rather than stopping at the initial certification.