
A connection between ISO/IEC 27001 and GDPR

Tânia Machado de Almeida, TMT Lawyer
Data Protection Officer (DPO), Strongstep

Since the General Data Protection Regulation (EU) 2016/679 became applicable on 25 May 2018, many organizations have asked themselves how to implement the Regulation and avoid its administrative fines (up to 20 million euros or 4% of total worldwide annual turnover, whichever is higher), which could have a very significant financial impact on a business.

On the other hand, according to the International Organization for Standardization, by the end of 2016 more than 33,000 organizations worldwide held an ISO/IEC 27001 certificate, the standard for information security management. So what can a regulation and a best-practice reference have in common, and what advantages do ISO/IEC 27001 certified organizations have when implementing the GDPR?

The two documents share a set of common requirements, which makes implementing the GDPR easier for a certified organization, and vice versa. We identified five areas that share the same philosophy. To be clear about the differences between the two documents: ISO/IEC 27001 is a management-system standard dedicated to information security. It is an internationally recognized standard that defines best practices for managing information security risk, with the concrete safeguards listed as controls in its Annex A.

The GDPR changed the regulatory paradigm of personal data protection, establishing new rights for natural persons (data subjects) and new obligations for organizations, and it created the role of the Data Protection Officer (DPO).

As mentioned, we highlight five common points:

  1. Data classification: ISO/IEC 27001 requires information to be classified according to its value and sensitivity (Annex A control A.8.2 in the 2013 edition) and protected at a level appropriate to that classification. In this context, personal data must be identified and processed with appropriate security measures, as the Regulation demands in Articles 9 and 30 (special categories of personal data, and the record of processing activities) and in Article 32 on the security of processing.
  2. Notification of, and cooperation with, the supervisory authorities: ISO/IEC 27001 requires an information security incident management process (Annex A.16) so that security events are documented and reported through the appropriate management channels as quickly as possible, and requires that “appropriate contacts with relevant authorities shall be maintained” (A.6.1.3). The GDPR, in Article 33, requires a personal data breach to be notified to the supervisory authority (the national data protection commission; in Portugal, the CNPD) without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, and Article 31 requires controllers and processors to cooperate with the supervisory authority, within a system that relies on the organization's own accountability.
  3. Asset management: The standard requires an inventory of the organization's information assets, with an owner and acceptable-use rules assigned to each (Annex A.8.1). The Regulation requires the organization to identify what personal data it has collected, how it was obtained, where it is stored, for how long it will be kept and who can access it.
  4. Data protection by design: Under ISO/IEC 27001, information security must be designed and implemented as an integral part of the entire development life cycle of information systems (Annex A.14). The Regulation, in Article 25, requires safeguards to be built in from the earliest stage of design (data protection by design and by default).
  5. Record of processing activities: Both references require the basic aspects of data processing to be recorded, in proportion to the complexity of the process (in the Regulation, the record of processing activities of Article 30), for example by identifying which personal data are collected, for what purpose and how they are processed.

Not everything that ISO/IEC 27001 and the Regulation have in common has been listed above. For example, training and awareness are fundamental in both. Nor does the standard by itself cover every aspect of the Regulation: explicit consent, the right to erasure (“right to be forgotten”) and the appointment of the DPO, among others, have no counterpart in the standard. Even so, the standard is an excellent, internationally acknowledged reference that demonstrates an organization's commitment to information security and privacy.

In summary, ISO/IEC 27001 certified organizations hold a competitive advantage in the current data protection landscape. They offer greater assurance to the parties with whom personal data are shared, for example when a supply contract involves the sharing of personal data. In addition, these organizations already have security specialists who will be better prepared to work with privacy professionals in implementing the GDPR internally, using the Regulation to complete the controls of the standard. Information security is a sound basis for privacy, but on its own it is not enough to make an organization either ISO/IEC 27001 certified or GDPR compliant. Certify your organization and become competitive worldwide.
