
GDPR Compliance through ISO Standards

Author: Dantis Mihai

GDPR: The EU General Data Protection Regulation (EU GDPR), approved on April 14, 2016, by the European Parliament and the Council of Europe, applies directly in each of the EU countries. The GDPR is an important regulation because it establishes consistent rules between nations on the privacy rights of citizens. The salient features of the GDPR are:

- Depending on the nature and purpose of the data usage, both those who determine the purpose and means of the processing of personal data (Data Controllers) and those who in turn process it on their behalf (Data Processors) will, to be compliant with the EU GDPR, have to implement organizational and technical measures that achieve an appropriate level of data security in terms of confidentiality, integrity, availability, and resilience of the systems that support them, as well as regularly validate the effectiveness of these measures.
- Beyond EU companies, the EU GDPR covers companies outside of the EU that offer goods or services to EU Data Subjects (“an identified or identifiable person to whom the ‘personal data’ relates”), even if for free, or that monitor the Data Subjects’ behavior within the EU.
- Under the new regulation, organizations have to minimize data collection and retention and gain consent from consumers when processing data: in other words, minimize the collection of consumer data, minimize with whom data is shared, and minimize how long it is kept. The goal is that organizations only collect or store information they need for the intended purpose, particularly with regard to personal data.
- The EU GDPR has strengthened the previous directive by granting the owners of personal data the right to be forgotten, allowing them to request the deletion of their data by organizations, including data published on the web. The EU GDPR states that “the (…) controller shall have the obligation to erase personal data without undue delay, especially in relation to personal data which are collected when the data subject was a child, and the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.”
- In case of a personal data breach, the company will have to notify the organization responsible for this purpose, the Data Protection Authority (DPA) (“National supervisory authority, acting with complete independence, responsible for monitoring the application of data protection rules at the national level”), within 72 hours of having detected the violation. Whether affected individuals must be notified depends on the possibility of unauthorized access to the information. Notification to the DPA is not required if the breach is unlikely to result in a risk to the rights and freedoms of individuals.
- If the organization is dealing with special categories of personal data on a large scale, it needs to appoint a Data Protection Officer (DPO) as part of its board.
- If these measures are not met, the penalties are high: up to €20 million or, in the case of companies, up to 4% of annual turnover, whichever is higher.
The EU GDPR requires organizations to take measures to ensure the privacy of any personal data that they process. However, the regulation itself provides little guidance on what those measures should look like. The ISO (International Organization for Standardization) and the IEC (International Electrotechnical Commission) developed the ISO 27001 and ISO 27701 standards to provide that guidance.

Figure 1: GDPR Deep Dive on major articles (diagram: GDPR at the centre, surrounded by Territorial Scope (Art. 3), Explicit Consent (Art. 7), Right to Access (Art. 15), Right to Rectification (Art. 16), Right to Erasure (Art. 17), Privacy by Design (Art. 25), Notification Requirements (Art. 33), Data Protection Officers (Art. 37) and Sanctions (Art. 83))

ISO 27001: ISO 27001 is an information security management standard that provides detailed guidance for taking appropriate security measures, in the form of an information security management system (ISMS), to protect an organization's business from a data breach. An ISMS is a system of processes, documents, technology and people that helps an organization manage, monitor, audit and improve its information security practices. ISO 27001 sets out the requirements for an ISMS as a risk-based approach that encompasses people, processes and technology. Independently accredited certification to ISO 27001 provides stakeholders with assurance that data is being appropriately secured. It helps an organization manage all security processes in one place, consistently and cost-effectively. An organization will be able to implement adequate and effective security measures, based on the outcomes of a formal risk assessment, to comply with the GDPR requirements, rather than implementing controls indiscriminately to reduce data breach risks.

As ISO 27001 is a framework for information protection, implementing it promotes a culture of security and awareness of security incidents within an organization. Adopting the ISO 27001 information security standard is the basis for moving towards compliance with the GDPR. The employees of ISO 27001 compliant organizations are more aware and better equipped to detect and report security incidents. Information security is not only about technology; it is also about people and processes. The ISO 27001 standard is an excellent framework for compliance with the EU GDPR. If an organization has already implemented the ISO 27001 standard, it can be assured that it has undertaken fifty percent of the compliance requirements of the GDPR guidelines.

Figure 2: ISO 27001 (Main facets of an Information Security Management System) (diagram: ISO 27001 at the centre, surrounded by Data Breach Protection, Meeting Customer Expectations, Ensuring Compliance, Security Risk Management, Secure Data Access and Raising Security Awareness)

GDPR Compliance and the ISO 27001 Guarantee:

1. Assurance: The GDPR recommends the use of certification schemes such as ISO 27001 as a
way of providing the necessary assurance that the organization is effectively managing its
information security risks.
2. Controls and Security Framework: The GDPR stipulates that organizations should select
appropriate technical and organizational controls to mitigate the identified risks. The majority
of the GDPR’s data protection arrangements and controls are also recommended by ISO
27001.
3. People, processes and technology: ISO 27001 encompasses the three essential aspects of information security: people, processes and technology. This means protecting one's business not only from technology-based risks but also from other, more common threats, such as poorly informed staff or ineffective procedures.
4. Certification: The GDPR requires organizations to take the necessary steps to ensure the
security controls work as designed. Achieving accredited certification to ISO 27001 delivers an
independent, expert assessment of whether an organization has implemented adequate
measures to protect the personal data.
5. Risk Assessment: ISO 27001 compliance means conducting regular risk assessments to identify
threats and vulnerabilities that can affect information assets, and to take steps to protect that
data. The GDPR specifically requires a risk assessment to ensure an organization has identified
risks that can impact personal data.
6. Testing and Audits: Being GDPR-compliant means an organization needs to carry out regular
testing and audits to prove that its security regime is working effectively. An ISO 27001-
compliant ISMS needs to be regularly assessed according to the internal audit guidelines
provided by the Standard.
7. Continuous Improvement: ISO 27001 requires that an organization's ISMS is constantly monitored, updated and reviewed. This means that it evolves as the business evolves, through a process of continual improvement, and that the ISMS adapts to both internal and external changes by continually identifying and reducing risks.

Personal Data: GDPR and ISO 27001: Under the GDPR, personal data is critical information that all organizations need to protect. ISO 27001 ensures the protection of personal data and minimizes the risk of a leak through its adopted technical controls, structured documentation, monitoring, and continuous improvement. Importantly, some of the prominent GDPR requirements on personal data concern supporting the rights of data subjects: the right to be informed, the right to have their data deleted, and data portability. These EU GDPR requirements are not directly covered by ISO 27001; however, if the implementation of ISO 27001 identifies personal data as an information security asset, most of the EU GDPR requirements will be covered and met.

ISO 27001 is the international standard for an ISMS (information security management system), and it provides an excellent starting point for achieving the technical and operational requirements necessary to reduce the risk of a breach and thus secure personal data. To make GDPR compliance more stringent, it is highly recommended to make one's organization ISO 27701 compliant as well.

Testing the mapping of ISO 27001 with EU GDPR Compliance:

1. The GDPR requires organizations to carry out Data Protection Impact Assessments. This is also required by ISO 27001, so implementing ISO 27001 enables and satisfies the GDPR obligation of classifying personal data as highly critical.
2. Implementing ISO 27001 standards makes it mandatory to have a list of relevant legislative,
statutory, regulatory, and contractual requirements. This is one of the vital requirements to
be GDPR compliant.
3. Data authorities are required to be notified within 72 hours after discovering a breach of
personal data. Implementing ISO 27001 ensures a consistent and effective approach to such
incidents including communication on security events. Adopting incident management
facilitates detection and reporting of data breach incidents and improves compliance with
GDPR.
4. ISO 27001 mandates treating personal data as an information security asset, and requires an organization to understand what personal data is collected, where it is stored, for how long, where it originates, and who has access to it, all of which are requirements of the GDPR too.
5. The implementation of Privacy by Design, a GDPR requirement, becomes mandatory in the
development of products and systems. ISO 27001 ensures that information security is an
integral part of information systems across the entire lifecycle.

ISO/IEC 27701: ISO/IEC 27701 is a privacy extension to the international information security management standard, ISO 27001 (ISO/IEC 27701 Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines). ISO 27701 specifies the requirements for, and provides guidance on, establishing, implementing, maintaining and continually improving a PIMS (privacy information management system) based on the requirements, control objectives and controls in ISO 27001, extended by a set of privacy-specific requirements, control objectives and controls. ISO 27701 has thus been designed to be used by all data controllers and data processors. ISO 27701 advocates a risk-based approach so that each conforming organization addresses the specific risks it faces, as well as the risks to personal data and privacy.

Organizations that have implemented ISO 27001 will be able to use ISO 27701 to extend their ISMS and their security efforts to cover privacy management, including their processing of personal data/PII (personally identifiable information). This can help them demonstrate that reasonable measures have been taken to comply with data protection laws such as the GDPR. It is important to note that implementing both the ISO 27001 and the ISO 27701 standards will help organizations meet, and demonstrate compliance with, the privacy and information security requirements of the GDPR. Organizations without an ISMS can implement ISO 27001 and ISO 27701 together as a single implementation project.

ISO 27018 – the cloud security member of ISO: ISO/IEC 27018 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors) should also be consulted if the organization stores or processes personal data in the cloud. ISO/IEC 27018 requires a policy that allows for the return, transfer, and secure disposal of personal information within a reasonable period of time. For example, if Microsoft works with other companies that need access to a customer’s data, Microsoft proactively discloses the identities of those sub-processors. ISO 27018 is becoming increasingly important as cloud-based services are used by many organizations to cut down on hardware cost and to minimize the privacy risks of a breach of local computers.

Conclusion: No organization currently operating within the EU and handling customer data in any format can do without EU GDPR compliance, and in all likelihood the first step is for the organization to conduct an EU GDPR gap analysis. The ISO standards are key to most possible solutions, largely by showcasing an organization's capability and respect for privacy as a key mandate. The ISO standards help in determining what needs to be done to meet the EU GDPR certification requirements and are thus a key representation to the European Data Protection Board (EDPB). These requirements can easily be added to the Information Security Management System (ISMS) already set up under ISO 27001, and to make it foolproof, ISO 27701 becomes the essential complementary standard.

Organizations working in any capacity with any form of customer data must implement the ISO standards. ISO 27001 provides the means to ensure GDPR protection, and the ISO 27701 standard enforces the mandate of personal data privacy. In addition, ISO 27018 is the need of the hour, with more and more employees working remotely in environments where cloud sharing of data is increasingly common practice. Thus, implementing the ISO standards gives an organization the confidence to apply for EU GDPR certification.

ISO standards 27001 and 27701 are an objective way of demonstrating an organization's efforts and capability in meeting all regulatory privacy requirements. It is highly recommended that both ISO 27001 and 27701 are implemented, as they are recognized global benchmark standards and demonstrate respect for privacy. All EU companies that operate internationally will have to become GDPR compliant, and those who do not will lose credibility. The simplest way to go about it is to showcase the implementation of the ISO 27001 and 27701 standards. The ISO standards and EU GDPR certification are intertwined and thus essential for establishing trust, credibility and reliance; they showcase an organization's efforts in managing and handling critical customer data in full confidentiality, with consent, and with the ability to take care of issues.
