With the entry into force of the General Data Protection Regulation (GDPR) — the EU regulation strengthening individuals’ rights with regard to their personal data and regulating how companies process and transfer such data — enterprises have initiated compliance projects in order to demonstrate their alignment with the new data protection requirements.
The EU regulation, and more precisely its article 24, specifies that adherence to approved codes of conduct and approved certification mechanisms can be used as an element to demonstrate compliance. As the leading international standard and certification for information security, ISO 27001 is thus an ideal choice, providing a concrete framework to support GDPR compliance. ISO 27001 specifies requirements for effectively implementing and maintaining an information security management system (ISMS) by establishing a framework of policies and procedures that covers all legal, physical and technical controls involved in the risk management process.
Both the GDPR and ISO 27001 aim to strengthen data security and minimise the risk of data breaches, and both require companies to ensure the confidentiality, integrity and availability of personal data. ISO 27001, which provides a proven framework for managing information security, can help companies meet many of the GDPR requirements (risk assessments, data breach notification, data protection by design and by default, record keeping, third-party risk management).
Among these regulatory requirements, article 32 of the GDPR provides that the companies concerned “shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. Nevertheless, the regulation does not explicitly state which technical measures would be appropriate or how they could be implemented at the IT level. Additionally, since most DPOs have a legal background, choosing the appropriate technical measures can prove problematic, and many internal discussions or compromises with technical teams may be needed. Consequently, ISO 27001 can not only facilitate the realisation of a GDPR compliance project (since it offers a predefined and detailed framework) but also ease the DPO’s path to consistent compliance.
Therefore, the ISO 27001 framework can serve as a roadmap for companies that handle large volumes of data and sensitive processing operations and that have to comply with the GDPR.
Finally, companies that demonstrate compliance with the GDPR through ISO 27001 will undeniably build a stellar reputation for data protection and information security.
About OpenField S.A.
Open Field is an independent management consulting company specialising in information system strategy, security, project management, outsourcing, innovation and training. Open Field assists and supports organisations in their strategic and technological thinking by proposing innovative, high-performing solutions adapted to their needs. Based in Leudelange, OpenField was established in 2005.