What is GDPR?
GDPR, effective from May 2018, is the latest data protection regulation from the EU and has been designed to protect all EU citizens from privacy and data breaches in an increasingly data-driven world.
In the UK, GDPR replaces the Data Protection Act 1998. The GDPR introduces new obligations to data processors and data controllers, including those based outside the EU.
The regulation significantly extends the rights of ‘Data Subjects’ (the people whose data you hold or process), for example the right to know what data is stored about them, and the right to request its correction or erasure.
Given that a breach can lead to fines of up to 4% of annual worldwide turnover or €20 million (whichever is greater), it is important for companies to assess how GDPR will affect them, and prioritise preparations to comply by May 2018.
How can ISO 27001 help your organisation achieve compliance with GDPR?
ISO 27001 Information Security Management is the broadest and most well-known business framework for managing information-related risk. The standard outlines specific requirements and controls to ensure that your business responds to regulatory requirements, such as EU GDPR, as well as ensuring that the appropriate controls are in place to manage risks to your business information, including personal records.
If the scope of your ISO 27001 certification identifies personal data as an information security asset, many of the EU GDPR requirements will be covered.
Many of the GDPR requirements are also requirements of ISO 27001, so the two are well aligned. Examples of these requirements include:
- Responsibility and accountability
- Gaining consent for holding and using data
- Appointing a Data Protection Officer
- Recording and investigating data breaches.