For many months now, countdown clocks across the market research and analytics space, as well as in much of the business world at large, have been set to May 25, the date the EU’s General Data Protection Regulation (GDPR) comes into effect. It’s a significant deadline. As a replacement of the aging Data Protection Directive 95/46/EC, the GDPR represents a new paradigm that requires organizations to uphold defined principles of data protection and protect a set of rights for data subjects. The GDPR also brings with it strikingly “effective, proportionate and dissuasive” fines for businesses that fail to comply.
Businesses throughout Europe and around the world are deeply interested in protecting themselves and the data they hold, if not to avoid the fines then to ensure continued access to one of the world’s largest markets. Industry groups, such as the Insights Association, have provided educational resources to aid in this effort. These resources match the extensive breadth and complexity of the regulation; the Insights Association webinar series on the topic, for example, includes eight sessions.
Here, we will consider one facet of the regulation and how the development of an information security system will satisfy certain requirements.
What does the GDPR require of businesses?
The Regulation sets forth parameters within which organizations must operate to uphold its stated principles and protect numerous rights. Understanding these parameters and ensuring your organization observes them is just the start. Companies also must guarantee that compliance is not a one-off instance, but a continuous state, proving accountability via documentation and ongoing monitoring of compliance.
There are repeated references in the Regulation to the requirement for “technical and organizational measures” to ensure compliance with stipulations relevant to the context of the business. That is, the EU knows that it cannot define a set of specific measures that will apply to all businesses, and so it relies upon the organization to identify them for itself. To demonstrate compliance, businesses need to prove not only that these technical and organizational measures are in place, but that they are suitable to the organization, the personal data it holds or processes, the technologies it uses, and the risks it faces. Furthermore, they need to be able to do so on an enduring basis.
How does ISO 27001 certification help with GDPR compliance?
ISO 27001 is considered by some to be a model of best practice that will provide solid evidence of an intent and effort to comply. This means that an organization with a certified ISO 27001 Information Security Management System (ISMS) is viewed as taking an appropriate approach to protecting personal data in line with the GDPR, and therefore likely to be treated with greater mercy in the event of a data breach.
ISO 27001 is widely considered an excellent approach to compliance with data protection and privacy legislation generally, as it requires the business to recognize the “needs and expectations of interested parties”, which include customers, the public, partners and regulatory agencies, and “may include legal and regulatory requirements and contractual obligations”. A business with an effective, ISO 27001-aligned ISMS must, by definition, meet the requirements of the GDPR.
Furthermore, a business with an ISMS that has been certified by an accredited certification body has evidence that it complies with the GDPR (and any other relevant laws and regulations). This is the purpose of external validation and a benefit not offered under self-certification scenarios.
ISO 27001 not only addresses the need to comply with legislation through a systematic set of policies and processes, it also offers a reference set of controls. These controls, while they may not be exhaustive, can be readily leveraged to provide appropriate “technical and organizational measures”, as required by the GDPR.
ISO 27001 uses risk assessments to identify the necessary controls, which ties nicely with the GDPR’s stipulations regarding risk management and data protection impact assessments. The Regulation’s requirement to mitigate the risks to rights and freedoms of data subjects, for example, can be managed within an ISO 27001 risk assessment, with controls potentially drawn from the Standard’s reference controls (or from any other source).
Why implement an Information Security Management System?
A management system operates on the principle that a set of defined practices can be followed, repeatedly, to ensure consistent behavior in line with the organization’s requirements. In the case of an ISMS, these practices relate to the protection of information, and are developed in accordance with the organization’s position, which is normally stated in a policy.
As the organization develops all necessary practices, it becomes apparent that the whole system is heavily interlinked and that there needs to be an awareness of the management system’s needs at both the macro and micro scale. That is, the organization needs to understand how all policies, procedures and records interact on a grand scale just as much as it needs the detail to be precise, effective and replicable. For many organizations, developing this framework, filling in the details, and documenting the string of processes is daunting. But it is necessary. The GDPR has sounded the alarm that organizations can no longer put off data protection and privacy.
In fact, with the May 25 compliance deadline fast approaching, market research and analytics businesses would do well to acquire resources that can streamline how they approach compliance. No, ISO 27001 certification alone does not address all GDPR requirements, but it does fulfill many and at the same time provides an Information Security Management platform which single-handedly satisfies the demands of some of the most demanding clients you’re likely to encounter.