Home Resources Blog November 2018

ISO 27001 v GDPR - Mapping

23 November 2018
What are the similarities between GDPR and the International Standard ISO 27001? Six months on since the implementation of the GDPR and what have we learned? 

This blog further explains the similarities between the GDPR and the International Standard – ISO 27001:2013 and includes a mapping guide to explain how adoption of the standard can assist you in reaching compliance with the new regulations.

What is the GDPR?

In today's ever–evolving digital environment, the protection of personal data has become more critical than ever. As data breaches occur with greater frequency, the cyber–security standards that were put into law 20 years ago are no longer enough to protect the information of businesses and customers that interact online. The larger the database, the graver the consequences of a breach for parties at both ends.

The GDPR is intended to solve security issues that have emerged over the past two decades since the development of cloud technology and its impact on data security.
The General Data Protection Regulation (GDPR) was developed by the European Union over a four–year period to serve as a legislative solution to issues regarding data protection in the present day. Previously, laws regarding data protection in the United Kingdom are based on the Data Protection Act of 1998 — an update of the 1995 EU Data Protection Directive — which itself was designed to handle security issues as understood by lawmakers and programming experts in the years leading up to the millennium.
The regulations are designed to protect customer data in the new digital environment. In an age where companies like Facebook and Google share the personal data of account holders in exchange for site access and features, the GDPR seeks to return more control of the situation back to the user.
The other reason for the GDPR is to establish a clear–cut set of regulations under which businesses can operate in regards to the handling of customer data. With these new rules, the boundaries would be easier to understand on both the corporate and consumer end, which would make it easier for businesses to earn and hold the trust of customers.
The law will also offer more power to citizens in regards to what companies can do with private data. While the new law will be beneficial on all sides, the GDPR has been designed to protect consumers.
Fears of advanced online hackers could be reduced, if not eliminated, by the new regulations.
With the laws on data protection more clearly defined throughout the EU, the GDPR could save the European business economy roughly £2.3 Billion a year. That saving, in turn, could be passed onto consumers.

Controllers & Processors

The two parties in the realm of data security that are directly impacted by the implementation of the GDPR are the controllers and processors of digital information.

According to article 4 of the EU GDPR, different roles are identified as indicated below:

So, the organizations that determine the means of processing personal data are controllers, regardless of whether they directly collect the data from data subjects. For example, a bank (controller) collects the data of its clients when they open an account, but it is another organization (processor) that stores, digitizes, and catalogues all the information produced on paper by the bank. These companies can be datacentre’s or document management companies. Both organizations (controller and processor) are responsible for handling the personal data of these customers.
The data controller remains responsible for ensuring its processing complies with the GDPR, whether it processes in-house or engages a data processor. It is the Controllers responsibility to determine how it monitors and evaluates the processors.
Data processors face direct legal obligations under the GDPR in such areas as security and record keeping. Under the GDPR controllers can only use processors providing - sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and protection of the rights of the data subject. If processors breach their direct obligations they can be fined by the Supervisory Authorities and held jointly liable with the controller for the entirety of any damage to a data subject, unless they can prove they were not in any way responsible for the event.

Processing of Information

According to Article 5 from the EU GDPR, the controller shall be responsible for, and be able to demonstrate compliance with, the principles relating to processing of personal data. These are:

According to Article 28 from the EU GDPR, “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”
When the GDPR was implemented on May 25th, 2018, controllers were required under law to process EU user data for specific purposes with complete transparency. Once the purpose is completed, and the controlling/processing entities have no lawful need for the data of a given user, the data must be deleted. Therefore, personal data will no longer be stored idly and indefinitely on servers that could be hacked at any time.
For the personal data of EU residents to be processed lawfully under the GDPR, at least one of the justifications mentioned below will have to apply. The law is designed to put the interests of online users above the entities that could be intent on exploiting or sharing personal data.


For controllers to get the agreement of an individual, the person must give consent through a direct, confirmed action. The pre–existing standard of justification, which allows controllers to use data with only passive acceptance on the part of the person, will not suffice under the GDPR. Therefore, consent cannot be gained through means that would only be understood by users who pass over the fine print of a given set of terms.
It's the controller's obligation to keep a record of the time, date and means through which a person has given his or her consent, and to respect the individual's wish to withdrawal at any time. Any business, charity or government agency that doesn't currently conform to these new regulations will have to bring their protocols into compliance. For many companies, the implementation of best–practice standards has made this transition a whole lot easier.
Data storage systems or backups/roll back systems must be developed so as to protect data and maintain its privacy. Organisations may need to complete a legacy data audit to ensure that any personal data held by a processor or controller does so in line with the GDPR. This will enable organisations to identify where consent was granted correctly and delete records where consent was not or cannot be obtained.
The category that constitutes private data within the EU has become a whole lot broader under the GDPR. In response to the type of information that companies now gather from individuals, information about a user's computer and location, as indicated by an IP address, will now be considered private data. Other information, such as the financial, psychological or ethnic history of an individual, would also be defined as personal information. Anything that could be used to identify an individual would qualify.

Personal data is defined as anything that can identify a 'natural person' - a living human, either directly or indirectly, and can be anything such as; a name, photo, email address - which includes work email, bank details, medical information biometric and genetic data or even a computer IP address.

A person can request to see his or her private data at reasonable intervals, as defined by the GDPR. Under the new law, controllers are obligated to respond to a user's request within 30 days. The new regulations also require controllers and processors to maintain policies of transparency regarding the means through which data is gathered, used and processed. The language used to explain these processes to people must be worded in simple, clear layman's terms and not be littered with confusing jargon. It can't read like a formal, legal document.
Each individual is entitled to access any private data held by a company. Furthermore, each individual has the right to know just how long his or her information will be stored, which parties will get to view it and the reasons for which the data is being used. Whenever possible, controllers will be encouraged to offer secure viewing access for any account holder who wishes to see his or her personal information, as held in a company's database. People will also be able to request that incorrect or incomplete data be corrected at any time.
A person can request that his or her data be deleted at any time, for any reason, under a clause of the GDPR known as the "right to be forgotten." If an individual feels that his or her data is no longer essential for the original purpose of its collection — such as when an address is collected to verify that a person meets the geographical requirements for participation in a contest or survey — a request can be made to have the information removed from a database.
When a request to be forgotten has been made, the controller is obligated to inform Google and other data–gathering organizations that all copies and links to said data must be deleted. The risk of having dormant personal info leaked to third–party marketers will be greatly minimized under the new law.
Organisations can only charge if the Subject Access Requests are instituted without sufficient grounds and serving only to cause annoyance to the organisations. The GDPR allows you to exceptionally charge an administrative fee for unfounded, excessive or repetitive request. Organisations are also able to refuse to respond to the request, but you must be able to demonstrate the unfounded, excessive or repetitive nature of the request.

Breaches and Breach Notification

Any organization that collects the private data of users is required to report news of a data breach to a protection authority. The news must be reported within 72 hours of when the breach first becomes known to the organization. In the United Kingdom, the Information Commissioner's Office (ICO) serves as the authority on such matters.
Failure to notify the data protection authority within 72 hours could result in a fine of as much as 2% of a company's global annual revenue, or a fine of £10 million — whichever happens to be the larger amount. Compared to previous ICO fines, which only went as high as £500,000, the penalties under the GDPR are far stricter.
The 72–hour deadline to report a breach will not always give an organization enough time to learn the full nature of a particular offense, but it should provide sufficient time to gather adequate information for the authority about the kind of data that will be affected by said breach. Just as importantly, an organization should be able to give a rough estimate of the number of people that will be impacted by the breach. This way, potentially affected parties will have more time to react.
You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals. If unaddressed such a breach is likely to have a significant detrimental effect on individuals – for example, result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. This has to be assessed on a case by case basis. For example, you will need to notify the relevant supervisory authority about a loss of customer details where the breach leaves individuals open to identity theft. On the other hand, the loss or inappropriate alteration of a staff telephone list, for example, would not normally meet this threshold.
If an organization fails to abide by the core principles of the GDPR — such as gaining the consent, respecting the rights, and obeying the requests of individuals — the organization could face fines twice as high as those imposed for failure to report a data breach. Under the GDPR, the fine for failing to follow the new law could be as high as 4% of a company's global revenue, or a fine of £20 million — whichever happens to be the larger amount.
Until the UK actually withdraws from the EU, companies based in England, Scotland and Wales will still have to be in full compliance with the new laws. British citizens, meanwhile, will be protected under the GDPR until Brexit takes effect. Once the UK has completed its exit from the EU, British companies will still be required to follow the new regulations when handling the private data of EU citizens.
The GDPR has direct effect across all EU member states. This means organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives member states limited opportunities to make provisions for how it applies in their country. One element of the DPA 2018 is the details of these. It is therefore important the GDPR and the DPA 2018 are read side by side.

What Is ISO 27001:2013?

Organizations around the world that have studied the GDPR are likely aware that the regulations are an encouragement to adopt best–practice schemes.
ISO 27001 is an information security standard that helps companies come into compliance with international best–practice models. The standard covers three key components of data security:

When steps are taken to safeguard data with these three components in mind, businesses are better equipped to protect information, mitigate risks and rectify procedures that are deemed ineffective. As such, a growing consensus has emerged in the corporate sector that deems ISO 27001 to be the gold standard in best–practice schemes.
By putting the ISO 27001 standard into effect, an organization activates an information security management system (ISMS) that works within the business culture of the company in question. The standard is regularly updated and enhanced, and these ongoing improvements allow the ISMS to stay abreast of changes both within and outside of the company, all the while spotting and eliminating new risks.
If you've already achieved certification to ISO 27001:2013, you may have noticed some similarities between that standard and GDPR.

How can ISO 27001:2013 help?

It’s designed to support the confidentiality, integrity and availability of your information and help you maintain legal compliance. It helps you to protect your data from cyber-crimes, misuse, fire, theft and other threats.
Having certified ISMS in place will give your customers more confidence in your company as well as improve your relationships with other stakeholders and help you to mitigate risk.

A common example of “Confidentiality” would be an online transaction conducted over secure methods, such as the use of encryption, whereby information is protected via HTTPS.
As for “Integrity”, an example would be the trustworthiness of customer financial account information (i.e., bank accounts, personal information) held by a bank for conducting daily operational transactions.
As for “Availability”, this could pertain to a bank’s customer facing web servers that host the online banking portal, for which customers can access any time of the day.

Is ISO 27001:2013 Enough?

While there are some areas covered under the GDPR that are not controlled under the ISO 27001 standard — such as the right of a data subject to have his or her data moved or deleted — the standard covers most of the requirements of the new law by virtue of the fact that private data is recognized as an information security asset under ISO 27001. As such, the standard and the new regulations share like–minded views on data security.
ISO 27001 has a broader scope than GDPR in that it applies to a company's critical data as well as to personal data. The ISO standard can be used to protect personal data as well as other information. GDPR also covers several areas that ISO 27001 doesn't, such as the right to be forgotten, data portability and the right to be informed about your personal data.
ISO 27001 doesn't explicitly address these rights, but an ISMS can support you in meeting these requirements. Because ISO 27001 doesn't specifically include these rights, being certified to it doesn't necessarily ensure that you're also GDPR-compliant. It will certainly support you in your GDPR compliance goals and bring you closer to reaching them.
Because the two standards have some differences in what they cover, all ISO 27001-certified companies impacted by GDPR should conduct a gap analysis. This assessment, which NQA can perform, will provide you with information about where you are now and what you need to change to comply with GDPR. It identifies the gaps between your current systems and the ones you want to follow.

Download mapping table, please note: This mapping table does not constitute as legal advice for meeting the European General Data Protection Regulation (EU GDPR) requirements.

Upon reviewing the mapping table, please note that the ISO 27001 controls without the prefix ‘A’ are in the main body of ISO/IEC 27001:2013. Those prefixed with ‘A’ are listed in Annex A of ISO 27001:2013 and are explained in more detail in ISO 27002:2013 – a supplementary guideline standard on information security controls.

Reviewed by: Tim Pinnell, NQA Information Security Assurance Manager 12/18/2020