GDPR and ISO 27001 - how do they map?
Key changes and how they map to ISO 27001
So what are the key changes? Below are a list of relevant changes and how these changes relate to ISO 27001; however this is by no means definitive:
The way individuals are identified encompasses others factors such as their genetic, mental, economic, cultural or social identity. Companies will need to take measures to reduce the amount of identifiable information they store. Parental consent will be required to process the personal data of children under 16 years old.
Clear policies should be in place with regards to handling of individual identifiable information, with clearly defined retention timescales. ISO 27001 Annex A Control Measures specifically A.18.1.4 – Privacy and Protection of Personally Identifiable Information, mentions compliance obligations relating to the privacy and protection of personal information (formally known as Personally Identifiable Information PII).
Organisations not based in the EU that do business in the EU with EU subjects data will also be required to comply with the regulation.
The regulation has a global reach – If the organisation has customer/clients in the EU they must also comply with the regulation, especially if they collect personal information. Again covered in A.18.1.4.
Clear and affirmative consent to the processing of personal data must be sought. Inactivity or silences are no longer valid forms of consent.
There is a requirement to request informed consent for processing or stop processing! Demonstration of this fact must be available. Defined procedures and records must be in place to show this. A number of control measures are relevant here; A.8.2.3 – Handling of Assets, A.12.1.1 – Documented Operating Procedures, A.18.1.3 – Protection of Records, A.14.1.1 – Information Security Requirements Analysis and Specifications, A.8.3.2 – Disposal of Media.
If a breach occurs that is likely to represent a risk to the freedom of the data subjects in question the organisation must report this to their data protection authority (Information Commissioners Office –ICO) within 72 hours, unless there are exceptional circumstance which must be justified. If the risk is high the data subject must also be notified however a specific timescale detailing when this must happen has not been detailed.
Breaches must be reported as soon as determined to be a breach not just a false alarm. Security incidents are referred to in section A.16 – Information Security Incident Management. Control measure A.18.1.4. - Privacy and Protection of Personally Identifiable Information
Data Protection impact risk assessments have become mandatory before undertaking higher-risk data processing activities. Where privacy breach risks are high, data controllers will be required to conduct privacy impact assessments to analyse/minimise the risk to the data subject.
ISO 27001 or an Information Security Management System is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. The planning clause of the standard, clause 6 details actions to address risks and opportunities, more notably 6.1.2. – Information Security Risk Assessment and 6.1.3. – Information Security Risk Treatment. Control measure A.8.2.1 – Classification of Information.
Certain companies will be mandated to appoint a Data Protection Officer (DPO). Article 35 of the GDPR states that DPO’s must be appointed for all public authorities. This will also be the case where the core activities of the controller or processor involve “regular and systematic monitoring of data subjects on a large scale” or where the organisation conducts large scale processing of “special categories of personal data”. Credentials for this role have not been specified however the GDPR require that DPO’s have “expert knowledge of data protection law and practices”.
The responsibilities and authorities for roles relevant to information security should be assigned and communicated as stated in clause 5.3 – Organizational Roles, Responsibilities and Authorities. A.6.1.1 – Information Security Roles and Responsibilities also applies.
Data subjects have the right to be forgotten, where information relates to their identity must be erased or destroyed.
This is a form or withdrawing consent and implies system and process control requirements to enable erasure of specific stored information and demonstrate/record this function. This can also relate to archives or backups. Relevant controls include; 6.1.2 Information Security Risk Assessment, A.14.1.1 – Information Security Requirements Analysis and Specifications, A.8.3.2 – Disposal of Media, A.16 – Information Security Incident Management, A.12.3 – Backup.
Data processors can be held liable for breaches and will direct legal obligations and responsibilities. Contractual arrangements will need to be reviewed and updated. The stipulation of responsibilities and liabilities between the controller and processor will be an important factor in future agreements as parties will need to document their responsibilities more clearly.
Privacy and Information security aspects much be addressed when managing relationships with business partners. This could include for example; joint investigation of data breaches, resolving privacy incidents and achieving & maintaining an assured level of GDPR compliance. Numerous clauses and control address this issue such as; 5.3 – Organizational Roles, Responsibilities and Authorities, 9.1 – Monitoring, Measurement, Analysis and Evaluation, A.13.2 – Information Transfer, A.15 – Supplier Relationship, A.16 - Information Security Incident Management, A.18 – Compliance.
The principle of privacy by design must become a cornerstone to the way processes are built. Systems and processes must consider compliance with the principles of data protection under GDPR. Privacy by design is in essence – privacy in a service or product should be taken into account from inception rather than the point of delivery.
Privacy by design and by default are examples of privacy principles underpinning each aspect of the project – specification, design, development, operation and maintenance. This includes relationships with third parties such as Internet Service Providers. Clause 6 – Planning and almost all of the control measures in Annex A apply.
Increased penalties and consequences
Under the GDPR the upper limit could reach €20 Million or 4% of the annual global turnover of an organisation - whichever is higher. For some business this could posed a threat of bankruptcy or even closure.