The new European General Data Protection Regulation (GDPR) comes into full force in May 2018. Its reach is global: any organization that processes the personal data of natural persons who are in the EU falls within the scope of the GDPR, regardless of where that organization itself is based.
A question being asked by many ISO 27001 certified organizations is, “if we already have ISO 27001, are we covered for the GDPR?”. This is a good question, and if you want the short answer, it is probably, “no”. For a longer answer, feel free to read on.
GDPR vs. ISO 27001
The general response I am seeing from most experts when asked this question is, “no, the GDPR is much bigger and broader than that.” They go on to explain that ISO 27001 is one good way to go in order to help your organization to comply, but as it stands, it is not enough.
Whilst I don’t disagree with this opinion in general, it is worth clarifying that the GDPR is not, in itself, “bigger” or “broader” than ISO 27001 (other than the fact that it is a law). If you have ISO 27001, and your implementation has been properly focused on information privacy, freedom of information and the rights of individuals, and is aligned with current data protection law and good practice, then you may well be very close to the goal already.
You are likely to be missing aspects that are specific to the new regulation, such as appointing a Data Protection Officer where the regulation requires one, or having sufficient contractual coverage in place when transferring data outside of the EU. These are still aspects that an ISO 27001 ISMS can readily bring within its scope, however.
As to whether your current ISMS is sufficient: if you have approached the implementation and operation of your ISMS with a genuine interest in assuring the privacy of the personal information that your organization collects, uses and stores, then you are probably already well placed. Full compliance is unlikely, but perhaps not so far off.
So what do the experts really mean when they say that ISO 27001 isn’t enough? I believe they are actually referring to the more likely scenario: an ISO 27001 certified company operating an ISMS that meets only the minimum requirements of the standard, that has been ticking boxes in order to keep its certificate, and/or that lacks top management direction and support for things like privacy and the rights of individuals with regard to their personal information.
Yes, there are plenty of companies in the world who simply have certification because they need to win projects, tick a box, or simply because the IT manager wanted to list it as an achievement on their resume.
Have a look around at companies whose ISMS has an IT-only scope. Clearly, they cannot have considered the flow or use of personal information throughout the organization, since they excluded everything relevant from the scope, and so their existing ISMS is going to fall well short of the newly mandated GDPR requirements.
If you have been viewing ISO 27001 simply as a technical standard or framework, then I am going to have to agree that the GDPR is much bigger than your ISO 27001 implementation.
However, all is not lost. Any ISO 27001 implementation will go some way towards addressing GDPR principles and requirements when it comes to preserving the confidentiality, integrity and availability of personal information, and the framework that is already in place can be extended to cover a much wider and more relevant scope.
In a nutshell, most ISO 27001 implementations are not going to cover all of your GDPR requirements. There is going to be plenty of work to do, even for the best of them. But it certainly will aid your compliance journey, and it provides a great framework for managing data privacy within an organization, should you so choose.
Agree? Don’t agree? Got a question or comment about the GDPR or ISO 27001? Comment below. Thanks for reading!