ISO 27001 and General Data Protection Regulations (GDPR) are related in the sense that they’re concerned with data security and share many common themes.
ISO 27001 accreditation demonstrates that your business has systems in place to protect corporate information and data. However, implementing the ISO 27001 Management System does not necessarily mean that you have fulfilled your responsibilities as a business handling personal data in accordance with GDPR. We’ll explore this and lots more in our article, so let’s get to it!
GDPR vs ISO 27001: What’s the difference?
It’s a common misconception that ISO 27001 and GDPR cover the same thing, but there are two main differences between the two.
The ISO 27001 Standard enables your business to maintain processes and procedures that strengthen compliance with information security which is known as an Information Security Management System (ISMS).
GPDR is a set of laws that governs the use and processing of personal data for businesses. The main difference between ISO 27001 and GDPR is the legal status of the two. GDPR is a legal requirement that requires adherence at all times. Failure to maintain compliance with these requirements can result in costly legal fines from the Information Commissioner’s Office (ICO) of up to 4% of annual global turnover.
What are the GDPR principles?
GDPR regulations are split into seven guiding principles which cover the general aims of the framework.
- Lawfulness, fairness and transparency
- Purpose limitation
- Accountability
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
The regulations consider why personal information is collected, how long it’s kept and the way in which it’s stored.
The second difference is the formation of the two. Whereas GDPR regulations only came into force in 2018, ISO 27001 was established way before this, therefore compliance with the regulations wasn’t considered a factor during the construction of the ISO 27001 framework. The benefits of ISO 27001 in relation to GDPR is that whilst GDPR is a legal requirement it has limitations as it only focuses on personal data. ISO 27001 encompasses lots of different approaches to enhance the security of data across the whole of your business.
What are data subject rights?
A person – called a data subject in the regulation – has a number of rights when it comes to companies storing, accessing or using their personal information. These rights take into account special cases such as sensitive information and records held on children. The GDPR sets out these rights and describes your responsibilities as an organisation to uphold them.
What are my GDPR obligations?
It’s an important part of the regulation that you can prove your adherence to it. You should also be able to deal with any issues – such as breaches of information security – appropriately and according to the steps specified in the regulation. Companies that regularly process large amounts of personal data, or handle special data categories such as criminal convictions, must assign a Data Protection Officer (DPO). The DPO will be responsible for proving and ensuring that your organisation complies with data protection laws and practices.
How ISO 27001 helps you comply with GDPR
But, the big question is, does ISO 27001 cover GDPR? Well, there are a number of crossovers that are taken into account when your business is audited for ISO 27001 certification. Our ISO auditor will inspect areas within your organisation to determine if they comply with the criteria set out in the ISO 27001 Standard, and also with GDPR guidelines.
A big plus is the ISO 27001 certification process will give you insight into the areas which aren’t compliant with GDPR.
The following information is provided for guidance and is based on a fully integrated, well-managed ISO 27001 management system that already incorporates ISO 27001 controls and processes for handling personal information.
To determine how well your management system covers GDPR, we would always recommend a gap analysis be performed.
Principles
- Lawful, fair and transparent processing – Partial coverage by ISO 27001
- Data should be used as specified – Partial coverage by ISO 27001
- Data should be limited to what is necessary for the specified use – Partial coverage by ISO 27001
- Data should be accurate – Partial coverage by ISO 27001
- Keep data that can identify individuals for no longer than necessary – Partial coverage by ISO 27001
- Data should be protected at all times – Full coverage by ISO 27001
For further information please refer to ISO 27001 Clause 6, ISO 27001 Annexes 6.1.5, 7.2.2, 8.1, 8.2, 8.3.2, 12.3, 14.1.1, 16 and 18.1.4
Data subject’s rights
- The right to be informed – Partial coverage by ISO 27001
- The right to object – Partial coverage by ISO 27001
- The right to erasure – Partial coverage by ISO 27001
- The right to restrict processing – Partial coverage by ISO 27001
- The right of access – No coverage by ISO 27001
- The right to data portability – Partial coverage by ISO 27001
- The right to rectification – Partial coverage by ISO 27001
- Rights regarding automated decisions and data profiling – No coverage by ISO 27001
For further information please refer to ISO 27001 Clause 6.1.2, ISO 27001 Annexes 8.3.2, 12.3, 14.1.1, 16 and 18.1.4
Data Protection Obligations
- Information security breach notification – Full coverage by ISO 27001
- Restrictions on gathering children’s data – Partial coverage by ISO 27001
- Specific and informed consent to gather data – Partial coverage by ISO 27001
- Assignment of a Data Protection Officer – Partial coverage by ISO 27001
- Protection of data accessible by suppliers – Full coverage by ISO 27001
- Performance of risk assessments – Full coverage by ISO 27001
- Performance of a Data Protection Impact Assessment – Partial coverage by ISO 27001
For further information please refer to Clauses 5.3, 6.1.1, 8 and 9.1, Annexes 8.2.3, 8.3.2, 12.1.1, 14.1.1, 15.1, 16, 18.1.3 and 18.1.4
We can help you to achieve ISO 27001 certification
While gaining ISO 27001 certification does not provide coverage across all areas of the GDPR, it remains a valuable tool when it comes to protecting corporate information assets because it provides evidence of how you manage information and meet legal obligations, ensuring that information remains safe and secure at all times.
With ISO 27001 you can be confident that you have implemented best-practice security practices which will help you to improve resilience – protecting information assets from being lost, stolen or corrupted. The Standard will also help you to manage your ongoing commitments when it comes to remaining compliant with the GDPR because it is strongly focused on continual improvement, helping you to increase customer confidence through the practice of reviewing and improving your ongoing information security processes.
To find out more or to speak with a Certification Development Consultant, please call 0333 344 3646 or contact us online with any queries you may have. Alternatively, you can try our online fee calculator.
We also have lots more helpful online resources for further reading about ISO 27001 and ISO management systems. Check out our dedicated blogs below.
How does ISO 27001 help to protect your organisation?