It makes good business sense to manage information well. With high levels of information security, you will improve your company’s brand reputation, boost customer and employee trust, and save time and money by ensuring personal information is accurate, relevant, and secure. 

The GDPR was created with today’s technology in mind, bringing data protection regulation into the twenty-first century and strengthening people’s privacy rights, providing them with more control.

A number of suspected and confirmed security breaches have been disclosed in recent years. When these are reported to and examined by the Information Commissioner’s Office (ICO), its first step is to check the organisation’s information security governance procedures, particularly whether it has a Senior Information Risk Owner (SIRO) and/or a Data Protection Officer.

As a data controller, you need to assess your high-level compliance with data protection legislation under the General Data Protection Regulation, which includes the new rights of individuals, handling subject access requests, consent, data breaches, and the responsibilities of a designated Data Protection Officer.

GDPR auditing can help by mapping and recording the flow of your company’s personal data, from start to finish, making it possible to identify non-compliance issues with the Data Protection Act. It’s vital for companies to have an effective means of monitoring, reviewing and auditing their compliance with legislation.

So what are some of the benefits that ISO 27001 brings to GDPR compliance?

Note: in the near future we will be issuing guidance on the relationship between GDPR and the new ISO 27002 information security controls. If you want to be notified, sign up to our alerts.

1 – Project management controls introduce Privacy by Design, a GDPR requirement for the development of systems and products.

2 – Asset management assists in understanding which personal data assets are held and in assessing the importance of those assets, i.e. their confidentiality, integrity and availability requirements.

3 – Supplier management identifies which suppliers support the processing of personal data and the safeguards they have in place.

4 – Incident management procedures help to reduce the impact of a breach by establishing procedures to prepare for, detect, contain, eradicate, recover from and report incidents.

5 – Access controls introduce regular checks to ensure that those who have access are authorised to have it, including suppliers.

6 – Destruction and records management ensures that personal data is not held longer than necessary and that it is destroyed in a secure manner.


Additional benefits include:

> You can prove to your clients, stakeholders and suppliers that you are serious about data protection. Following personal data breaches, numerous organisations have had to sign a written undertaking to the ICO regarding personal data losses, which the Commissioner and, in certain cases, the media then publish.

> GDPR compliance means you will have put technical steps in place to reduce the risk of a serious breach, giving customers more confidence.

> You will have policies and procedures in place and clear guidance on how they should be used.

> Many breaches happen due to employee error or action – with GDPR compliance in place you will provide staff training and awareness programmes to remind them of their obligations.

> You will have to provide evidence to the ICO that data protection is a high priority within your organisation, which in turn improves your information security reputation.


In addition, a full and complete end-to-end GDPR Audit will:

> Provide independent assurance of compliance

> Verify that your “data protection” system works and is effective

> Deliver a measurement of compliance and actions to plug any potential gaps

> Identify key risks, define mitigations, and find potential future threats

> Increase awareness of data protection among employees and management


How can we help?

Find out more about our GDPR Consultancy services and our GDPR Audits