What are the similarities between GDPR & ISO 27001?
The two standards have a lot in common, most of them related to information security. Here are the main ones:
- Confidentiality, availability and integrity of data.
Article 5 of the GDPR sets out the general principles for data processing, including protection against unauthorised or unlawful processing and against accidental loss, destruction or alteration. Article 32 specifies that companies must put in place technical and organisational measures to ensure data security: encryption, resilience of processing systems, the ability to quickly restore the availability of personal data, and so on.
Similarly, several controls in ISO 27001 are intended to help companies ensure the confidentiality, availability and integrity of data. Clause 4 requires them to identify the internal and external factors that can affect their security programme. Clause 6 requires them to define their information security objectives and build a programme to meet them. Clause 8 sets requirements for the ongoing operation of that programme and requires them to document it so that compliance can be demonstrated.
- Risk assessment
Both the GDPR and ISO 27001 require a risk-based approach to data security. Article 35 of the GDPR requires companies to carry out data protection impact assessments to identify risks to personal data. These assessments must be completed before any high-risk processing begins, in particular where highly sensitive data are involved.
ISO 27001 likewise requires companies to perform rigorous risk assessments to identify the threats and vulnerabilities that may affect their assets (clause 6.1.2), and to select appropriate security measures to treat those risks (clause 6.1.3).
- Stakeholder management
Clause 8 of ISO 27001 requires companies to identify the processes that are outsourced and to ensure that they remain under control. Clause 15 provides specific guidance on supplier relationships and requires companies to monitor and review the level of service their suppliers deliver.
Similar issues are covered by Article 28 of the GDPR, which requires data controllers to bind their processors to contractual terms and assurances through a “data processing agreement”.
- Notification of security breaches
Under Articles 33 and 34 of the GDPR, companies must notify the supervisory authority within 72 hours of becoming aware of a personal data breach. Data subjects must also be notified without undue delay, but only where the breach is likely to result in a “high risk to the rights and freedoms of data subjects”.
Clause A.16 of ISO 27001 sets no time limit for notifying security breaches, but it does require companies to report security incidents promptly and to communicate about them so that corrective action can be taken quickly.
- Data protection by design and by default
Article 25 of the GDPR stipulates that companies must put technical and organisational measures in place during the design phase of any project, so that the data protection rights of individuals are safeguarded from the outset (“data protection by design”). In addition, companies must protect personal data by default and ensure that only the information necessary for each processing purpose is used (“data protection by default”).
In ISO 27001, comparable requirements appear in clauses 4 and 6. Clause 4 requires companies to understand the scope and context of the data they collect and process, while clause 6 requires them to conduct regular risk assessments to confirm that their security management programme remains effective.
- Record keeping
Article 30 of the GDPR requires companies to keep records of their processing activities, including the categories of data, the purposes of the processing, and a general description of the technical and organisational security measures applied.
ISO 27001 requires companies to document their security processes, as well as the results of their security and risk assessments (clause 8). Information must be inventoried and classified, data owners must be designated, and rules for the acceptable use of data must be defined.
Does compliance with ISO 27001 guarantee GDPR compliance?
As we have seen, ISO 27001 certification can simplify the GDPR compliance process. However, there are several differences between the two standards. The GDPR is a high-level regulatory framework that gives companies a strategic view of how they should protect the privacy of personal data. ISO 27001 is a set of good practices focused on information security: it offers practical guidance on how to protect information and reduce cyber threats. Unlike the GDPR, it does not directly address the following privacy matters (set out in Chapter 3 of the GDPR, “Rights of the Data Subject”):
- Consent: data controllers must be able to demonstrate that data subjects have consented to the processing of their personal data (Articles 7 and 8). The request for consent must be presented in an easily accessible form, with the purpose of the processing clearly described. Data subjects also have the right to withdraw their consent at any time.
- Data portability: data subjects have the right to obtain and reuse their personal data for their own purposes across different services, and to transmit those data to another controller without hindrance.
- Right to be forgotten (right to erasure): individuals have the right to have their personal data deleted and any further dissemination stopped without undue delay.
- Right to restriction of processing: individuals have the right to limit how an organisation uses their personal data where the data have been processed unlawfully or where the individual contests their accuracy.
- Right to object: the data subject has the right to object to the processing of their data for marketing, research or statistical purposes (Article 21).
- International transfers of personal data: organisations must ensure that transfers of personal data outside the EU are made under safeguards approved by the European Commission (Article 46).
The GDPR focuses on privacy and the protection of personal information. It requires companies to deploy the means necessary to obtain explicit consent before collecting data and to ensure that those data are processed lawfully. However, it does not provide technical detail on how to maintain an adequate level of data security or reduce internal and external threats. This is where ISO 27001 provides answers: the standard gives practical guidance on developing clear, comprehensive policies that reduce the risks behind security incidents.
Although ISO 27001 compliance does not guarantee GDPR compliance, it is a valuable step towards it. Companies should therefore consider obtaining ISO 27001 certification to confirm that their security measures are strong enough to protect sensitive data.