This post was first published on my corporate blog
The EU adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR) during May 2016. As of May 25, 2018, the GDPR will be a directly applicable law in all member states within the EU and the European Economic Area (EEA). While the GDPR does not introduce many substantially new concepts, it increases the compliance requirements of data controllers and personal data processors. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organization is actively managing its data security in line with international best practice.
What’s the difference between GDPR and the Data Protection Act?
There are considerable differences between the Data Protection Act and the GDPR. The GDPR is explicitly risk based, the risk being to the fundamental rights of a person with regard to the processing of personal data; data controllers and processors must manage that risk. In contrast, the Data Protection Act only implies the management of risk. The core difference between the Data Protection Act and the GDPR is that the Data Protection Act applies only to the UK, while the GDPR applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens. The Data Protection Act is enforced by the Information Commissioner’s Office (ICO), while GDPR compliance will be monitored by a Supervisory Authority in the UK, with each European country having its own Supervisory Authority.
Non-compliance with the Data Protection Act can result in fines of up to £500,000 or 1% of annual turnover. Under the GDPR, the potential penalties for non-compliance are much more severe, with fines of up to €20 million or 4% of the business’s annual global turnover. Under the GDPR, a Data Protection Officer is mandatory for any business or organization with more than 250 employees, whereas under the current Data Protection Act legislation there is no need for any business to have a dedicated Data Protection Officer. Under the GDPR, any data breach must be reported to the Supervisory Authority within 72 hours of the incident, while under the Data Protection Act businesses are under no obligation to report data breaches, though they are encouraged to do so.
Protection Impact Assessments (PIAs) are not a legal requirement under the Data Protection Act, but under the GDPR, PIAs will be mandatory and must be carried out when there is a high risk to the freedom of the individual. Under the current Data Protection Act, data collection does not necessarily require an opt-in.
The need for consent underpins the GDPR. Individuals must opt in whenever data is collected, and there must be clear privacy notices. Those notices must be concise and transparent, and it must be possible to withdraw consent at any time.
| Data Protection Act | GDPR |
|---|---|
| Applies only to the UK | Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens |
| Non-compliance can result in fines of up to £500,000 or 1% of annual turnover | Non-compliance is much more severe, with fines of up to €20 million or 4% of annual global turnover |
| A dedicated Data Protection Officer is not mandatory | A Data Protection Officer is mandatory for any business or organization with more than 250 employees |
| No obligation to report data breaches, though businesses are encouraged to do so | Any data breach must be reported to the Supervisory Authority within 72 hours of the incident |
| Enforced by the Information Commissioner’s Office (ICO) | Monitored by a Supervisory Authority in the UK, with each European country having its own Supervisory Authority |
| Protection Impact Assessments (PIAs) are not a legal requirement | PIAs will be mandatory and must be carried out when there is a high risk to the freedom of the individual |
How are EU GDPR, ISO 27001 and 27018 related?
ISO 27001 is a framework that in essence requires a risk-based approach to the management of critical and sensitive data and information and their associated supporting assets. The GDPR is about managing the risk to the fundamental rights that a natural person has regarding personal data. Both are risk oriented and require the identification of risk, and the planning and implementation of the controls necessary to reduce it to an acceptable level. ISO 27001 includes encryption of personal data and, as part of business continuity planning, the ability to restore and recover information and data in a timely manner.
According to the GDPR, personal data is critical information that all organizations need to protect. However, there are some GDPR requirements that are not directly covered by ISO 27001, such as supporting the rights of data subjects: the right to be informed, the right to have their data deleted, and data portability. If an organization stores or processes personal data in the cloud, it can also use ISO 27018 to cover many GDPR requirements. Therefore, if the implementation of ISO 27001 identifies personal data as an information security asset, and those that store or process personal data in the cloud follow the ISO 27018 recommendations, most of the GDPR requirements will be covered.
The ISO 27000 series of standards provides the means to ensure this protection. There are many points where the ISO 27001 and ISO 27018 standards can help achieve compliance with this regulation. Listed below are a few of the most relevant ones:
- Because of the high fines defined in the GDPR and their major financial impact on organizations, it will be natural that the risk to personal data found during risk assessment is too high to be left untreated. On the other hand, one of the new requirements of the GDPR is the implementation of Data Protection Impact Assessments, under which companies will first have to analyze the risks to privacy, the same as is required by ISO 27001. When implementing ISO 27001, personal data must be classified as high criticality.
- By implementing ISO 27001, it is mandatory to have a list of relevant legislative, statutory, regulatory, and contractual requirements. If the organization needs to be compliant with GDPR, this regulation will have to be part of this list.
- Breach notification – Companies will have to notify the data protection authorities within 72 hours after a breach of personal data has been discovered. The implementation of ISO 27001 will ensure a consistent and effective approach to the management of information security incidents, including communication on security events. According to the GDPR, data subjects will also have to be notified, but only if the breach poses a high risk to the data subjects’ rights and freedoms. Implementing incident management that results in the detection and reporting of personal data incidents will be an improvement for any organization wishing to conform to the GDPR.
- Asset management – ISO 27001 leads to the inclusion of personal data as an information security asset, and allows organizations to understand what personal data is involved, where it is stored, for how long, its origin, and who has access, all of which are requirements of the GDPR too.
- The adoption of Privacy by Design, a GDPR requirement, becomes mandatory in the development of products and systems. ISO 27001 ensures that information security is an integral part of information systems across the entire lifecycle.
In a nutshell, the GDPR mostly deals with personal data collection, while ISO 27001 helps ensure that this collection of confidential data is secure. Also, the GDPR expands on the Data Protection Act: it is focused on looking after the privacy and rights of the individual, and is based on the premise that consumers and data subjects should know what data is held about them, how it is held, and other core information that the Data Protection Act did not demand.