Leveraging the ISO Framework to Help With Privacy Compliance Laws
Published December 2, 2024.
Privacy is the new buzzword. People have become increasingly aware of their privacy rights in the last few years and expect businesses to protect their personal data. It is becoming increasingly important for leaders to ensure that data protection is built into their company's products and services. They need to be proactive in complying with the various data protection laws; failing to do so can lead to hefty fines, a damaged public image, and eventually a large financial loss.
According to Gartner, 10% of the population is currently covered by modern privacy laws, a figure expected to rise to 65% by 2023. The GDPR (General Data Protection Regulation), introduced in 2016, is one of the most comprehensive data protection laws and aims to protect the personal data of European Union citizens. Other countries have also introduced data protection laws, and their number is constantly increasing. Given the need to comply with various laws and the heavy penalties associated with them, more and more organizations are considering a comprehensive privacy program that can adapt to different privacy regulations. The requirements of cybersecurity standards and privacy laws overlap at many points, and organizations can leverage their current cybersecurity posture to enhance their privacy.
Leveraging the ISO 27001 Framework
One of the best-known and most widely used cybersecurity standards is ISO 27001. The standard presents a framework for cybersecurity management that suits businesses large and small. ISO 27001 establishes a set of information security processes in the organization, and these can help in managing GDPR-related requirements with ease.
By implementing ISO 27001 with privacy in mind, you can save much of the effort of meeting the privacy requirements imposed by different laws. Many privacy laws and ISO 27001 have similar, if not identical, requirements, such as risk assessment/privacy risk analysis, written procedures, asset mapping, and classification.
By defining the right assets as part of the ISO effort, you will both strengthen information security and achieve privacy compliance. Some examples of how GDPR and ISO 27001 are similar, and how the ISO framework can be leveraged to meet GDPR requirements:
- Technical and organizational measures: Article 24 of the GDPR specifies that organizations shall adhere to codes of conduct and implement technical and organizational measures to demonstrate that processing is performed in accordance with the GDPR. ISO 27001 can be used as a component in demonstrating compliance with this requirement.
- Vendor management: GDPR Article 28 requires that processors implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Regulation. ISO 27001 Annex A.15 specifies the requirements an organization shall meet to protect its assets that are accessible to, or affected by, vendors. The vendor management framework of ISO 27001 can be leveraged to meet this requirement of the GDPR.
- Security of processing: GDPR Article 32 requires that organizations implement technical and organizational measures ensuring a level of security appropriate to the risk presented by processing personal data. The ISO 27001 requirements overlap with those of GDPR Article 32 in many places. An effective Information Security Management System (ISMS) built on the requirements of ISO 27001 can be leveraged to meet all the requirements of this article.
- Breach notification: GDPR Articles 33 and 34 require that the organization inform the supervisory authority and the data subjects of a personal data breach. ISO 27001 A.16 requires a consistent and effective approach to the lifecycle of incidents, events, and weaknesses. If you set up incident management processes in your organization as per ISO 27001, you can readily handle the requirements of GDPR Articles 33 and 34.
- Record keeping: GDPR Article 30 requires that the organization maintain a record of the processing activities under its responsibility. ISO 27001 A.8 requires that the organization identify the information assets in scope for the management system and define appropriate protection responsibilities. With this goal in mind, the records should show why and how the data is being processed.
In addition, the ISO organization has introduced ISO 27701, a Privacy Information Management System (PIMS). ISO 27701 is not a stand-alone standard but an accredited extension to the existing information security standard ISO 27001. ISO 27701 is designed to cover privacy laws and regulations around the world. Complying with ISO 27701 can support your organization in meeting regulatory requirements and managing privacy risks related to Personally Identifiable Information (PII).
So if you start your ISO 27001/27701 journey with privacy compliance in mind, you will already meet some of the requirements of the new privacy laws. This will save you a lot of effort, and your organization will be well prepared whenever a new privacy law is introduced; with a little tweaking, you will be good to go.
When starting your ISO 27001 project or renewing it, think not just about security but also about privacy. Define assets containing PII (personally identifiable information) as assets to protect. For those of you who already have ISO 27001, make sure to check the latest privacy standard, ISO 27701, for privacy information management that can be implemented as an extension to your current ISO 27001.
Get in touch with GRSee Consulting regarding ISO 27001 and ISO 27701 projects.