The Certification Europe Roadshow packed its bags last week and headed south-west to Co. Cork for the second stop of the ISO 27001 Roadshow "INFOSEC vs GDPR". The venue for our second seminar was the Clayton Hotel, located just off the River Lee.
The line-up consisted of Michael Brophy (CEO of Certification Europe) and Brian Honan (BH Consulting), with special guest speaker Sean Griffin of Poppulo (formerly Newsweaver).
Brian Honan kicked off the seminar discussing the four-letter abbreviation that is having many organisations break into a cold sweat – GDPR, the General Data Protection Regulation.
Brian began his talk by explaining how the new regulation is more stringent on consent and gives users more control over their data. Consent from the user must be clear, and the user must know exactly what they are signing up for. Organisations must give a clear definition of what they will be doing with the data. Users will now have the right to be forgotten and the right to have their data corrected. Obviously there are exceptions to this rule: you cannot tell the Revenue Commissioners to forget you exist, but you can contact your bank and they must correct your information if it is out of date or no longer relevant. From May 25th, if an individual contacts your company requesting to see the data you hold on them, you must respond within one month of the request.
Brian went on to add that the repercussions of a data breach come not only from the regulator but can also come from individuals themselves. Brian said, "Data protection is not just a company issue but a personal issue". Under GDPR, users can sue organisations over a data breach based on the "stress and concern" the breach has caused them. Brian also told delegates that users will have the legal right to sue the individual within the company who caused the breach in the first place. It will then be up to the organisation or the individual, depending on the case, to prove that the measures GDPR requires were in place and upheld to the best of their ability.
This led into what organisations can do to prepare for this situation. The key is to put systems and procedures in place that demonstrate compliance with GDPR. The most common cause of a data breach is not a sophisticated hack but human error by an individual within your organisation or supply chain. One of the most important steps your organisation can take on its journey to GDPR is training. Awareness of possible threats, and pre-empting them, is key. Training everyone in your organisation, from the top down, can make the difference in preventing a breach.
Our guest speaker for the Cork event was Sean Griffin from Poppulo (formerly Newsweaver). Sean highlighted the overlap between GDPR and ISO 27001, and how many of the measures already in place make Poppulo better prepared for GDPR. Sean said, "documentation is key" for successful implementation of ISO 27001. It took Sean and his team nine months to get ready for certification, as they also had their "day jobs" to do.
Sean discussed Poppulo's journey to ISO 27001 certification. He told the delegates how the standard is not only helping them on their journey to GDPR compliance, but also how the information security standard has helped Poppulo grow from a team of 60 to 150 in the last three years.
Growth with ISO 27001
Sean focused on continuous improvement, which is a huge part of ISO 27001. He explained that it allowed them to review every aspect of how they manage their data, to continuously improve their systems, and to widen the scope of the management system within Poppulo. Sean also explained how the management system helps them protect their brand by managing potential risks before they cause an issue. He said this has been a key factor in their growth from a team of 60 to 150 over the last 36 months.
Sean explained that not only do you need to review your own systems, you must also contact any organisations you outsource to and ensure they are protecting the data they hold to the same standards you set. Poppulo is now turning away suppliers it believes are not up to its standard of data management, since a weak supplier could damage the Poppulo brand. This awareness was only possible because of the implementation journey they have taken with ISO 27001.
Sean's final point was about the audit process: never assume the auditor is out to get you. That brought us nicely to the finale of the seminar, Michael Brophy, CEO of Certification Europe. Michael spoke about common misconceptions about ISO 27001, focusing on the flexibility of the standard and how it can be adapted to suit the needs of an organisation.
Michael stressed that organisations do not need to implement the information security standard across the entire company at once, but can start with an analysis of key data assets and expand from there.
People and Technology
Human error by a member of staff is the most common cause of a data breach. An ISMS such as ISO 27001 brings people and technology into line with the aim of reducing risk and enforcing compliance. It is not a piece of software you run to keep everything safe. Michael explained that organisations are using ISO 27001 as a way to make all members of staff, from the top down, aware of the dangers of a breach and of how to deal with a data breach if one occurs. GDPR is about ensuring that data controllers are doing everything possible not only to protect users' data but also to ensure that data is not being misused.
The seminar concluded with a lively Q&A session with questions about GDPR, the Data Protection Officer role and ISO 27001. For many in the room that morning, it was clear the takeaway was how ISO 27001 can help them comply with GDPR over the next nine months, and that hacking is not the only threat to your brand. Training and awareness of staff are crucial to a secure system.
If you missed our first two seminars, there is still time to register for our Athlone and Belfast events, taking place on November 9th and 16th respectively.
ATHLONE EDITION // NOVEMBER 9TH // BOOK HERE
Venue: Radisson Blu Hotel Athlone, Northgate Street, Co. Westmeath.
BELFAST EDITION // NOVEMBER 16TH // BOOK HERE
Venue: Merchant Hotel,
16 Skipper St, Belfast BT1 2DZ, UK
If you wish to learn more about ISO 27001, you can join our mailing list here, or you can speak to one of our advisors about ISO 27001 and GDPR.