How security standards can guide GDPR compliance efforts

Guest post:
By Brian Honan, CEO, BH Consulting

Many organisations are still trying to understand how GDPR will affect them, and what they will need to do to comply with it. The first thing to emphasise is that the General Data Protection Regulation is not an IT issue alone. It’s true that technical controls play a part in maintaining ongoing compliance, but GDPR is also a management issue. The proof is that the word ‘risk’ appears 75 times in the text of the regulation.

Where management goes, culture follows. Guidance from the top can ensure everyone in the organisation treats personal data responsibly. In practice, most organisations collect and use personal information about their customers or suppliers. Yet few of them know what they will need to do in order to comply with GDPR. Research commissioned by the Data Protection Commissioner found that 69 percent of SMEs have heard of the regulation, but 78 percent had not identified actions to take to become compliant.

One of the first steps to becoming compliant is for organisations to document what personal data they hold, where it originated and with whom it is shared. Measuring those processes against the requirements of GDPR makes it possible to identify gaps and address them.

This is where security frameworks such as ISO 27001 can help. GDPR comprises risk-based principles, so a risk-based security standard is well suited to mirroring the regulation’s requirements. ISO 27001 is a risk-based approach for securing valuable information and applies a high standard of controls to address areas like confidentiality, continuous protection, integrity and availability of information. Organisations can align the systems, controls, and processes they use for monitoring data assets with a widely accepted independent standard that is not aligned to any one technology or provider.

GDPR requires an organisation first to understand what data it holds, and all of the places where it is stored. This exercise, or data audit, not only helps to meet compliance requirements, it also has a business benefit. It will very likely uncover unnecessary duplicates of information or records that are no longer required. By deleting those copies, businesses can reduce the overhead of having to manage them. It also reduces the chances of being compromised or breached – an outcome that would be more likely to occur if an organisation does not know where it keeps all instances of its data.

There is no magic bullet for GDPR compliance, only a series of actions to take. Just as solid foundations are the bedrock for building a house, ISO 27001 is a robust platform that gives structure and support to data protection efforts.

ISO 27001 is more than just a set of guidelines to follow. There is a certification process to validate the work. The EU Data Protection Supervisor Giovanni Buttarelli said earlier this year that certification schemes “could bring great benefits” in helping organisations to navigate the GDPR. Accountability is one of the regulation’s key principles. Becoming certified to ISO 27001 demonstrates to all external stakeholders that the phrase ‘we take your security and privacy seriously’ isn’t just an empty promise but is the lived experience of the whole organisation.

BH Consulting will be presenting at the Certification Europe ISO 27001 Roadshow seminars. The nationwide roadshow stops off in Athlone on November 9th and in Belfast on November 16th at the Merchant Hotel, where an expert panel will discuss implementing an information security management system and demonstrating compliance with GDPR. For more details, or to register, see the Certification Europe ISO 27001 Roadshow.
