The General Data Protection Regulation (GDPR) in the Context of ISO 27001

Information Security, ISO Standards

The General Data Protection Regulation (GDPR) was approved by the European Parliament on 14 April 2016 and replaced European Directive 95/46/EC. In Ireland, the Data Protection Act 2018 (No. 7 of 2018) was signed into law on 24 May 2018, to coincide with Regulation (EU) 2016/679 (GDPR) becoming applicable across the EU on 25 May 2018. The Act implements the derogations permitted under the GDPR and represents a major overhaul of the Irish regulatory and enforcement framework.

General Data Protection Regulation

The General Data Protection Regulation introduces new data protection requirements. For example, it requires businesses to:
  • implement appropriate technical and organisational security measures, proportionate to the risk, which can include pseudonymisation and encryption of personal data;
  • notify personal data breaches to the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of them. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed;
  • appoint a data protection officer in certain circumstances (e.g. public authorities, organisations whose core activities involve large-scale regular and systematic monitoring of individuals, or large-scale processing of special categories of data);
  • conduct data protection impact assessments (DPIAs) before carrying out processing that is likely to result in a high risk to individuals;
  • build in data protection by design and by default when processing personal data.

Companies now need to adopt a holistic approach to data governance.

Under the General Data Protection Regulation companies remain responsible for the personal data they collect, including when they transfer it to third parties (processors) to be processed on their behalf. Companies need to ask themselves the five ‘W’s of data:
  • Whose data is it?
  • Why are we processing it?
  • Where is it kept or transferred?
  • When will we delete it?
  • What safeguarding mechanisms do we have in place?

Sometimes it is necessary to keep data for long periods of time, for legal or auditing purposes or for medical records, and in those cases you must implement an appropriate retention policy that specifies the ‘shelf-life’ of each category of data and what happens to it when that period expires.

One way of managing the security of data is by implementing, and being certified to, ISO 27001:2013, the international standard for information security management systems. ISO 27001 provides a robust and systematic approach to managing information security risk, thereby protecting both the organisation’s information and its reputation.

The standard helps businesses to become more resilient and responsive to threats to information security. It helps keep the company secure so it can focus on doing “business as usual” whilst clearly showing clients and suppliers its commitment to protecting information.

ISO 27001 can assist companies with the security requirements of GDPR by addressing the three classic security properties of information:
  • Integrity: safeguarding the accuracy and completeness of information and processing methods;
  • Confidentiality: ensuring that information is not made available or disclosed to unauthorised individuals, entities or processes;
  • Availability: ensuring that information is accessible and usable upon demand by an authorised entity.

The two do not map onto each other exactly. ISO 27001 has a broader scope than GDPR, since it covers all of an organisation’s information assets rather than only personal data, while GDPR covers several areas that ISO 27001 does not, such as the right to erasure (the ‘right to be forgotten’), data portability, the right to be informed about the processing of one’s personal data, and the lawful basis for processing. Certification to ISO 27001 therefore supports, but does not by itself demonstrate, GDPR compliance.
