Most GDPR articles outline the methods you must employ to ensure compliance while collecting personal data from EU citizens. The security requirements for protecting and processing personal data are outlined in the latter part of the GDPR, whereas the major focus of ISO 27001 is on securing personally identifiable information (PII) and performing continuous audits to ensure the safety of PII.
In a nutshell, the GDPR mostly deals with personal data collection, while ISO 27001 helps ensure that this collection of confidential data is secure. Therefore, if you adopt ISO 27001, you will only be partially compliant with the GDPR.
If your enterprise has already adopted ISO 27001 standards, you need to do the following to become fully compliant with the GDPR:
- Revisit consent documents and agreements to ensure that they:
  - Include the purpose for which the personal data is collected.
  - State all the purposes for which the personal data will be used.
  - Obtain explicit consent from the data subject.
- Ensure that your data handling policy is aligned with the rights of data subjects.
- Identify and monitor personal data that is required by the GDPR but not ISO 27001, such as IP addresses, cookies, and radio frequency identifiers (RFIDs).
Further, ISO 27001 includes controls for preventing data breaches. As we know, breaches do happen, and Article 33 of the GDPR elaborates on the post-breach actions you need to take. The information security management system (ISMS) defined by ISO 27001 will help detect data breaches to a certain extent, whereas the GDPR requires organizations to detect and report data breaches within 72 hours.
Already ISO 27001-compliant? Here’s what you need to do to achieve GDPR compliance.
- Deploy solutions that detect threats and breaches in real time.
- Perform post-breach activities. Have proper mechanisms in place to:
  - Restore the availability and integrity of personal data from backed-up data.
  - Conduct thorough forensic analysis of the breach and assess its impact, including the systems, services, and personal data that were affected.
  - Learn everything about the data breach: who did what, where the data breach occurred, and whether it was an internal or external attack.
  - Take the steps necessary to avoid similar attacks in the future.