Are you adequately covering GDPR within your ISMS?

|
|
PUBLISHED on
22 Jul
2022

Table of Contents

We have seen an increased focus on the General Data Protection Regulation (GDPR) by certification body (CB) assessors when conducting ISO 27001 audits.  In the past, assessments typically focused on whether organisations were registered with the Information Commissioner’s Office (ICO), whether they were complying with the ‘Privacy and protection of personally identifiable information’ (ISO 27001 Annex A control 18.1.4), and whether they had developed and implemented a legal and regulatory register and a data protection policy.

However, since the GDPR came into force, we have seen an expectation from CBs, understandably, for a more robust approach where:

  • The GDPR is referred to in the stated ‘risks and opportunities’ (ISO 27001 Clause 4 and 6.1.1) and whether the organisation needs to take action under Article 3 (main establishment/territorial scope)
  • The GDPR is taken into account under ‘Planning’ (ISO 27001 Clause 6)• Resources (and competencies) are assigned /made available to the data protection officer (DPO) role under ‘Support’ (ISO 27001 Clause 7)
  • A process is defined for dealing with all types of data subject requests (ISO 27001 Annex A Control 18.1.4) and the data subject access request (DSAR) process in particular

  • An information security breach process includes steps for notifying the ICO, i.e., ‘Reporting information security events’ (ISO 27001 Annex A, A.16)
  • Data transfers to non-UK and non-EEA countries are addressed within ‘Supplier relationships’ controls (ISO 27001 Annex A, A.15 controls) and contracts.  This links back to risks and opportunities (ISO 27001 Clause 6.1) in terms of the impact of the ECJ’s ruling in the Schrems II case and the use of the ICO’s International Data Transfer Agreement (IDTA) and the EU standard contractual clauses (SCCs), and whether these are sufficient, particularly to cover onward transfers within the supply chain.  The IDTA, the EU clauses and the SCCs’ Annex II commitments to security measures should also be formalised to safeguard internal, inter-group transfers
  • Security and privacy (i.e., privacy by design and default) are considered under ‘System acquisition, development and maintenance’ controls (ISO 27001 Annex A, A.14 and A.6.1.5)
  • Personal data retention periods are specified under ‘Protection of records’ (ISO 27001 Annex A, A.18.1.3).

Whilst it can be argued that all of the above measures are appropriate and part of adequate and sensible planning, it does represent a significant step change in the expectations of the CBs.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Thumbnail of the Blog Illustration
Data Protection
Published on
19/1/2024
Analysis of Fines Imposed by the Information Commissioner’s Office in 2023

URM’s blog breaks down the fines issued by the ICO in 2023 for data protection breaches, highlighting emerging trends in their approach to enforcing compliance.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
12/4/2024
Data Protection Considerations for Artificial Intelligence (AI)

URM’s blog discusses the data protection considerations for utilising AI technologies, and how organisations can stay GDPR compliant in their use of AI.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
21/7/2022
BS 10012:2017 – What are the Benefits and How Do I Achieve Certification

BS 10012 is a standard which has been developed to enable organisations to implement a personal information management system (PIMS).

Read more
We cannot thank URM enough for their help in ensuring our business is GDPR compliant. Both the gap analysis conducted and the in-depth assistance with the ROPA were made much easier and understandable with URM’s help. I would like to give particular thanks to URM's Consultant for providing us with the best guidance and making a famously complex topic comprehensive, and to our Account Manager for helping make sure all our needs were covered.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.