The name Doorstep Dispensaree became ingrained in the memory of every UK data protection aficionado in December 2019 when the ICO (the Information Commissioner’s Office, the UK’s independent supervisory authority for the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations) slapped the London-based pharmacy with the first UK fine under the GDPR. The £275,000 penalty was for “failing to ensure the security of special category data” (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, and data concerning health, sex life or sexual orientation), which included leaving sensitive data outside the back of an office in a cardboard box – no, really.
In 2020 hefty fines followed. An eye-watering £20 million fine brought turbulence to British Airways for processing swathes of personal data without “adequate security measures”, Marriott International was given an inhospitable £18.4 million fine for failing to keep millions of customer records secure, and Ticketmaster was ticked off with a £1.25 million fine, having “failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot”.
At the time of writing, these are the only fines that have been issued by the ICO since the GDPR’s inception and they can all be intrinsically linked by one word – security.
It is little wonder then, that security certifications, particularly ISO 27001, have seen a sharp uptake in recent years.
ISO 27001 is the international standard for information security and outlines a best-practice approach for organisations to establish an Information Security Management System (ISMS) to manage their people, processes and technology.
Now whilst this all sounds very good, it has led to speculation that merely having the certification makes an organisation GDPR compliant. Spoiler alert: it doesn’t.
However, there are still clear benefits to certification. Therefore, for organisations considering certification to ISO 27001, it is worth looking at the similarities and differences between it and the GDPR, to better understand how it can assist your organisation towards compliance.
- Security of Processing
When it comes to similarities, the obvious place to start is Article 32 GDPR – Security of Processing. Article 32 requires organisations to implement, operate and maintain technical and organisational security measures appropriate to the risk in order to protect personal data. However, other than citing a handful of measures, such as pseudonymisation and encryption, the article does not provide detailed guidance on how one achieves proportionate security measures.
Fortunately, ISO 27001 can fill in the gaps. Annex A of the 2013 edition lists 114 security controls across 14 categories (the 2022 revision restructures these into 93 controls across four themes), and an organisation must justify in its Statement of Applicability which of them it applies. The controls cover measures far beyond those mentioned in the GDPR, such as HR security, communications security, asset management and physical security; implementing the applicable ones puts an organisation in a strong position to demonstrate that the Article 32 test has been met.
- Risk Assessments
Another requirement of the GDPR, which can strike fear and anxiety into even those well versed in data protection, is the need to conduct risk assessments.
The GDPR is a risk-based piece of legislation and dutifully informs us that we must do risk assessments to be able to choose proportionate security measures (Article 32), to assess the severity of data breaches (Articles 33 and 34), and to determine next steps for new projects (Article 35 – Data Protection Impact Assessments). What the legislation does not tell us, however, is how to assess risk.
On the other hand, ISO 27001 requires an organisation to establish a risk assessment framework and then to systematically address information risks and controls throughout the organisation. This includes, but also goes beyond, privacy and compliance aspects. So, those with ISO 27001 certification should, in theory, be better positioned to assess the likelihood of a risk occurring and its impact should it occur, without the common fear of overestimating, or worse, underestimating a risk.
- Data Sharing
Another link between the GDPR and ISO 27001 concerns data sharing. While the GDPR requires organisations to protect the information they share with data processors, joint controllers and controllers in common (although the last of these is not expressly defined in the legislation itself), ISO 27001 requires organisations to protect their assets that are accessible by suppliers – including factoring information security into supplier agreements.
In addition to the three points discussed above, there are a host of other areas both have in common, including the reporting of data breaches/security incidents; the GDPR’s data protection by design requirement and Annex A.14 of ISO 27001 (system acquisition, development and maintenance); and the fact that ISO 27001 requires organisations to maintain a list of relevant legislative and regulatory requirements – of which the GDPR is clearly one. Crucially, however, there are key differences between the two ‘standards’, for want of a better word, that must be acknowledged.
When considering the differences between the GDPR and ISO 27001, they can largely be distilled down to this: the GDPR is about more than just security, whereas ISO 27001 starts and ends with just that. With five other principles to consider alongside the integrity and confidentiality (security) principle, and 98 other Articles besides Article 32, the GDPR is far wider in scope, covering areas in detail that ISO 27001 may only touch on or, in some cases, miss completely.
Data subject rights are one of the core areas of GDPR compliance. However, ask the Head of Security of an ISO 27001 certified organisation about them and you may receive a blank look. Furthermore, when we consider transfers of information, whilst these are covered to a certain extent, the specific requirements around international transfers are not. Add in Brexit uncertainties and this area of processing can be a minefield. Consent and the other lawful bases for processing are also not covered directly, and while there is an argument that these can be mapped against elements of ISO 27001, it requires a certain amount of artistic interpretation of the standard, and the focus on information security is largely considered too narrow.
Finally, perhaps the most significant distinction, is that ISO 27001 is voluntary, while GDPR is, very much, not.
It is hoped that this comparison makes clear that whilst the GDPR and ISO 27001 do overlap in some ways, overall they really are not that similar at all. So, unfortunately, any rumours that ISO 27001 certification is a silver bullet for GDPR compliance are entirely unfounded.
That is not to say, however, that ISO 27001 will not aid an organisation’s GDPR compliance. It provides an excellent starting point for achieving robust “technical and organisational measures” – terminology littered throughout the GDPR. What is more, the GDPR directs companies to look at existing best practices and recommendations, such as ISO 27001, to minimise the risk of data breaches. Perhaps most importantly, certification demonstrates that famed pseudo seventh GDPR principle – accountability – which requires controllers to take responsibility for complying with the GDPR and to document their compliance. It promotes a culture of awareness surrounding information security and requires organisations to keep a great deal of documentation, which auditors and regulators alike are always keen to see.
In addition, whilst ISO 27001 lacks the scope to deal with a lot of areas that the GDPR does, the International Organization for Standardization developed ISO 27701 to address these gaps. ISO 27701 is a “privacy extension” to ISO 27001 and specifies the requirements for a Privacy Information Management System (PIMS).
There is no question then, that an organisation with ISO 27001, or both ISO 27001/27701 certification, has a distinct advantage when complying with the GDPR. The drawback is that many ISO 27001/27701 implementation projects take time, money, blood, sweat and tears. As with many aspects of GDPR compliance, it is ultimately a decision as to whether the sometimes arduous process of getting the certification can be justified by the long-term benefits, based on the context and the data processed by the organisation.
There is also the added consideration that the GDPR prescribes how personal data should be managed and protected on an ongoing basis. An ISO 27001/ISO 27701 audit is a point-in-time assessment; annual surveillance audits and three-yearly recertification narrow the gap but do not close it. And so a company can be certified and pass an audit one day, and then suffer a catastrophic data breach the next. A member of staff leaving data outside in a cardboard box, for example.