EU GDPR, ISO27001 & Compliance in Offshore Jurisdictions
Recently, I was asked “If ISO 27001 is implemented by companies in Mauritius, will they comply with the European General Data Protection Regulation (EU GDPR) requirements currently being introduced across Europe ahead of the May 2018 deadline?”
The EU GDPR impacts every entity that holds or uses European personal data both inside and outside of Europe. While Europe has long been highly concerned with privacy, in many other parts of the world, concerns are low and oversight is lax. Mauritian businesses targeting European customers need to get their act together and start preparing for the new regime.
The new regulation introduces a set of rules that require organisations to implement controls to protect personal data. For example:
Noncompliance: Administrative fines up to EUR 20 million, or up to 4 percent of total worldwide annual sales volume/revenue for the preceding financial year, whichever is higher.
Notification: A personal data breach leading to the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data must be reported within 72 hours.
Data protection accountability: Companies must demonstrate that considerable security measures are in place to protect users’ private data.
Data subject’s right to access, rectification, erasure and portability: Organisations need to validate the individual’s identity, swiftly produce personal data it processes, and correct, erase or transfer data on request.
In layman's terms, GDPR compliance is enforced through the threat that customers and partners will cease doing business with non-compliant organisations, a substantial impact on the bottom line from fines, and a substantial demand on security and I.T. operations.
The EU GDPR mandates numerous privacy arrangements and controls designed to protect personal data, many of which are also recommended by ISO27k standards. Organisations that currently have an ISO27k ISMS (Information Security Management System) are therefore likely to have certain GDPR requirements in place.
Some EU GDPR requirements are not directly covered in ISO 27001, such as the right to be informed, the right to have data deleted, and data portability. However, if the implementation of ISO 27001 identifies personal data as an information security asset, several of the EU GDPR requirements are covered.
The GDPR is legislation about data protection, not about cyber security. However, cyber security technology is required in order to be compliant and can help to achieve compliance, in the following areas:
Governance and accountability of policies
Implementation of policies, record keeping and reporting
Management of identities and authentication
Data and infrastructure security (e.g. encryption, data loss prevention)
Data breach notification and incident response
Cloud security and cloud management
From a compliance perspective, implementation of ISO 27001 promotes a culture and awareness about security in organisations. Information security is not only about technology; it’s also about people and processes. ISO 27001 can assist with:
Management of information security incidents
Classification of information (personal data)
Identification of applicable legislation and contractual requirements
Privacy by design (System acquisitions, development and maintenance) ensures that information security is an integral part of information systems across the entire lifecycle.
In a nutshell, the ISO 27001 standard is an excellent framework for compliance with the EU GDPR. Organisations should conduct an EU GDPR Gap Analysis to determine what remains to be done to meet their EU GDPR requirements.