by Jim Ashton | Nov 10, 2017
This article deals with a common misconception that having an information security certificate or a cyber security certificate somehow exempts you from having to implement the GDPR.
Purpose of this document
This document shows the UK regulator's response to the relationship between information security certificates, cyber security certificates and the GDPR.
- ICO: Information Commissioner's Office, the UK's data protection regulatory body
- ISO 27001: an information security certification
Information security certifications and the GDPR
Not for the first time today I was asked whether an information security certification (in this case ISO 27001) was the "silver bullet" for all GDPR compliance issues.
As this is a common question and I know the answer but I am not the regulator, I thought I would get confirmation from the horse's mouth, the Information Commissioner's Office (ICO), the UK's data protection regulator.
The ICO have an interactive chat line, so I asked the question:
"I have just been told that getting ISO 27001 accredited is a silver bullet for all things GDPR related. Does this mean that if an organisation is ISO 27001 accredited it does not have to bother with GDPR?"
Here's the transcript of the chat
|Hi, Please find attached a transcript of your online conversation with us. Regards, Information Commissioners Office|
|[2:12 PM] Jim has joined the room|
|[2:12 PM] ico_alexs has joined the room|
|[2:13 PM] ico_alexs:||Hi Jim, how can I help you?|
|[2:14 PM] Jim:||Hi. I have just been told that getting IS27001 accredited is a silver bullet for all things GDPR related. Does this mean that if an organisation is ISO 27001 accredited it does not have to bother with GDPR?|
|[2:14 PM] ico_alexs:||Please bear with me whilst I consider your enquiry.|
|[2:14 PM] ico_alexs has joined the room|
|[2:22 PM] ico_alexs:||Thanks for your patience, you will have to be compliant with the GDPR no matter what certifications you hold. However, you may be meeting the requirements of GDPR when you receive certain certifications. It appears the one you are referring to is one we are aware of, and raises a minimum level of security for information governance. This does not necessarily mean you are compliant with GDPR.|
|Under GDPR Article 40 allows provisions for organisations to receive accredited certifications from authorised bodies (authorised by the ICO) to show that they are GDPR compliant, however none of these certifications have been created yet.|
|[2:23 PM] ico_alexs has joined the room|
|[2:24 PM] ico_alexs:||You will need to consider that being compliant is an ongoing process, because the GDPR give individuals rights of access and erasure. So, you may need to continuously action these rights in order to stay compliant.|
The conclusion is not a surprise.
ISO 27001 and other information security certifications go some way towards GDPR compliance. However, the GDPR requires the implementation of:
"appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation."
As suspected ISO 27001 helps support the technical measure but not the organisational measures.
Put into perspective:
- A technical infraction is in the 10 Euro million range.
- An organisational infraction is in the 20 Euro million range.
Bear this in mind the next time you get told that information security certification or cyber security certification is all that is needed to become GDPR compliant.
More articles: GDPR and personal data in the USA, Privacy Shield or Model Contract? | GDPR controller to processor contract considerations | Dealing with suspected personal data breaches under the GDPR | GDPR employee monitoring | Are you respecting your employees rights to privacy? | GDPR Human Resource consideration case study covering consent and rights | GDPR scaremongering | a few GDPR myths exposed | GDPR, what is personal data for European organisations? | Information security certifications and the GDPR | Am I OK with an ISO 27000? | How to set up a representative for the GDPR in the EU | When should you appoint a Data Protection Officer?