Come May 2018 EU GDPR is law, no getting around that. Disappointingly, GDPR does not stand for Giraffes Don't Play Risk. If you want to know more about the real GDPR give me a shout, I'm certified and more than happy to help you out (with information security, not giraffes or risk).

So what is GDPR?

If you control or process any personal data, this will affect your business. The ICO will enforce the law and can dish out fines of up to 20,000,000 (euro) or 4% of global turnover in your last financial year. Sounds very scary, but don’t worry, ISM is here to help. If you have ISO27001 you are probably better off than you think.

I am reading the law and I am (pleasantly) surprised by how closely it aligns with ISO27001. Did you know the word “risk” appears over 70 times in the text? The text also talks about implementing “appropriate technical controls” and “confidentiality, integrity and availability”, the principles which underpin ISO27001.

GDPR is split into many articles that go into a lot of detail about the responsibilities of processors and controllers, the rights of data subjects and the introduction of a “Data Protection Officer” (Articles 37 to 39). If you have ISO27001 implemented well, this role is normally taken by the information security manager (there is no requirement to name this person in 27001, but most companies do), as long as there is no conflict of interest. If you process large amounts of personal data it's worth reading these three articles.

Here are some articles that map directly to a clause or control in ISO27001:2013:

  • Article 35 centres around the Data Protection Impact Assessment (DPIA). This should be covered in your risk assessment and risk treatment plan (Clause 6 of the standard).
  • Article 25 introduces “Data protection by design and default”, which will affect developers, designers and coders (Clause 4 and Control A14 of ISO27001).
  • Article 33 introduces the notification of personal data breaches (Clause 10 and Control A16 of ISO27001).
  • Article 30 covers Records of Processing Activities (Clause 8 and Control A8 of ISO27001).

This list goes on and on! I’m not saying ISO27001 is a shield and you will never experience problems, in the same way that taking on an accountant does not guarantee never having problems with HMRC! So just because you have 27001, it's still worth reading GDPR or giving me a call.

So you have a couple of different options:

  1. Sit down and read all 88 pages of EU GDPR (Regulation EU 2016/679 v4.5 if you want to be precise). Go on some training, do your risk and data impact assessments, implement controls and hope not to get fined.
  2. Do nothing and hope it will be ok (Please, don’t do this!)
  3. Call ISM for a free, friendly no obligation chat about how to keep compliant

