Come May 2018 EU GDPR is law, no getting around that. Disappointingly, GDPR does not stand for Giraffes Don't Play Risk. If you want to know more about the real GDPR give me a shout, I'm certified and more than happy to help you out (with information security, not giraffes or risk).
So what is GDPR?
If you control or process any data, this will affect your business. The ICO will enforce the law and can dish out fines of up to 20,000,000 (euro) or 4% of global turnover in your last financial year. Sounds very scary, but don’t worry, ISM is here to help. If you have ISO27001 you are probably better off than you think.
I am reading the law and I am (pleasantly) surprised by how closely it aligns with ISO27001. Did you know the word “risk” appears over 70 times in the text? The text also talks about implementing “appropriate technical controls” and “confidentiality, integrity and availability”, which underpin ISO27001.
GDPR is split into many articles that go into a lot of detail about the responsibilities of processors and controllers, the rights of data subjects and the introduction of a “Data Protection Officer” (Articles 37 to 39). If you have ISO27001 implemented well, this is normally the information security manager (there is no requirement to name this person in 27001, but most companies do), as long as there is no conflict of interest. If you process large amounts of personal data it’s worth reading these three articles.
Here are some articles that map directly to a clause or control in ISO27001:2013:
This list goes on and on! I’m not saying ISO27001 is a shield and you will never experience problems, in the same way that taking on an accountant does not guarantee never having problems with HMRC! So even if you have 27001 it’s still worth reading GDPR or giving me a call.
So you have a couple of different options:
Thanks for reading