Some GDPR ISO 27001 FAQ
GDPR ISO 27001 FAQ. Our existing ISO 27001 customers are busy asking us about it. There is a forest of information on the 'net, but in our usual fashion we've tried to hack through it and give an uncluttered, basic version of what you might need to know. We've been helping clients with cyber security through ISO 27001 certification for a number of years, and have blogged on it quite often.
What is GDPR?
General Data Protection Regulation (Regulation (EU) 2016/679). A new EU Regulation replacing the Data Protection Directive (DPD, Directive 95/46/EC) and, in practice, the UK Data Protection Act 1998 that implemented it. Approved by the EU Parliament in April 2016, it concerns the protection of personal data and the rights of individuals.
But What About Brexit?
The UK is still legally part of the EU, so GDPR applies. The UK government has also said it will keep GDPR-equivalent rules in domestic law after leaving, so there is no Brexit get-out. (Sorry.)
What’s it Aiming to Achieve?
To strengthen and harmonise the protection of personal data across the EU: giving individuals more control over their data, making organisations accountable for how they process it, and so helping to prevent privacy and data breaches.
Is GDPR Effective Now?
Not yet, but very soon: 25th May 2018. Non-compliance can result in hefty fines. Note that this is a Regulation rather than a Directive: it applies directly in every member state without needing national legislation, so it is not something you can ignore.
Does GDPR apply to you?
Yes, if you process personal data in the context of an establishment in the EU, or if you are based outside the 28 EU member states but offer goods or services to, or monitor the behaviour of, individuals in the EU. Everyday HR data about your own staff counts as personal data. Very few organisations are exempt.
What responsibilities will companies have under this new regulation?
A lawful basis for every use of personal information about customers and employees. Consent is one of six lawful bases (Article 6), and where you rely on it the request must be clear, affirmative and in plain language, and the consent must be as easy to withdraw as it was to give. Pre-ticked boxes and silence do not count. Bear in mind that consent from employees is hard to rely on because of the imbalance of power, so other bases (contract, legal obligation, legitimate interests) are usually more appropriate for HR data. Beyond consent, you must be able to demonstrate compliance (accountability), keep records of your processing activities, secure the data appropriately, and report qualifying breaches to the supervisory authority within 72 hours of becoming aware of them.
Does GDPR apply to all types of data?
GDPR applies to personal data. The current Data Protection Directive defines personal data as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
GDPR keeps that definition but spells out that online identifiers such as IP addresses and cookie identifiers can be personal data. Genetic data and biometric data used to identify someone are now explicitly listed as "special categories" of data, alongside health, racial or ethnic origin, political opinions, religious beliefs, trade union membership, and sex life or sexual orientation, and get extra protection.
Broadly, how should we handle personal data?
Article 5 of the EU GDPR states that personal data must be:
- Processed lawfully, fairly and in a transparent manner (lawfulness, fairness and transparency)
- Collected only for specified, explicit and legitimate purposes and not used for incompatible purposes (purpose limitation)
- Adequate, relevant and limited to what is necessary (data minimisation)
- Accurate and, where necessary, kept up to date (accuracy)
- Kept in a form that identifies individuals for no longer than necessary (storage limitation)
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
Article 5(2) adds that the controller is responsible for, and must be able to demonstrate, compliance with these principles (accountability).
What are the Penalties for Non-Compliance?
A maximum fine of 4% of annual global turnover or €20 million, whichever is higher. Ouch!
Lesser infringements, such as improper record-keeping or failing to notify breaches, can attract a fine of up to 2% of annual global turnover or €10 million, again whichever is higher.
Do we have to appoint a Specific Data Protection Officer (DPO) ?
According to the ICO, only if you:
- are a public authority (with the exception of courts acting in their judicial capacity)
- carry out large scale systematic monitoring of individuals, such as, online behaviour tracking; or
- carry out large scale processing of special categories of data or data relating to criminal convictions and offences
However, every company must have a resource in place to be able to comply with GDPR, even without a DPO. There are a number of alternatives apart from a new hire. We will blog about this shortly.
What rights will individuals have under GDPR?
There are 8 fundamental rights of individuals under GDPR:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
Beyond GDPR ISO 27001 FAQ – What’s the Relationship With ISO 27001?
If your ISO 27001 ISMS scope treats personal data as an information security asset, much of the "appropriate technical and organisational measures" that GDPR Article 32 calls for will already be in place through your risk assessment and Annex A controls. ISO 27001 certification is not GDPR compliance, but there is real overlap, such as:-
- Management responsibility and accountability (ISO 27001 clause 5 leadership and defined roles; GDPR accountability)
- Identifying and complying with legal requirements for privacy and protection of personally identifiable information (Annex A.18.1.1 and A.18.1.4)
- Managing and recording security incidents (Annex A.16), which gives you the detection and investigation process you need to meet GDPR's 72-hour breach notification
- Risk-based selection of security controls (clause 6.1), which feeds directly into GDPR's security and data protection impact assessment requirements
Some GDPR requirements have no ISO 27001 equivalent and will need separate work, notably establishing a lawful basis (including consent) for each processing activity, handling individuals' rights requests, and deciding whether you need a Data Protection Officer.
How Can We Help?
This topic is one that warrants a meeting, or at least a phone call. If anything we've described has raised a doubt in your mind, please get in touch!