Three standards are featured as the ISO/IEC 27001 / ISO/IEC 27018 / BS 10012 – General Data Protection Regulation Package, and adherence to their voluntary consensus guidelines can help to comply with the binding legislative requirements of the European Union’s General Data Protection Regulation (GDPR).
The General Data Protection Regulation (GDPR) was approved by the EU Parliament on April 14, 2016, and organizations have until May 25, 2018 to comply with its rules or could face heavy fines. The GDPR applies to all companies processing and holding the personal data of data subjects residing in the European Union, and it affects not only all organizations located in the EU but also those that offer goods or services to, or monitor the behavior of, EU data subjects.
The General Data Protection Regulation updates and replaces the Data Protection Directive 95/46/EC, and it was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizen data privacy, and to reshape the way organizations across the region approach data privacy.
The GDPR is substantially different from the 1995 directive it revises. One of the primary changes is obvious: the GDPR is a regulation, not a directive. This means that the GDPR is a binding legislative act that must be applied in its entirety across the EU, whereas a directive is a legislative act that sets a goal all EU countries must achieve but leaves each country to decide how to achieve it. Organizations in breach of the General Data Protection Regulation can be fined up to 4% of annual global turnover or €20 Million (whichever is greater).
The GDPR also has an increased territorial scope. Simply put, the GDPR applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not. Furthermore, the conditions for consent have been strengthened, as companies will no longer be able to rely on long, illegible terms and conditions to obtain consent. The General Data Protection Regulation also includes the right of access, the right to be forgotten (data erasure), data portability, and privacy by design.
The GDPR’s provisions make up 99 Articles within 11 Chapters, so tackling the stipulations of the regulation can seem daunting. However, this is where international voluntary consensus standards come into play. Standards, three in particular—ISO/IEC 27001, ISO/IEC 27018, and BS 10012—can help organizations adequately adhere to the General Data Protection Regulation.
These three standards are available as the ISO/IEC 27001 / ISO/IEC 27018 / BS 10012 – General Data Protection Regulation Package.
ISO/IEC 27001:2013 – Information technology – Security techniques – Information security management systems – Requirements is the international best practice standard for information security. Comparable to other ISO management system standards, ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, and maintaining an information security management system (ISMS), under which users of the standard understand the organization’s context, secure the involvement of top leadership, and strive for continual improvement.
The GDPR states in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk,” and it lays out several items as appropriate. ISO/IEC 27001:2013 meets these needs, addressing the encryption of data, confidentiality, integrity, availability, risk assessment, and business continuity.
Ultimately, the guidelines and controls set forth by ISO/IEC 27001:2013, used as an organization’s best practice framework, position it to identify its requirements under the GDPR. Furthermore, these guidelines not only assist in responding to contractual and regulatory requirements, but also implement appropriate controls to manage risks to the business’s information, such as personal records.
Applicable to any organization that provides information processing services as Personally Identifiable Information (PII) processors via cloud computing under contract to other organizations, ISO/IEC 27018:2014 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII.
By assuring that organizations can address security issues related to personally identifiable information stored on the public cloud, ISO/IEC 27018:2014 can help demonstrate one’s commitment to protecting personal records.
Initially published to help users comply with the 95/46/EC Directive, BS 10012 was updated in recognition of the publication of the General Data Protection Regulation. Article 42 of the GDPR encourages the “establishment of data protection certification mechanisms… for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” BS 10012:2017 – Data protection. Specification for a personal information management system offers such a mechanism.
Specifically, BS 10012:2017 enables organizations to put in place a personal information management system (PIMS). This provides the framework for maintaining and improving compliance with data protection guidelines and good practice, and, when used alongside a robust ISMS, can place an organization in a good position to demonstrate GDPR compliance.
ISO/IEC 27001 / ISO/IEC 27018 / BS 10012 – General Data Protection Regulation Package is available on the ANSI Webstore.