Nov 08 2017

How ISO 27001 can help to achieve GDPR compliance

Category: GDPR,ISO 27kDISC @ 2:44 pm

gdpr

By Julia Dutton

Organizations have until 25 May 2018 to comply with the EU General Data Protection Regulation (GDPR).

Those who have studied the Regulation will be aware that there are many references to certification schemes, seals and marks. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organisation is actively managing its data security in line with international best practice.

Managing people, processes and technology

ISO 27001 is the international best practice standard for information security, and is a certifiable standard that is broad-based and encompasses the three essential aspects of a comprehensive information security regime: people, processes and technology.  By implementing measures to protect information using this three-pronged approach, the company is able to defend itself from not only technology-based risks, but other, more common threats, such as poorly informed staff or ineffective procedures.

By implementing ISO 27001, your organisation will be deploying an ISMS (information security management system): a system that is supported by top leadership, incorporated into your organisation’s culture and strategy, and which is constantly monitored, updated and reviewed.  Using a process of continual improvement, your organisation will be able to ensure that the ISMS adapts to changes – both in the environment and inside the organisation – to continually identify and reduce risks.

What does the GDPR say?

The GDPR states clearly in Article 32 that “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Let’s look at these items separately:

Encryption of data is recommended by ISO 27001 as one of the measures that can and should be taken to reduce the identified risks.  ISO 27001:2013 outlines 114 controls that can be used to reduce information security risks.  Since the controls an organisation implements are based on the outcomes of an ISO 27001-compliant risk assessment, the organisation will be able to identify which assets are at risk and require encryption to adequately protect them.

One of ISO 27001’s core tenets is the importance of ensuring the ongoing confidentiality, integrity and availability of information.  Not only is confidentiality important, but the integrity and availability of such data is critical as well. If the data is available but in a format that is not usable because of a system disruption, then the integrity of that data has been compromised; if the data is protected but inaccessible to those who need to use it as part of their jobs, then the availability of that data has been compromised.

Risk assessment

ISO 27001 mandates that organisations conduct a thorough risk assessment by identifying threats and vulnerabilities that can affect an organisation’s information assets, and to take steps to assure the confidentiality, availability and integrity (CIA) of that data. The GDPR specifically requires a risk assessment to ensure an organisation has identified risks that can impact personal data.

Business continuity

ISO 27001 addresses the importance of business continuity management, whereby it provides a set of controls that will assist the organisation to protect the availability of information in case of an incident and protect critical business processes from the effects of major disasters to ensure their timely resumption.

Testing and assessments

Lastly, organisations that opt for certification to ISO 27001 will have their ISMSs independently assessed and audited by an accredited certification body to ensure that the management system meets the requirements of the Standard. Companies need to regularly review their ISMS and conduct the necessary assessments as prescribed by the Standard in order to ensure it continues protecting the company’s information. Achieving accredited certification to ISO 27001 delivers an independent, expert assessment of whether you have implemented adequate measures to protect your data.

The requirements to achieve compliance with ISO 27001 of course do not stop there.  Being a broad standard, it covers many other elements, including the importance of staff awareness training and leadership support.  ISO 27001 has already been adopted by thousands of organisations globally, and, given the current rate and severity of data breaches, it is also one of the fastest growing management system standards today.

Related articles:

Read more about ISO 27001 and the GDPR >>>>
GDPR Documentation Toolkit and gap assessment tool >>>>
Understanding the GDPR: General Data Protection Regulation >>>>

 


Oct 18 2017

GDPR essentials and how to achieve compliance

Category: data security,GDPRDISC @ 9:51 am

gdpr

The GDPR will replace these with a pan-European regulatory framework effective from 25 May 2018.  The GDPR applies to all EU organizations – whether commercial business or public authority – that collect, store or process the personal data (PII) of EU individuals.

Organizations based outside the EU that monitor or offer goods and services to individuals in the EU will have to observe the new European rules and adhere to the same level of protection of personal data. This potentially includes organizations everywhere in the world, regardless of how difficult it may be to enforce the Regulation. Compliance consultant must know the following 9 tenants of the GDPR.

 

  • Supervisory Authority – A one-stop shop provision means that organizations will only have to deal with a single supervisory authority, not one for each of the EU’s 28 member states, making it simpler and cheaper for companies to do business in the EU.

 

  • Breach Disclosure – Organizations must disclose and document the causes of breaches, effects of breaches, and actions taken to address them.

 

  • Processor must be able to provide “sufficient guarantees to implement appropriate technical and organizational measures” to ensure that processing will comply with the GDPR and that data subjects’ rights are protected. This requirement flows down the supply chain, so a processor cannot subcontract work to a second processor without the controller’s explicit authorization. If requested by subject you must cease processing and using his or her data for some limited period of time.

 

  • Data Consent – The Regulation imposes stricter requirements on obtaining valid consent from individuals to justify the processing of their personal data. Consent must be “freely given, specific, informed and unambiguous indication of the individual’s wishes”. The organization must also keep records so it can demonstrate that consent has been given by the relevant individual. Data can only be used for the purposes that data subject originally explicitly consented. You must obtain and document consent for only one specific purpose at a time.

 

  • Right to be forgotten – Individuals have a right to require the data controller to erase all personal data held about them in certain circumstances, such as where the data is no longer necessary for the purposes for which it was collected. If requested by subject, you must erase their data on premises, in apps and on devices.

 

  • Data portability – Individuals will have the right to transfer personal data from one data controller to another where processing is based on consent or necessity for the performance of a contract, or where processing is carried out by automated means

 

  • Documentation – The Regulation requires quite a bit of documentation. In addition to the explicit and implicit requirements for specific records (especially including proof of consent from data subjects), you should also ensure that you have documented how you comply with the GDPR so that you have some evidence to support your claims if the supervisory authority has any cause to investigate.

 

  • Fines – Major noncompliance of the law will be punishable by fines of up to either 4% or €20 million of group annual worldwide turnover.

 

Data protection by design – Organization must ensure data security and data privacy across cloud and endpoints as well as design their system and processes that protects from unauthorized data access and malware.  Specifically, organizations must take appropriate technical and organizational measures before data processing begin to ensure that it meets the requirements of the Regulation. Data privacy risks must be properly assessed, and controllers may use adherence to approved codes of conduct or management system certifications, such as ISO 27001, to demonstrate their compliance.

 

How to improve information security under the GDPR

Although many businesses understand the importance of implementing the right procedures for detection, report and investigate a data breach, but not many are aware of how to go about this effectively, especially during implementation phase.

 

Seven steps that can help you prevent a data breach:

  1. Find out where your personal information resides and prioritize your data.
  2. Identify all the risks that could cause a breach of your personal data.
  3. Apply the most appropriate measures (controls) to mitigate those risks.
  4. Implement the necessary policies and procedures to support the controls.
  5. Conduct regular tests and audits to make sure the controls are working as intended.
  6. Review, report and update your plans regularly.
  7. Implement comprehensive and robust ISMS.

 

ISO 27001, the international information security standard, can help you achieve all of the above and protect all your other confidential company information, too. To achieve GDPR compliance, feel free to contact us for more detail on implementation.

Related articles on GDPR and ISO 27k

The GDPR and Personal Data…HELP! from Cloud Security Alliance

Tags: gdpr, gdpr compliance

Sep 27 2017

Data flow mapping under the EU GDPR

Category: data security,GDPR,Security ComplianceDISC @ 8:56 am

As part of an EU General Data Protection Regulation (GDPR) compliance project, organisations will need to map their data and information flows in order to assess their privacy risks. This is also an essential first step for completing a data protection impact assessment (DPIA), which is mandatory for certain types of processing.

The key elements of data mapping

To effectively map your data, you need to understand the information flow, describe it and identify its key elements.

1. Understand the information flow

An information flow is a transfer of information from one location to another, for example:

  • From inside to outside the European Union; or
  • From suppliers and sub-suppliers through to customers.

2. Describe the information flow

  • Walk through the information lifecycle to identify unforeseen or unintended uses of data. This also helps to minimise what data is collected.
  • Make sure the people who will be using the information are consulted on the practical implications.
  • Consider the potential future uses of the information collected, even if it is not immediately necessary.

3. Identify its key elements

Data items

  • What kind of data is being processed (name, email, address, etc.) and what category does it fall into (health data, criminal records, location data, etc.)?

Formats

  • In what format do you store data (hardcopy, digital, database, bring your own device, mobile phones, etc.)?

Transfer method

  • How do you collect data (post, telephone, social media) and how do you share it internally (within your organisation) and externally (with third parties)?

Location

  • What locations are involved within the data flow (offices, the Cloud, third parties, etc.)?

Accountability

  • Who is accountable for the personal data? Often this changes as the data moves throughout the organisation.

Access

  • Who has access to the data in question?

 

The key challenges of data mapping

  • Identifying personal data Personal data can reside in a number of locations and be stored in a number of formats, such as paper, electronic and audio. Your first challenge is deciding what information you need to record and in what format.
  • Identifying appropriate technical and organizational safeguards The second challenge is likely to be identifying the appropriate technology – and the policy and procedures for its use – to protect information while also determining who controls access to it.
  • Understanding legal and regulatory obligations Your final challenge is determining what your organisation’s legal and regulatory obligations are. As well as the GDPR, this can include other compliance standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and ISO 27001.Once you’ve completed these three challenges, you’ll be in a position to move forward, gaining the trust and confidence of your key stakeholders.

 

Data flow mapping

To help you gather the above information and consolidate it into one area, Vigilant Software, a subsidiary of IT Governance, has developed a data flow mapping tool with a specific focus on the GDPR.

 

Order Today

 


Tags: data flow mapping, data privacy, data security, gdpr

Aug 11 2017

GDPR Documentation Toolkit and gap assessment tool

Category: GDPR,IT Governance,Security ComplianceDISC @ 10:46 am

Data Protection / EU GDPR Toolkits

 

Use this gap assessment tool to:

  • Quickly identify your GDPR compliance gaps
  • Plan and prioritize your GDPR project

EU GDPR Compliance Gap Assessment Tool

 

Accelerate your GDPR compliance implementation project with the market-leading EU GDPR Documentation Toolkit used by hundreds of organizations worldwide, now with significant improvements and new content for summer 2017:

  • A complete set of easy-to-use and customizable documentation templates, which will save you time and money, and ensure compliance with the GDPR.
  • Easy-to-use dashboards and project tools to ensure complete coverage of the GDPR.
  • Direction and guidance from expert GDPR practitioners.
  • Includes two licenses for the GDPR Staff Awareness E-learning Course.

EU General Data Protection Regulation (GDPR) Documentation Toolkit


Aug 09 2017

EU GDPR: Does my organization need to comply?

Category: GDPR,Security ComplianceDISC @ 9:36 am

By Chloe Biscoe

The General Data Protection Regulation (GDPR) is a new law that will harmonize data protection in the European Union (EU) and will be enforced from May 25, 2018. It aims to protect EU residents from data and privacy breaches, and has been introduced to keep up with the modern digital landscape.

Who needs to comply with the GDPR?

The GDPR will apply to all organizations outside of the EU that process the personal data of EU residents.

Non-compliance can result in hefty fines of up to 4% of annual global turnover or €20 million $23.5 million) – whichever is greater.

Organizations that are compliant with the new Regulation will also find that their processes and contractual relationships are more robust and reliable.

What do US organizations need to do to comply with the GDPR?

The transition period for compliance with the GDPR ends in May 2018. This means that organizations now have less than ten months to make sure they are compliant.

For US organizations, the most significant change concerns the territorial reach of the GDPR.

The GDPR will supersede the current EU Data Protection Directive. Under the current Regulation, organizations without a physical presence or employees in the EU have one main compliance issue to deal with: How to legally transfer data out of the EU. The EU–US Privacy Shield provides such a mechanism for compliance.

Almost all US organizations that collect or process EU residents’ data will need to comply fully with the requirements of the GDPR. US organizations without a physical EU presence must also appoint a GDPR representative based in a Member State.

Save 10% on your essential guide to the GDPR and the EU–US Privacy Shield

EU GDPR & EU-US Privacy Shield – A Pocket GuideAugust’s book of the month is the ideal resource for anyone wanting a clear primer on the principles of data protection and their new obligations under the GDPR and the EU–US Privacy Shield.

Alan Calder’s EU GDPR & EU-US Privacy Shield – A Pocket Guide explains in simple terms:

  • The terms and definitions used within the GDPR and the EU-US Privacy Shield
  • The key requirements
  • How to comply with the Regulation

 

Data Protection / EU GDPR Toolkits

 

« Previous Page