GDPR and ISO certifications – Clearing the misconceptions!

DEADLINE: May 25, 2018

The clocks are ticking down to May 25 2018, the day when GDPR compliance will become a mandatory legal requirement for all businesses in Punjab that either interact with EU residents or are based within the UK. Businesses will no longer be able to use personal data for their own competitive advantage; and must follow a clear set of rules to ensure data is processed in a fair and consistent manner.

The EU regulation aims to consolidate the many different data protection regulations which are spread across all EU member countries. It is important to understand that you need to comply with GDPR, even if you don’t have a legal entity in the EU. As long as you collect, process, exchange, or store personal identifiable information (PII) of EU and EEA citizens (referred to as Principals), you will need to ensure you comply with these regulations.

Non-compliance and data privacy breaches may result in fines – up to 20 million Euro or 4 % of your global annual revenue – whatever is higher.

There exists as confusion among many people and organizations that if they have certain certifications like ISO 27001 that will means compliance to GDPR. The often repeated question that “Am I fully compliant with GDPR if I am already certified to ISO 27001?” This is a myth. As on date there is no certification approved for GDPR compliance. As on date there are no certifications yet available for GDPR, let alone accredited certification bodies who can provide it.

For example, in the UK, the Information Commissioner’s Office (ICO) will be the ‘supervisory authority’ responsible for the:

• “...establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” – GDPR Final Text, Article 42, Para. 1, and;
• “…accreditation of certification bodies as referred to in paragraphs 1 and 2 of this Article [which] shall take place on the basis of criteria approved by the supervisory authority...” – GDPR Final Text, Article 43, Para. 3

To date there is no GDPR certifications available from anyone for anything. The ICO, in the UK, have released nothing on certification / accreditation, not even guidance. Nor have the Article 29 Working Party (Art. 29 WP) to whom the ICO refer. GDPR is compliance to EU law and as of today there is no certification which can prove to any supervisory authority that companies processing personal information of EU citizens are GDPR compliant.

In its Article 32, the GDPR states that organizations “…shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…” It also mandates other security-related points. As the leading international standard and certification for information security, ISO 27001 is an ideal choice of a framework to support GDPR compliance. It’s important to remember that ISO 27001 covers a very specific area viz data security. Data security is less than 5% of the work organisations will have to perform to bring themselves into compliance with GDPR. And while this certification can be valuable from a GDPR perspective, it shouldn’t be viewed as an ‘automatic passport’ to full GDPR compliance.

GDPR is not an IT problem, it’s certainly not just a data security problem, it is a business problem, and one that will affect every individual in your organisation to a greater or lesser degree. In crux GDPR consists of 99 Articles. As we’ve seen, just one of those covers technical and organisational data security measures. In other words, there’s much more to full GDPR compliance than ensuring your information security management system is up to level.

Do contact us today for more information on how GDPR Consultants offerings can help your organization Stay One Step Ahead in Punjab region.

Address: SCO 823, NAC , Manimajra, Chandigarh 160001, India Mobile : 09968416366