May 2018 is creeping steadily closer, and if your organisation is based in the EU – or if you’re not an EU business but you operate within it – you’ll need to comply with the EU GDPR. This is a regulation that replaces the old interpret-it-any-way-you-like 1995 Data Protection Directive (DPD), bringing in a whole new set of rules that broadens and deepens protection of personal data.
The key question to ask yourself is:
“Does my organisation use or store EU citizens’ personal data?”
If so, you must be compliant and it doesn’t matter whether your organisation is based inside or outside the EU. It’s more than likely you’ll need to comply if your organisation:
If you’re currently Information Security Management Systems (ISO 27001) compliant, or working towards it, then you can relax a little as the standard does comply with EU GDPR to a large extent. But there’s still work to do.
What ISO 27001 covers
The ISO 27001 standard and its family of standards is the main framework for information protection, and it addresses a range of EU GDPR requirements. Some key areas that tie in with EU GDPR requirements include:
However, ISO 27001 doesn’t cover some of the new responsibilities. The EU GDPR introduces concepts that mean you’ll need to adopt new processes and procedures.
What ISO 27001 doesn’t cover
1. The right to disappear
You’ll have heard of the “right to disappear” or the “right to be forgotten”. The EU GDPR gives people the right to request that their private data be deleted or removed when there’s no compelling reason for keeping it. And, of course, you may have a compelling reason to store their data but your reason might not be good enough for the EU GDPR.
2. The right to be informed
This extends your 1995 DPD compliance through increased transparency over how you use personal data. You’ll need to make sure that you inform individuals on what you do with their data, which you may already do through a privacy notice, but you must be even more transparent and accessible.
3. Data portability
The EU GDPR gives people the right to obtain and re-use their personal data. Your obligation is to make sure that you supply their data to them in a structured, commonly used and secure form. You’ll need to provide it free of charge and within a month.
The ISO 27001 framework broadly complies with much of the EU GDPR so in itself it’s an excellent framework for compliance. Your next step should be to carry out an EU GDPR gap analysis to assess how far your organisation is already compliant and what you’ll need to do to become fully compliant.
Wale Omolere is an experienced cyber security instructor and practitioner with over 18 years’ experience working in Consulting, Oil & Gas, Telecommunication, Automobile, and Asset & Wealth Management. He has a background in computer science, coupled with direct experience in all types of computing and networking platforms. He provides cyber security advisory services to businesses, as well as hands-on management of IT systems, projects and operations. He has led the deployment of various cyber security technologies, developing processes for managing and monitoring security incidents.