Step 9 – ISO27001: A Data Privacy Odyssey: How to Demonstrate Technical and Security Measures Under the GDPR
Under current privacy laws, only one of the privacy principles applies directly to a data processor, and that is to ensure that adequate security and technical measures are in place. The GDPR mirrors this obligation on data processors, but what exactly does it mean to have these measures in place?
There has been little guidance in the past, and in turn contract negotiations in this area between data processors and controllers have become a delicate balancing act as their respective information security teams work together to establish whether the measures put in place by the data processor meet requirements.
So the question is, does the GDPR help to define what these technical and security measures are?
Why is data security so important?
Before we get to that question, consider the role that data security plays in controller and processor organisations alike. We live in a world where data has become a type of currency, and with increasing regularity we read articles in newspapers about data security breaches. Technology has advanced significantly since privacy laws first came into force in the late 1990s, and the methods and means of compromising data have become ever more sophisticated.
To combat this, data security should be at the very heart of every business, both small and large, and is a fundamental means of protecting your digital data from threats such as cyber-attacks, data breaches, and even unexpected deletion by users, both authorised and unauthorised.
The GDPR encourages organisations to implement safeguards with the concept of ‘Privacy by default and by design’ as a driver: these measures can no longer be what some may view as a tick box, but rather now must be a fundamental component in the operation of any organisation.
Technical and security measures under the GDPR
As we noted above, current legislation talks of technical and security measures but does not really define them; this all changes under the GDPR.
The GDPR states that organisations must adopt appropriate policies, procedures and processes to protect the personal data they hold, and Article 32 of the GDPR specifically requires organisations to, as appropriate:
- Take measures to pseudonymise and encrypt personal data;
- Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and/or
- Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
We also now know that certain security standards will meet these requirements:
ISO 27001 – does this certification demonstrate compliance with Article 32?
In short, yes, the ISO 27001 standard will meet the requirements laid out within Article 32 of the GDPR.
In referring to HireRight EMEA’s own ISO 27001 certification, HireRight’s Information Security Manager for EMEA/APAC, Jason Bryant, describes the standard as follows: “The International Organization for Standardization (ISO) is an international standard-setting body composed of representatives from various national standards organizations. Founded on 23 February 1947, the organization promotes worldwide proprietary, industrial and commercial standards. ISO 27001 is the international standard which is recognised globally for managing risks to the security of information you hold. ISO 27001:2013 (the current version of ISO 27001) provides a set of standardised requirements for an Information Security Management System (ISMS). It has a supporting document called ISO 27002 that contains the Annex A controls, numbered 5 – 18. There are 14 sections containing 144 controls.”
Why does HireRight consider the ISO 27001 certification important?
The ISO 27001 certification is an independent accreditation confirming that an organisation’s (such as HireRight’s) information security management system (ISMS) has been tested and audited in accordance with internationally accepted standards for good information security practice. Any entity seeking to appoint a third party data processor can therefore factor the certification into its assessment of whether the GDPR requirements are met.
Further, the ISO 27001 certification provides guidance for implementing appropriate measures to mitigate ISMS risks, with recommended technical measures in line with the requirements of the GDPR. It delivers a set of appropriate technical controls, policies and procedures, and processes for monitoring and continual improvement. Importantly, ISO 27001 promotes a culture and awareness of information security that makes sure data security is entrenched across the business.
We will finish this blog post with another quote from Jason, as he assesses HireRight’s information security program:
“When a data controller looks to appoint a third party data processor, it should be looking at organisations that align to a robust ISMS and have a solid policy framework in place. They should look to see if the data processor has stakeholder buy-in, and that policies are communicated at all levels via appropriate training. HireRight’s commitment to information security and to obtaining and maintaining its ISO 27001 certification demonstrates this and gives HireRight clients (current and prospective) further assurances that their data is being processed properly with confidentiality, integrity, availability, and resistance in accordance with Article 32.”