GDPR and ISO 27001


GDPR (General Data Protection Regulation) - My company is ISMS certified

smohanarangan · Feb 28, 2018 #1

My company is ISMS certified; does this mean it is complying with all required regulations?


dsheaffe · Feb 28, 2018 #2

The short answer is no. While there will be some overlap between the two regimes from a policy perspective, the GDPR has a number of areas that are not covered by 27001.

smohanarangan · Mar 5, 2018 #3

Thanks for the info; could you specify the areas of overlap?

Ian_Morris · Mar 6, 2018 #4

From my perspective the overlap is in three areas:

GDPR requires privacy by design - ISO27001 would require PDCA / PDSA of your processes in relation to processing and managing information (the confidentiality and integrity parts in particular).

GDPR requires that you protect the information from release or destruction, either accidentally or intentionally - this is the same as for ISO27001.

ISO27001 requires that you identify and meet all legal and regulatory requirements - as GDPR is central to data processing, it is required that, as an ISO27001 certified firm, you have determined what your obligations will be under the legislation and put in place appropriate controls to mitigate the risks identified.

ISO27001 requires that you have a process and policy for controlling records. Most organisations would not necessarily think of their HR records, financial records, health records, marketing information and promotional information as being part of this process, as they will focus on records relating to the delivery of the product or service. GDPR requires that you provide information to any person, including employees, about what personal information you hold on them, what you will use it for and how long you will keep that information.

There are some very significant areas where simply having ISO27001 will not help, including:

Are you a data controller or data processor (or both)?
Do you have to have a data protection officer?
Will you have to carry out a Privacy Impact Assessment (PIA)?
What sort of personal data do you process?
Do you have appropriate registration with the Information Commissioner's Office (if you are in the UK)?
Have you mapped out all of the processes where personal data is processed?
What is the basis for holding and processing personal data, e.g. informed consent or legitimate / lawful purpose?

Subject access requests - all individuals will have a right to be supplied with details of data that you hold on them, in any format, within a specific period of time (1 month). You are required to

Breach policy - you will need to have an effective policy and procedure in place to identify and manage breaches. There is a statutory responsibility to report any breaches to anyone affected by a breach within 72 hours of the breach occurring.

Location of information - this one may be specific to the EU, but if you are processing personal data for EU citizens there are rules about where and how you are allowed to store data that must be complied with.

Contracts - employment, client and supplier contracts will need to be reviewed and updated to reflect the new requirements.

Consent and right to be forgotten - you will need the ability to delete all records of an individual if they ask you to do this and it is allowable / appropriate to do so (this element only refers to consent circumstances and not to lawful / legitimate processing).

Data portability - can you port information to another organisation where the user asks you to do this? (This one will relate more to utility and B2C companies where the data processing is the primary activity.)

There are other areas that are relevant as well that will need to be addressed, and I am not suggesting for a second that all elements will apply to all organisations, but it hopefully gives you a flavour of where the differences lie.

I would suggest doing some research to ensure that you are compliant, as the penalties are potentially onerous financially and some carry criminal sanctions as well as civil ones.

Happy hunting

Ian
