What is GDPR?
GDPR is the General Data Protection Regulation, also referred to as Regulation (EU) 2016/679. It was created by the European Parliament and Council to strengthen and unify data privacy for EU individuals and to regulate the international transfer of their data. IT IS A LAW. IT IS NOT A STANDARD WHICH CAN BE COMPLIED WITH BY ADHERENCE TO AN ISO STANDARD IN ISOLATION.
What is the question / statement?
“Am I fully compliant with GDPR if I am already certified to ISO 27001?”
This is a myth. To date there is no approved certification for GDPR compliance, let alone accredited certification bodies who can provide one. There are no GDPR certifications available from anyone for anything. The ICO in the UK has released nothing on certification or accreditation, not even guidance, and nor has the European Data Protection Board (EDPB, earlier known as the Article 29 Working Party). GDPR compliance is compliance with EU law, and as of today there is no certification which can prove to any supervisory authority that a company processing the personal information of EU citizens is GDPR compliant.
Another standard, styling itself as a “best practice framework for a personal information management system”, is, according to the statement on its website, aligned to the principles of the EU GDPR. It outlines the core requirements organizations need to consider when collecting, storing, processing, retaining or disposing of personal records relating to individuals. It does not address the law itself. Organizations believe that by complying with this standard they are GDPR compliant. This is factually incorrect, as the standard itself states only that it is “aligned to the principles of GDPR”.
What is required
The current situation
GDPR is being looked at by two separate sets of people, usually in isolation: technology people who see it only through the prism of standards, controls and technology, and the legal fraternity who usually look at it through the prism of individual rights. For the business community, you need to strike a fine balance between the two.
The following example gives a perspective:
There is no certification for LAW; only actionable compliance can prove that you are compliant. You can have a driving license which proves you can drive, but you are compliant with traffic law only when you drive carefully, and if an accident happens your driving license will not save you from the consequences.