GDPR and ISO 27001

The General Data Protection Regulation (GDPR) is an EU regulation on data protection and privacy that applies to all individuals within the European Union (EU) and the European Economic Area (EEA).

ISO/IEC 27001, published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is an information security standard in the ISO/IEC 27000 family. It specifies the requirements for an Information Security Management System (ISMS): a management system intended to bring information security under management control, with specific requirements against which an organisation can be audited and certified.

The GDPR was approved and adopted by the EU Parliament in April 2016. Because it is a Regulation rather than a Directive, it did not require any national legislation to be passed by member-state governments; after a two-year transition period it came into force on 25 May 2018.

ISO 27001 descends from BS 7799, a standard originally published by the BSI Group in 1995. It was adopted as ISO/IEC 27001 in 2005 and substantially revised in 2013; the 2017 edition incorporates corrigenda to the 2013 text, and a further revision of the standard was published in 2022.

The GDPR applies not only to organisations located within the EU but also to organisations located outside the EU if they offer goods or services to, or monitor the behaviour of, EU data subjects. In other words, it applies to any company processing or holding the personal data of data subjects residing in the European Union, regardless of where the company itself is located.

ISO 27001 certification can be used to demonstrate that an Information Security Management System (ISMS) exists and is actually applied. This covers part of the GDPR's requirements, specifically those related to information security, such as the obligation under Article 32 to implement appropriate technical and organisational measures to protect personal data.

The GDPR, however, is broader than ISO 27001. Several of its requirements have no counterpart in the standard, such as data-subject rights (access, rectification, erasure, portability), the need for a lawful basis for processing, notification of personal-data breaches to the supervisory authority within 72 hours, and the appointment of a Data Protection Officer (DPO) where one is required.

Many organisations have published guidance on implementing the GDPR, such as the IAPP GDPR Checklist. For guidance on implementing ISO 27001, see the IT Governance nine-step approach.