The EU General Data Protection Regulation (GDPR) requires organisations to implement appropriate technical and organisational measures, backed by policies, procedures and processes, to protect the personal data they hold.

ISO 27001, the international standard for information security management, is a good starting point for the technical and organisational measures needed to reduce the risk of a breach. Because its framework overlaps substantially with the GDPR's security requirements, organisations certified to the Standard have already done much of the groundwork for GDPR compliance. It is only part of the picture, though: ISO 27001 addresses security, not the GDPR's other obligations such as a lawful basis for processing, data subject rights, data protection impact assessments or breach notification.

Does the GDPR offer guidance for avoiding a data breach?
Article 32(1) of the GDPR specifically requires organisations, as appropriate, to:
Take measures to pseudonymise and encrypt personal data;
Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
Restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
Implement a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Article 32(2) further requires that, in assessing what level of security is appropriate, organisations take account of the risks presented by processing, in particular those "from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed", and the measures chosen must mitigate those risks.

An effective information security management system (ISMS) that conforms to ISO 27001 addresses each of these areas. Its mandatory risk assessment and risk treatment process is the mechanism for identifying and mitigating the risks described in Article 32(2); Annex A includes controls for cryptography, backup and business continuity; and the Standard's monitoring, internal audit and management review requirements supply the regular testing and evaluation. Note, however, that ISO 27001 does not mandate any particular control: encryption and pseudonymisation are applied where the organisation's own risk assessment and Statement of Applicability call for them, so certification on its own does not prove that the measures selected are appropriate to the risk to data subjects.

Article 32 of the GDPR is the main provision requiring technical measures to protect personal data. It names the factors to weigh (the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risk to individuals) and gives examples of security measures, but it does not say in any detail what you should do to achieve an appropriate level of security.

Instead, the GDPR leaves organisations to draw on established best practice such as ISO 27001 to minimise the risk of a data breach. Article 32(3) expressly recognises adherence to an approved code of conduct or an approved certification mechanism as one way to demonstrate compliance with these security requirements.