Published: 3 Sep 2019

Ray Woodford, UK product manager at SGS, explains what happened at the company's recent event at King’s College, London, on the importance of ISO/IEC 27001 Information Security Management and BS 10012 Personal Information Management in relation to GDPR compliance.

When the General Data Protection Regulation (GDPR) came into effect in Europe in 2018, it marked a step change in the way that citizens can take control of their personal data and how it is handled by others. GDPR requires that any organisation that operates in the European Union (EU), or handles the personal data of people that reside in the EU, implements a strong data protection policy that encompasses access, secure storage and data destruction. 

Ray Woodford, UK product manager at SGS, explained to event delegates how certification to ISO/IEC 27001 Information Security Management and BS 10012 Personal Information Management can ensure that data is protected, accessible and stored securely.

Protecting information

GDPR compliance is required if any information meets the criteria of being personally identifiable and relevant. Ignorance of this requirement is not a valid excuse for non-compliance, and the penalties are severe – up to €20m or four per cent of turnover, whichever is greater.

By March 2019, a year after the launch of GDPR, European data protection agencies had already issued fines totalling €56m for GDPR breaches. In the first nine months, there were 206,326 cases reported from authorities in the 31 countries in the European Economic Area, according to the European Data Protection Board (EDPB). 

In the UK, for example, a telecommunications company was fined £77,000 by the Information Commissioner’s Office (ICO) after it sent nearly five million nuisance emails to customers, a regional police force was fined for revealing identities of abuse victims in a bulk email, and a healthcare organisation was fined £35,000 after it left highly sensitive medical information in an empty building.

Implementing security measures

Organisations now have a clear incentive to implement appropriate technical and organisational measures to ensure a level of security appropriate to any risk. This includes protection from cybercriminals attempting to gain access to sensitive information, as well as from data loss due to power outages, vandalism, terrorism, fire, natural disasters and other external events. 

GDPR is one of the key reasons for the surge of interest in ISO/IEC 27001, the international standard for information security management systems (ISMS), and BS 10012, which provides a framework for a personal information management system (PIMS). 

BS 10012 was revised in 2017 specifically to address requirements of GDPR and now defines personal and sensitive data, the responsibilities for data privacy officers and outlines consent for processing and breach notification requirements.

As well as addressing data privacy controls, BS 10012 can also be used to improve employee awareness, and clearly explain data retention and disposal processes, while ISO/IEC 27001 outlines required information security controls. 

Implemented together, they can help organisations meet many of the requirements of GDPR and are increasingly recognised as best practice for demonstrating progress towards compliance.

In addition to ensuring that security risks, threats and vulnerabilities are identified, prioritised and cost effectively managed, ISO/IEC 27001 and BS 10012 certifications demonstrate to customers, third parties and internal stakeholders that their data is protected, accessible and stored securely.

They also help reduce the risk of reputational damage from the loss of personal information, protect intellectual property, and reduce the cost of downtime from data privacy breaches, while offering a competitive advantage that can help maintain and win new business.

The certification process

Through working with an established and experienced certification body, the ISO/IEC 27001 and BS 10012 certification processes offer organisations in all vertical sectors a thorough evaluation of their current processes, and a clear strategic direction. 

In some cases, a pre-assessment process can be undertaken to ascertain an organisation’s readiness to move towards certification, which is followed by a desk study that analyses any existing information security procedures. A risk assessment and statement of applicability measures compliance with the standards and working documentation for an on-site assessment is then prepared. 

Any identified areas of non-compliance at this stage are notified to the client and once these have been addressed an on-site certification audit verifies the implementation of an ISMS and/or PIMS. Once completed to the auditor’s satisfaction, the client is notified of formal compliance and a certificate issued.  

That isn’t the end of the story. Continual improvement is important. This means that ISMS and PIMS have to be regularly assessed, modified and improved to remain fit for purpose and compliant.

Operating to the highest standards

Certification demonstrates that a business operates to the highest global standards. However, to obtain the maximum benefit from any investment in this area it is important to work with a certification body that has had its own technical competence, impartiality, performance capability and integrity assessed to internationally recognised standards. 

The United Kingdom Accreditation Service (UKAS) is the only national accreditation body recognised by the UK government to assess the offices, records, processes and people of those that provide certification services. 

Using a UKAS accredited certification body sends out a strong message that a company is serious about the markets it operates in, will not compromise integrity, and will do all it can to enhance its professional reputation. In many respects, working with a UKAS accredited certification body adds another layer of excellence to ISO and BS standards.

Just as importantly, using a certification body that operates globally, understands a diverse range of industries and has expert auditors, means that a client can be reassured that they are getting the very best advice, support and direction. A certification body should adopt strict principles of continual improvement and innovation in order to support its clients’ operations.

Take data protection seriously

Data protection is now the subject of intense scrutiny and should be taken seriously, particularly if the GDPR applies. Having a rigorous ISO/IEC 27001 certified ISMS and a BS 10012 certified PIMS in place is highly recommended, as ignoring the subject could not only prove financially catastrophic, it could put an organisation’s very existence in jeopardy.