Even though GDPR is right around the corner, it makes a lot of sense - practically and financially - to maintain your traditional information security measures, because compliance with the Data Protection Regulation both can and should build upon your existing security measures.
The EU, authorities, politicians, and others with a stake in data security have managed to put GDPR at the top of the list for many private and public organisations. That’s very positive. However, this focus on GDPR has unfortunately meant that some organisations have neglected the necessary maintenance of their traditional information security, says Jakob Holm Hansen, CEO at Neupart. Instead of working with information security and data protection on two parallel tracks, he encourages organisations to build upon the foundation of existing information security processes. For many public and private organisations, those will often be based on the ISO 27001 standard.
Struggle to cover everything
“When we ask organisations how far along they are in their GDPR preparations, they often tell us they struggle to tick all the boxes before May next year. As a result, they often neglect their ISO maintenance,” says Jakob.
It's not because organisations have any intention of setting aside the information security they have built up over the years. There are just too many that don’t build their GDPR compliance upon their existing security measures, even though that’s exactly what they should be doing.
“The ICO has already emphasized that the GDPR is an evolution in data protection, meaning it builds upon established best practices. By bridging the gap instead of starting from scratch, you save both time and energy,” explains Jakob Holm Hansen.
Parallels Between the ISO Standards and the GDPR
If you dig a little deeper into the Data Protection Regulation, Article 32 specifically focuses on information security and how organisations should meet the new requirements in the regulation. It says, among other things, that as a Data Controller you must have adequate technical and organisational measures in place. These measures can be implemented with help from both the ISO 27001 and ISO 27002 standards for information security.
The regulation requires that you can ensure the confidentiality, integrity, and availability of personal data and that you can restore access to it after an incident. These are all classic requirements within the world of information security.
Lastly, the GDPR focuses on basing your security measures on the most significant risks. It’s this same risk-based practice that is the foundation of the ISO 27001 standard.
Don’t Throw the Baby Out!
In other words, you shouldn’t throw the baby out with the bathwater when it comes to information security, GDPR, and personal data protection. Many public and private organisations are already following the right processes, and they simply need to keep doing that.
As Jakob Holm Hansen says: “The better you maintain your existing information security, the closer you are to automatically complying with the Data Protection Regulation.”
Want to Get Started on Your GDPR Compliance?
Check out our neupartOne ISMS, which is built for privacy and GDPR. It contains all the documents, policies, and other templates you need, and the best thing is that they are already packed with content that you only need to customise slightly to make it fit your business.