Companies today face increasing pressure to implement strong cybersecurity controls. While the U.S. has no comprehensive cybersecurity law, many organizations still fall under state, international, or industry regulations. Two of the most prominent controlling publications are the General Data Protection Regulation (GDPR), and the ISO 27701 standard. One has the force of law, and the other is a guiding framework, respectively.
Both of these documents apply to an increasing number of businesses. As the world grows more interconnected and reliant on digital data, the reach of these documents is expanding as well. It becomes critically important to understand how each might affect one’s organization.
What Do ISO 27701 and GDPR Cover?
On the surface, ISO 27701 and GDPR are entirely different. The GDPR is a mandatory regulation for companies handling European data, and ISO 27701 is an extension of an optional certification, ISO 27001. Despite their differences, they contemplate many of the same considerations.
The GDPR and ISO 27701 both aim to strengthen data privacy, and to that end, they have many similar requirements. Both emphasize risk assessment, data confidentiality, record-keeping, and minimizing privacy risks at every stage.
Both also prescribe responsibilities for breaches. Under the GDPR, businesses have 72 hours to report a breach, and ISO 27701 indicates that companies should contact authorities quickly, but doesn’t specify a timeframe.
While there is much overlap between the two, the GDPR is a broad regulation. ISO 27701 is narrower in scope, but it offers more specific actions than the GDPR. Both can be crucial tools for any organization dealing with customer data, and in some cases, can have substantial ramifications.
How Will ISO 27701 Affect Your Organization?
Even though ISO 27701 is an optional certification, and not a law, it can still have a significant impact on some organizations. As cybersecurity becomes a more prominent issue, more companies will expect higher standards from their partners. Consequently, being ISO 27701-certified could help businesses gain strategic partnerships, and lacking certification may drive potential partners away. ISO 27701 certification can be used as a stepping-stone towards attaining GDPR compliance. The process of achieving ISO 27701 certification can also be an excellent way to corroborate an organization’s GDPR compliance, without legal consequences if any gaps are discovered.
If a company decides to seek out ISO 27701 certification, it could bring some disruption. Businesses must first have an ISO 27001 certification, which requires implementing specific security measures, including an information security management system (ISMS), and a formal risk assessment. Meeting these requirements will take time and require the implementation of a security infrastructure which some companies don’t already have.
For example, in order to achieve certification, ISO 27701 requires organizations to accommodate user rights to access, correct, and erase their personally identifiable information (PII). If companies don’t already have a platform that gives users this power, they’ll have to restructure their system.
How Will the GDPR Affect Your Organization?
As a legal requirement, GDPR’s potential impact on an organization is far greater. Non-compliance could result in hefty fines. In fact, GDPR regulators have already imposed more than $126 million in penalties since May, 2018. American companies may believe they’re safe from any repercussions, as the GDPR is a European regulation, but it applies to many U.S. operations as well.
The GDPR applies to any business that serves E.U. residents, regardless of the company’s location. This point may catch some organizations off-guard. An American company may ignore GDPR compliance as it primarily operates in the U.S., but if it has any E.U. customers, it must comply. As a result, an organization could receive an audit and subsequent fines when they thought they were outside the GDPR’s jurisdiction.
Like IS0 27701, the compliance process may bring some initial disruptions as well. Organizations will have to ensure they give users more visibility and control and enact stricter confidentiality and security measures. Depending on what the company’s current systems look like, that could take time.
How Can You Prepare for ISO 27701 and the GDPR?
If an organization must comply with the GDPR, or is seeking ISO 27701 certification, it should start preparing now. Companies can even pursue both simultaneously, which can be helpful, as ISO 27701 outlines some specific measures that help expand on GDPR’s more vague requirements. For example, GDPR may define the basic principles for data collection and processing, but ISO 27701 contains several clauses that further define data security.
With both regulations, companies should start by finding how far they need to go. Comparing current measures to what these declarations require can provide a roadmap for what a business must change, and what can stay the same. To do that, organizations can turn to a qualified third-party cybersecurity expert who can review their security systems and recommend improvements.
Most of the specific directives in both ISO 27701 and GDPR boil down to keeping PII private, and giving users more control over it. If companies keep their customers’ data rights in mind throughout every system design choice, they’ll make better decisions.
Every time an organization considers changing something in their system, they should first consult relevant guidelines, and applicable regulations. Ensuring these changes won’t jeopardize compliance is crucial for ongoing operations.
Stay Compliant and Secure
Standards, like ISO 27701, and regulations such as GDPR, are becoming increasingly common and stringent. Organizations must understand, and prepare to ensure they stay safe, and in good standing. Meeting the requirements can help companies bring in more business and remain secure, while missing them can result in lost business, and in extreme cases, fines.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
