Are you adequately covering GDPR within your ISMS?
TRENDING
PUBLISHED on
22
July
2022
SUMMARY
We have seen an increased focus on the General Data Protection Regulation (GDPR) by certification body (CB) assessors when conducting ISO 27001 audits. In the past, assessments typically focused on whether organisations were registered with the Information Commissioner’s Office (ICO), whether they were complying with the ‘Privacy and protection of personally identifiable information’ (ISO 27001 Annex A control 18.1.4), and whether they had developed and implemented a legal and regulatory register and a data protection policy.
However, since the GDPR came into force, we have seen an expectation from CBs, understandably, for a more robust approach where:
- The GDPR is referred to in the stated ‘risks and opportunities’ (ISO 27001 Clause 4 and 6.1.1) and whether the organisation needs to take action under Article 3 (main establishment/territorial scope)
- The GDPR is taken into account under ‘Planning’ (ISO 27001 Clause 6)• Resources (and competencies) are assigned /made available to the data protection officer (DPO) role under ‘Support’ (ISO 27001 Clause 7)
- A process is defined for dealing with all types of data subject requests (ISO 27001 Annex A Control 18.1.4) and the data subject access request (DSAR) process in particular
- An information security breach process includes steps for notifying the ICO, i.e., ‘Reporting information security events’ (ISO 27001 Annex A, A.16)
- Data transfers to non-UK and non-EEA countries are addressed within ‘Supplier relationships’ controls (ISO 27001 Annex A, A.15 controls) and contracts. This links back to risks and opportunities (ISO 27001 Clause 6.1) in terms of the impact of the ECJ’s ruling in the Schrems II case and the use of the ICO’s International Data Transfer Agreement (IDTA) and the EU standard contractual clauses (SCCs), and whether these are sufficient, particularly to cover onward transfers within the supply chain. The IDTA, the EU clauses and the SCCs’ Annex II commitments to security measures should also be formalised to safeguard internal, inter-group transfers
- Security and privacy (i.e., privacy by design and default) are considered under ‘System acquisition, development and maintenance’ controls (ISO 27001 Annex A, A.14 and A.6.1.5)
- Personal data retention periods are specified under ‘Protection of records’ (ISO 27001 Annex A, A.18.1.3).
Whilst it can be argued that all of the above measures are appropriate and part of adequate and sensible planning, it does represent a significant step change in the expectations of the CBs.
How URM can help?
Consultancy
Do you need assistance in improving your GDPR compliance position?
URM can offer a host of consultancy services to improve your DP policies, privacy notices, DPIAs, ROPAs, data retention schedules and training programmes etc.
Read more
Training
Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!
By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
Read more
Consultancy
Does your organisation fully comply with the General Data Protection Regulation (GDPR)?
If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Read more
related BLog posts
Data Protection
Published on
25/7/2022
In-house Resource vs Virtual DPOThis blog takes a look at DPOs and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.
Read more
Data Protection
Published on
30/8/2024
The ICO Issues its First Notice of Intention to Fine a Data ProcessorURM’s blog explores the first provisional monetary penalty imposed by the ICO exclusively on a data processor & the lessons that can be learned from the case.
Read more
Data Protection
Published on
14/11/2025
ICO’s Appeal in Clearview AI Case UpheldURM’s blog examines the impact of the latest ruling from the Upper Tribunal in the Clearview AI case, and the cross-border GDPR enforcement gap it exposes.
Read more
I am pleased to share my experience with the Cyber Essentials Plus (CE+) Scheme. This certification has been invaluable to Case Pilots in helping us protect ourselves from cyber threats. The comprehensive and user-friendly process provided by URM Consulting gave me a deep understanding of the latest threats, vulnerabilities and best practices in cyber security. The assessors were highly knowledgeable, experienced and able to explain each step of the process clearly and concisely. What I particularly appreciated about the CE+ scheme was its relevance to the real world. The training covered not only the fundamental principles, but also advanced techniques and strategies that are used by professionals to protect their systems and data. Achieving the certification demonstrates to our clients that we are committed to cyber security and that we have the knowledge and skills to protect their data. I highly recommend the Cyber Essentials Plus Scheme to any organisation that is serious about cyber security.
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.