How can ISO 27001 help with GDPR?
Organisations have until 25th May 2018 to comply with the General Data Protection Regulation (GDPR). GDPR is driving businesses to adopt appropriate policies, procedures and processes to protect the personal data they hold and security of processing is integral to it. Article 32 of GDPR states:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
Article 32 further requires risks “from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data” to be identified and mitigated.
This is where ISO 27001 can really help. An effective Information Security Management System (ISMS) that conforms to ISO 27001 addresses each of these requirements: it preserves the confidentiality, integrity and availability of information by applying a risk management process, and it gives interested parties confidence that risks are adequately managed. The mapping is direct. The risk assessment and treatment required by ISO 27001 clause 6 is the risk-based approach Article 32 demands; Annex A controls cover cryptography (A.10), backup (A.12.3), incident management (A.16) and business continuity and redundancy (A.17); and the monitoring, internal audit, management review and continual improvement required by clauses 9 and 10 are exactly the "process for regularly testing, assessing and evaluating" called for in Article 32(1)(d).
A company that has implemented ISO 27001 has therefore already done a substantial part of the work towards GDPR compliance. It has technical and organisational security measures in place and a management system for dealing with change, incidents, ongoing review and more. ISO 27001 does not address every GDPR requirement (lawful basis for processing, data subject rights and notification of breaches to the supervisory authority, for example, lie outside its scope), but it is an excellent framework for demonstrating that an organisation has a working security system and a plan to maintain and improve it, and thereby for complying with a significant part of GDPR's security obligations.
To summarise how ISO 27001 can help meet some of GDPR requirements, we have put together a simple infographic. Download it here.
Workbooks, ISO 27001 and GDPR
You may ask: What about Workbooks? How have you prepared for the imminent legislation?
1. Our organisation already has strong processes and procedures in place to protect all data, including personal data.
Workbooks is ISO 27001:2013 certified. Our certification specifically references the design, development, implementation and support of cloud-based CRM software as a service and bespoke business applications. With this independently assessed ISO standard, we are demonstrating our commitment to:
- Protecting information from getting into unauthorised hands
- Ensuring information is accurate and can only be modified by authorised users
- Assessing the risks and mitigating the impact of a breach
- Ensuring we have the right procedures and measures in place to support and drive information security.
2. With the GDPR deadline rapidly approaching, we have updated our Terms of Service to reflect the new legal requirements.
These are available on our website here.
3. We have recently added new functionality into Workbooks CRM to help organisations (and ourselves) meet some of the GDPR obligations.
For clarity, using Workbooks products won’t make you ‘GDPR compliant’, but by managing personal data inside our platform, we believe we can make it much easier to comply with the rules.
We have created a ‘Compliance Record’. This record, connected to People and Leads in Workbooks (where you typically store personal data), allows you to record and evidence the legal grounds on which you are processing personal data. The Compliance Record helps you understand which records inside your CRM database you have valid legal grounds to process and which you may not.
We have tied the concept of compliance into the email marketing tool we provide, so you will only be able to send a mailshot to those individuals who have valid Compliance Records, safeguarding you from an accidental unlawful mailing. This ‘GDPR Mode’ is an option you can turn on or off, depending on your requirements. We also offer customers the ability to implement preference centres to better manage people’s preferences and the accuracy of their data.
And we are offering ‘GDPR readiness’ professional services packages to help you get all of the processes and workflows in place to drive compliance. The first of these packages is designed to help you with Supplier Management, Data Management and the handling of Data Subject Rights requests.
To find out more, please contact us at 0118 3030100 or if you are an existing Workbooks Customer, please contact your account manager.