The European Union (EU) General Data Protection Regulation (GDPR) requires organizations across the globe that manage EU data subjects’ information to implement numerous privacy and security policies and controls designed to protect personal data. As part of an organization’s GDPR compliance program, thorough reviews of existing privacy and security policies, and of the frameworks on which they are based, must be conducted.
However, the GDPR provides minimal implementation guidance for these measures, which has prompted many organizations to adopt industry-recognized privacy and security frameworks to help them align with the GDPR. This post looks at how International Organization for Standardization (ISO) standards and National Institute of Standards and Technology (NIST) frameworks can assist companies that must comply with the GDPR.
Leveraging ISO 27001/27002 to meet GDPR requirements
Which ISO standards will help me align with the GDPR?
ISO has a set of international management standards dedicated to keeping information assets secure (ISO 27000). The most recognized standard in the set is ISO 27001, which provides a proven framework for managing sensitive information through the use of an information security management system (ISMS). ISO 27001 and 27002 contain sections on security measures for incident management, network access, and more.
How do the ISO 27000 standards align with the GDPR?
Although there will need to be some adjustments, privacy programs that comply with the ISO 27000 family of standards should align closely with many of the articles of the GDPR. The framework provides a standard for organizations to evaluate their current processes and policies against, so they can identify and mitigate risks, improve procedures that are deemed ineffective, and better protect data subject information.
Article 32(1)(b) of the GDPR, for example, mandates that organizations must be able to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. To meet this requirement, many organizations will need to take steps to enhance their security program and corresponding information security policies.
Article 32(1)(d) of the GDPR requires the implementation of a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure the security of processing. ISO 27001 covers the core components of data security – people, processes, and technologies – and provides guidance on what controls and policies should be in place to safeguard data.
As organizations build their GDPR-mandated security assessment programs, using relevant sections of ISO 27000 to evaluate the effectiveness of their security measures will prove useful.
Can we use ISO 27000 standards to comply with the GDPR?
Because ISO 27000 is a widely adopted international industry standard and best practice, it will likely prove to be the most applicable standard under the GDPR. These standards are also periodically updated, and as threats and risks evolve, so should the organization’s defenses. However, some articles within the GDPR are not covered under ISO 27000, such as the data subject’s rights to transfer or erasure of their data, so additional provisions will need to be made for them.
Download our quick guide to ISO 27000 and the GDPR to see how they align.
Can we leverage NIST frameworks to meet GDPR requirements?
The short answer is that the newly updated NIST Risk Management Framework (RMF) and Special Publication 800-53 (SP 800-53) can help organizations align with the security requirements of the GDPR.
Here’s the longer answer:
Many organizations, primarily those based in the U.S., leverage NIST frameworks such as SP 800-53, the Cybersecurity Framework (CSF), and the RMF. These frameworks were initially designed for federal agencies but are now used by many commercial organizations as well. In early May, NIST released a draft update to the RMF, which emphasizes the need for organizations to develop holistic cyber security programs that include both privacy and security components.
The update to the RMF provides a connection to the CSF. Previously, many companies implemented the two separately, but the update cross-references them, which will allow companies to align them more easily and provides an effective methodology for managing security and privacy risks. For companies looking to build industry-standard cyber security programs that meet GDPR requirements, the update to the RMF could aid their efforts. (Note: The CSF also provides a mapping to ISO 27001, which may be of interest to some.)
NIST SP 800-53 provides a library of privacy and security controls that supports organizations in building security and privacy programs that effectively maintain control over data across its lifecycle, including inbound and outbound data flows. The RMF update provides a disciplined, structured process for selecting controls from this catalog, helping organizations determine the controls they need to apply, based on their unique structure, regulatory requirements, and threat landscape.
The update also highlights the importance of integrating security and privacy controls during the early stages of information systems development, making the tracking of security and privacy requirements more efficient. Levels 1 and 2 of the RMF push organizations to establish categorization and organization methods for assessing risks, while Level 3 leverages these established methods to assess, prioritize, and address the risks surrounding these systems.
Although NIST frameworks are not international standards, they can be used to meet many of the GDPR’s requirements; however, organizations will have to compare them carefully against the GDPR to identify any gaps. The RMF’s new emphasis on data privacy, and its clearer guidance on selecting and implementing robust privacy controls, policies, and procedures, could make it easier for companies to determine where this framework aligns with the GDPR.
Download our quick guide to NIST and the GDPR to gain a better understanding of how the two align.
The GDPR is a highly complex piece of legislation with harsh penalties for non-compliance. But it is important for organizations to understand that existing privacy and security frameworks can aid in their transition to the GDPR. ISO 27000 is an international standard that EU DPAs already recognize and generally accept. For organizations that currently use NIST frameworks, analyzing where these align with the GDPR and identifying any gaps will be a significant help in maintaining compliance with GDPR requirements.
Disclaimer: Focal Point Data Risk, LLC is not a law firm and does not provide legal advice. This content is intended for informational purposes only.