Six steps to leverage ISO and Information Security to ease GDPR pressures

15 January 2018

While organisations brace for the impact of GDPR, there are ways of being more agile in the post-implementation phase, according to an expert at consulting firm RGP. To reduce the large potential costs of staying compliant with the new rules, firms could leverage an existing ISO-certified Information Security Management System to gain quicker insight into what is needed and what has to change, according to Jan Ermens, a consultant with RGP.

In May 2018, the long-heralded GDPR comes into effect. The huge change in privacy law and data management is predicted to have a big impact on businesses around the world – and compliance with the new rules could cost large companies millions in investments. However, as costly as compliance seems, it pales in comparison with the potential fines which could be levied on unprepared businesses. Companies that fail to comply will face punitive reckoning, should they fall foul of the EU’s General Data Protection Regulation after May 25th.

As a result, many organisations are currently scrambling to become GDPR-compliant, with good reason. As the clock runs down, GDPR initiatives pose some significant challenges which are not easily addressed thanks to the cost and narrowing timeline, as well as a lack of clarity regarding whose responsibility it is in an organisation to achieve GDPR compliance. Businesses also need to overcome low levels of confidence when identifying risks, and consider compliance beyond the May 2018 deadline – as many GDPR projects are not sufficiently future-proof, according to Jan Ermens, a consultant at RGP.

Speaking on the growing pressures of GDPR-related workloads, Ermens commented that there is a bright side, however. According to the management consultant, who specialises in information management, organisations don’t need to reinvent the wheel when designing and putting in place processes and systems. Preparation for GDPR could instead be eased by organisations making efficient and effective use of their pre-existing Information Security Management System (ISMS).

“ISMS is often closely aligned with (parts of) ISO27001, a certifiable international best practice to protect an organisation’s information by implementing controls which encompass people, processes, and technology,” Ermens said, adding, “An ISO27001 certified ISMS is supported by top leadership and is part of the organisation’s culture and strategy. It uses a risk-based approach which is constantly monitored, updated, and reviewed. By continually identifying and reducing risks, your organisation will be able to ensure that information will be adequately protected in changing circumstances.”

To help organisations demonstrate that they are actively managing data security in line with international best practice, the GDPR includes provisions that encourage the use of certification schemes such as ISO 27001. This in particular could present a major opportunity for teams preparing for GDPR compliance.

Six step process

Ermens’ advice suggests that companies may well discover they already have substantial controls in place that protect personal data, thanks to previous data protection regulations and an increased emphasis on privacy in the age of information. Rather than implementing controls indiscriminately to reduce data breach risks, firms could implement effective and adequate security measures based on the outcomes of a formal risk assessment, which is already part of their pre-existing ISMS. As a result, organisations could well save time and money, while future GDPR compliance can be incorporated into their existing ISMS as a matter of course.

Six steps are recommended by Ermens in order to best leverage ISMS when seeking GDPR-compliance. The first step is to identify where personal data resides and where and how it is processed. Then, firms should identify the risks which could cause a breach of that personal data. After this, organisations should look to mitigate said risks by applying appropriate measures and controls.

The fourth step sees companies actually implementing policies and procedures to support the controls. This is not the end of the process, however – and stopping here could leave compliance insufficiently future-proofed beyond the initial implementation of the GDPR. Ermens instead suggests that firms take a fifth step of regularly testing and auditing the effectiveness of controls, before finally reviewing risks, reporting, and updating their plans on a regular basis, as part of their ISMS.

Ermens, who is a former Project Manager for Information Security with NSW Treasury, concluded: “Our experience at RGP shows that leveraging an ISMS takes less effort and leads to a higher success rate of GDPR-compliance initiatives. It will substantially increase the level of confidence of having covered all risks and makes sure GDPR-compliance is part of your organisation’s management framework.”