What is the GDPR?
The EU's General Data Protection Regulation (GDPR) is the result of four years of work by the EU to bring data protection legislation into line with new, previously unforeseen ways that data is now used.
Why was the GDPR drafted?
The drivers behind the GDPR are twofold. Firstly, the EU wants to give people more control over how their personal data is used, bearing in mind that many companies like Facebook and Google swap access to people's data for use of their services. The current legislation was enacted before the internet and cloud technology created new ways of exploiting data, and the GDPR seeks to address that. By strengthening data protection legislation and introducing tougher enforcement measures, the EU hopes to improve trust in the emerging digital economy.
Secondly, the EU wants to give businesses a simpler, clearer legal environment in which to operate, making data protection law identical throughout the single market (the EU estimates this will save businesses a collective €2.3 billion a year).
Who does the GDPR apply to?
'Controllers' and 'processors' of data need to abide by the GDPR. A data controller determines how and why personal data is processed, while a processor is the party that carries out the actual processing of the data. The controller could be any organisation, from a profit-seeking company to a charity or government body. A processor could be an IT firm doing the actual data processing on the controller's behalf.
Even if controllers and processors are based outside the EU, the GDPR will still apply to them so long as they're dealing with data belonging to EU residents.
It's the controller's responsibility to ensure their processor abides by data protection law and processors must themselves abide by rules to maintain records of their processing activities. If processors are involved in a data breach, they are far more liable under GDPR than they were under the Data Protection Act.
What are your options?
Certifications are a new feature of EU data protection law introduced by the GDPR. The Regulation expressly recognises certifications from approved and accredited certification bodies as acceptable mechanisms for demonstrating compliance. Certifications are scalable and there are choices available, depending on the size and nature of the organisation. Certification schemes serve as useful declarations of assurance for consumers interested in engaging with commercial entities that adhere to desired principles and practices.
ISO 27001 is the information security standard
ISO 27001 (Information Security Management Systems) is the international best-practice standard for information security. ISO 27001:2013, the current version of the standard, provides a set of standardised requirements for an information security management system (ISMS). ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect personal data; in particular, it specifies controls within ISO/IEC 27001 that take into consideration the regulatory requirements for the protection of personal data.
ISO 27001 certification is suitable for any organisation, large or small, and in any sector. The standard is especially suitable where the protection of information is critical, such as in the banking, financial, health, public and IT sectors. The standard is also very applicable for organisations which manage high volumes of data or information on behalf of other organisations such as data centres and IT outsourcing companies.