Last Updated on January 10, 2024
Data protection—safeguarding the personal data of customers, employees, and other stakeholders—is the focus of privacy regulations like the EU’s GDPR and California’s CPRA. Data protection is also a primary goal of any information security program.
Does this alignment around data protection mean that a comprehensive information security framework like ISO 27001 can support compliance with privacy laws?
This article explores the link between ISO 27001 and data protection, including how ISO 27001 supports privacy compliance.
What is data protection?
Data protection is about securing personal data from misuse, loss, or damage. This includes any data that can be associated with individuals or used to uniquely identify them, including Social Security number, driver’s license number, email address, gender, ethnicity, family members’ names, fingerprints, photos, healthcare data, political beliefs, and much more.
Besides keeping data secure, data protection must also support rules to protect individuals’ privacy rights. These rights often include:
- The right to access, correct, erase, or transfer their personal data
- The right to withhold or withdraw consent to hold or process their personal data
- Data breach notification requirements designed to protect individuals
- A requirement for organizations to name a data protection officer to serve as a privacy advocate
A key tenet of data protection activities is data lifecycle management. This is the process of automating how, where, and when data is stored, cataloged, backed up, and deleted. Also important is data availability—making sure that data subjects, business users, and other stakeholders can always access their personal data on request.
How is data protection different from information security?
Data protection and information security seem like they could be synonymous terms. They overlap but do not mean the same thing.
Data protection, also called information protection or information privacy, focuses on compliance with individuals’ applicable privacy rights. Often this includes the right to determine or limit how ones’ data is used.
Information security, often called cybersecurity, is more broadly focused on safeguarding all kinds of sensitive data, not just personal data. This includes digital data, voice recordings, images, and hardcopy material. Keeping information secure means preventing its theft, destruction, loss, damage, misuse, or unauthorized access.
Another subset of information security is IT security—protecting electronically stored data and associated IT systems. This includes securing digital data while it is being moved or processed.
How can ISO 27001 help with data protection and privacy compliance?
As the international “gold standard” among independently attested information security certifications, ISO 27001 fundamentally helps businesses protect personal data by providing a best-practice framework for identifying, evaluating, and mitigating information security risks—including those related to personal data.
As a “certifiable” framework, ISO 27001 also helps organizations demonstrate compliance with privacy laws as well as other cybersecurity regulations.
Specific areas where an ISO 27001 certified information security management system (ISMS) directly supports data protection and privacy law compliance include:
- Helping you identify and manage personal data, including where and for how long it is stored, and who can access it
- Making sure personal data is always available and its integrity and confidentiality are maintained
- An emphasis on risk assessment, which ensures that risks to personal data are identified and addressed
- Mandating that suppliers and other third parties protect personal data assets they have access to
- Requiring breach notification practices similar to GDPR and other privacy laws
- Greatly reducing the likelihood and severity of a data breach involving personal data
Does an ISO 27001 certification make us compliant with privacy laws?
Does compliance with ISO 27001 “automatically” make an organization compliant with GDPR or other privacy laws?
Most likely not. For example, many privacy laws mandate requirements to support privacy rights, such as the right to request deletion of one’s data (the so-called “right to be forgotten”). ISO 27001 does not specifically address these privacy requirements.
However, ISO 27001 compliance would be a major step toward compliance with any privacy law. This is why GDPR requires companies to apply cybersecurity best practices, such as ISO 27001 compliance, to minimize the risk of a data breach.
What additional controls might an ISO 27001 certified organization need to achieve compliance with GDPR, CPRA, or other privacy legislation? The usual first step is to conduct a gap assessment to identify privacy-related controls or capabilities that you currently lack.
How can ISO 27701 help with privacy compliance?
As part of the ISO 27000 “family of standards,” ISO 27001 offers the ability to “add on” controls to support specialized cybersecurity requirements in areas like data privacy and cloud computing.
ISO 27701 is a unique “certifiable extension” to ISO 27001 for privacy information management. By implementing ISO 27701 controls, an ISO 27001 certified organization can extend its ISMS to incorporate a privacy information management system (PIMS). This includes both protecting and processing personal data.
By implementing the ISO 27701 controls and certifying a PIMS alongside its ISMS, an organization can potentially meet all its privacy compliance requirements.
To get started on a gap assessment of your current environment, or to find out more about getting ready for data protection and privacy compliance, contact Pivot Point Security.