GDPR is a stringent legal framework protecting the personal data rights of individuals in the European Union. Implementation centres on documented, risk-based controls: a Data Protection Impact Assessment for high-risk processing, transparency to data subjects, handling of their rights, and breach notification. The business benefit is sustained regulatory compliance, reduced financial risk and enhanced stakeholder trust.
What is GDPR?
The General Data Protection Regulation (GDPR) is a law that protects the personal data of people in the European Union (EU). It gives people more control over their own information. Companies must follow strict rules for collecting, storing, and using personal data. The law makes sure that companies are open and honest about what they do with personal information.
Examples
- Cookie pop-ups: When you visit a website, you often see a message about cookies asking for permission to store data on your device and track you. The requirement to ask comes from the ePrivacy Directive; GDPR sets the standard that consent must meet (freely given, specific, informed and unambiguous), which is why the pop-ups changed in 2018.
- Data breach notice: If a company that holds your information is hacked, it must tell the regulator within 72 hours of becoming aware and, where the breach is likely to put you at high risk, tell you without undue delay.
- “Right to be forgotten”: You can ask a company to delete your personal data. For example, you can contact an online store and ask it to remove your address and order history. The right is not absolute: the store may keep records it is legally required to retain, such as invoices for tax purposes.
- Clear privacy policies: Companies must have easy-to-read privacy policies that explain what information they collect and why. These policies can’t be full of confusing legal words.
Context
The GDPR was adopted in 2016 and has applied since 25 May 2018. It replaced the 1995 Data Protection Directive, which predated the scale of data collection that happens online today. The main goal of GDPR is to make sure that people’s right to privacy is respected. It applies to any organisation in the world that processes the data of people in the EU, not just organisations located there (Article 3). The law also gives supervisory authorities the power to issue large fines to organisations that don’t follow the rules.
How to implement GDPR
1. Provision a Data Protection Impact Assessment (DPIA)
Provision a formal DPIA process to identify and mitigate risks from processing that is likely to result in a high risk to individuals (Article 35), such as large-scale profiling or processing of special category data: Running the DPIA before the project starts is how privacy by design and by default (Article 25) gets built into technical work rather than bolted on. Key requirements include:
- Documenting the necessity and proportionality of the processing operations.
- Identifying specific technical risks to the rights and freedoms of data subjects and the measures that reduce them.
- Feeding the results into the ISMS risk assessment (Clause 6.1.2) and the risk treatment plan (Clause 6.1.3), so that the same register drives both GDPR and ISO 27001 evidence.
2. Audit the Information Asset Register for PII
Audit the centralised Asset Register to identify 100% of the data sets containing personal data: You cannot protect what you have not identified, making this step critical for Annex A 5.9 compliance. Technical actions include:
- Mapping data flows between internal systems and third-party cloud service providers.
- Categorising PII based on sensitivity, such as health data or financial records.
- Documenting the physical and logical location of all personal data repositories.
3. Formalise Privacy Notices and Consent Mechanisms
Formalise citable privacy notices that clearly communicate how the organisation processes personal data: This meets the transparency requirements of Articles 13 and 14 (information to be provided when data is collected from the subject, or obtained from elsewhere) and, where consent is the lawful basis, the conditions for valid consent in Article 7. Requirements involve:
- Updating website privacy policies to state each purpose, its lawful basis and the data retention period.
- Implementing granular, unticked consent checkboxes for marketing and data sharing, with withdrawal as easy as giving consent.
- Ensuring all notices are written in clear and plain language, as Article 12 requires.
4. Appoint a Data Protection Officer (DPO)
Formalise the appointment of a DPO to oversee data protection strategy and implementation: A DPO is mandatory where Article 37 applies (public authorities, large-scale regular and systematic monitoring, or large-scale processing of special category or criminal data) and is good practice otherwise. The role provides the independent oversight GDPR expects and aligns with ISO 27001 governance requirements. Key actions include:
- Defining the DPO’s reporting line directly to senior management, with the independence and resources Article 38 requires.
- Assigning formal roles and responsibilities within the ISMS for data protection.
- Establishing the DPO as the primary point of contact for regulatory authorities.
5. Enforce Encryption and Multi-Factor Authentication (MFA)
Enforce technical controls to protect PII at rest and in transit: Article 32 is technology-neutral, naming encryption and pseudonymisation as examples of appropriate measures rather than mandating specific algorithms, but these controls are what auditors evaluating Annex A 8.24 cryptographic controls expect to see. Implementation steps involve:
- Encrypting all databases containing personal data at rest (for example AES-256), with keys held separately from the data in a KMS or HSM.
- Provisioning Multi-Factor Authentication (MFA) for 100% of administrative access to PII.
- Utilising TLS 1.2 or later, preferably TLS 1.3, for all data moving across public or internal networks.
6. Formalise Data Subject Access Request (DSAR) Procedures
Formalise a structured workflow to respond to DSARs within the statutory one month, extendable by two further months for complex or numerous requests (Article 12(3)): This ensures the organisation can efficiently uphold the right of individuals to access their data (Article 15). Technical requirements include:
- Implementing automated search tools to locate PII across the technical estate.
- Training staff on how to recognise and escalate a DSAR immediately.
- Documenting the identity verification process so that data is released only to the data subject or someone verified to act on their behalf.
7. Audit Data Processing Agreements (DPA) for Vendors
Audit 100% of third-party contracts to ensure a valid DPA with the Article 28 terms is in place: This manages supply chain risk and ensures that processors handle PII according to your security standards. Implementation steps involve:
- Reviewing existing contracts and Service Level Agreements (SLAs) for GDPR compliance clauses, including sub-processor approval and breach notification timelines.
- Enforcing Right to Audit clauses in all high-risk external contracts.
- Mapping international transfers of personal data to ensure a valid Chapter V mechanism (adequacy decision, Standard Contractual Clauses or Binding Corporate Rules) is used.
8. Provision Mandatory Security Awareness Training
Provision regular data protection training for all employees and contractors: This reduces the risk of human error, such as misdirected e-mail, which is a common cause of reported personal data breaches. Training requirements include:
- Conducting simulated phishing exercises to test staff vigilance.
- Providing specific training for IAM roles with access to sensitive data sets.
- Recording attendance as objective evidence for the ISO 27001 certification audit.
9. Formalise Data Breach Notification Procedures
Formalise a specific incident response playbook for personal data breaches: This ensures the organisation can meet the Article 33 requirement to notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware. Breaches unlikely to result in a risk to individuals need not be notified but must still be recorded internally (Article 33(5)). Technical actions include:
- Configuring automated alerts for unauthorised or anomalous access to PII repositories, so that the 72-hour clock is not lost to slow detection.
- Defining a breach response team with citable roles and responsibilities, including who decides whether notification is required.
- Conducting at least annual tabletop exercises to test the speed of the detection-to-notification process.
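The first bullet above is the one most often left vague. The following is an added example, not code from the original page, of what “automated alerts for unauthorised access to PII repositories” can look like in practice: a small rule engine run over database audit events. It assumes a hypothetical JSON audit-log format (fields `ts`, `principal`, `action`, `table`, `rows`) and a hypothetical allow-list of service accounts entitled to read each personal-data table; the log lines are constructed for the demo.

```python
"""Alerting on suspicious access to a personal-data store.

Added example, not the page's own code. Assumes a database audit log that
emits one JSON object per statement with the hypothetical fields used below,
and an allow-list of principals entitled to read each PII table.
"""
import json
from datetime import datetime, timezone

# Hypothetical: which principals may read which personal-data tables.
PII_TABLE_ALLOWLIST = {
    "customers": {"svc-crm", "svc-dsar-search"},
    "health_records": {"svc-clinical"},
}

# Reads above this many rows in one statement are treated as a bulk export.
BULK_ROW_THRESHOLD = 5000


def parse_event(line):
    """Parse one audit line; returns None for malformed input instead of raising."""
    try:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        return ev
    except (ValueError, KeyError, TypeError, AttributeError):
        return None


def evaluate(ev):
    """Return a list of alert strings for a single parsed event."""
    alerts = []
    table = ev.get("table")
    if table not in PII_TABLE_ALLOWLIST:
        return alerts                      # not a personal-data table
    principal = ev.get("principal", "")
    if principal not in PII_TABLE_ALLOWLIST[table]:
        alerts.append(f"UNAUTHORISED_PRINCIPAL {principal} -> {table}")
    if ev.get("action") == "SELECT" and ev.get("rows", 0) > BULK_ROW_THRESHOLD:
        alerts.append(f"BULK_READ {principal} read {ev['rows']} rows from {table}")
    # Human accounts (anything not svc-*) touching PII outside 07:00-19:00 UTC.
    hour = ev["ts"].astimezone(timezone.utc).hour
    if not principal.startswith("svc-") and not 7 <= hour < 19:
        alerts.append(f"OUT_OF_HOURS {principal} -> {table} at {ev['ts'].isoformat()}")
    return alerts


def scan(lines):
    """Run every rule over every line; returns (alerts, malformed_line_count)."""
    alerts, malformed = [], 0
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            malformed += 1                 # count, don't silently drop
            continue
        alerts.extend(evaluate(ev))
    return alerts, malformed


# Constructed sample audit lines (not real data).
SAMPLE_LOG = [
    '{"ts":"2024-03-04T10:15:00Z","principal":"svc-crm","action":"SELECT","table":"customers","rows":12}',
    '{"ts":"2024-03-04T10:16:00Z","principal":"svc-crm","action":"SELECT","table":"customers","rows":250000}',
    '{"ts":"2024-03-04T02:40:00Z","principal":"jsmith","action":"SELECT","table":"health_records","rows":3}',
    '{"ts":"2024-03-04T11:00:00Z","principal":"svc-billing","action":"SELECT","table":"invoices","rows":900}',
    "not json at all",
]

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(f"{bad} malformed line(s) skipped")
```

Malformed lines are counted rather than ignored because a sudden rise in unparseable audit events is itself worth an alert: it can mean the audit pipeline, not the database, has been tampered with.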
10. Enforce and Audit Data Retention Schedules
Delete (or irreversibly anonymise) data that has exceeded its retention period and audit that the deletion happened: This ensures compliance with the GDPR principle of storage limitation (Article 5(1)(e)). Implementation involves:
- Implementing automated deletion jobs for records past their retention date, with a documented exception process for legal holds and other retention obligations.
- Conducting annual spot checks to verify that expired “Data at Rest” is purged from primary stores, replicas and backups alike.
- Updating the Asset Register to reflect the current status of deleted information.
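As an added example (not the page's own code), here is the shape of a retention-enforcement job covering the first bullet, including the two cases that a naive “delete everything older than N days” script gets wrong: records under legal hold, and records in a category with no agreed schedule. The retention schedule, record fields and sample data are all hypothetical and constructed for the demo; a production version would run the same partition logic and then issue the deletes against the real store, writing the audit trail to append-only storage.

```python
"""Retention-schedule enforcement with legal-hold and unknown-category handling.

Added example, not the page's own code. Record fields, categories and
retention periods are hypothetical; sample data is constructed.
"""
from datetime import date, timedelta

# Hypothetical retention schedule in days per data category.
RETENTION_DAYS = {
    "marketing_contact": 730,   # 2 years after last interaction
    "order_history": 2190,      # 6 years (tax record keeping)
    "support_ticket": 1095,     # 3 years
}


def expiry_date(record):
    """Date on which a record leaves its retention window."""
    return record["last_activity"] + timedelta(days=RETENTION_DAYS[record["category"]])


def enforce_retention(records, today, legal_holds):
    """Partition records into (to_delete, retained) and return an audit trail.

    legal_holds: ids that must be kept regardless of age, e.g. because of
    litigation or a regulator request. Article 17(3) permits retention where
    a legal obligation requires it, so the hold wins over the schedule.
    Each audit entry is (record_id, decision, reason).
    """
    to_delete, retained, audit = [], [], []
    for rec in records:
        if rec["category"] not in RETENTION_DAYS:
            # Fail safe: never delete data nobody has classified, but flag it.
            retained.append(rec)
            audit.append((rec["id"], "RETAINED", "no schedule defined; needs review"))
            continue
        exp = expiry_date(rec)
        if exp > today:
            retained.append(rec)           # still inside the window, nothing to log
            continue
        if rec["id"] in legal_holds:
            retained.append(rec)
            audit.append((rec["id"], "RETAINED", f"expired {exp} but under legal hold"))
            continue
        to_delete.append(rec)
        audit.append((rec["id"], "DELETED", f"expired {exp}"))
    return to_delete, retained, audit


# Constructed sample data (not real personal data).
SAMPLE_RECORDS = [
    {"id": "r1", "category": "marketing_contact", "last_activity": date(2021, 1, 10)},
    {"id": "r2", "category": "marketing_contact", "last_activity": date(2023, 9, 1)},
    {"id": "r3", "category": "order_history", "last_activity": date(2016, 5, 2)},
    {"id": "r4", "category": "order_history", "last_activity": date(2017, 11, 30)},
    {"id": "r5", "category": "chat_transcript", "last_activity": date(2015, 1, 1)},
]
TODAY = date(2024, 3, 4)
LEGAL_HOLDS = {"r4"}

if __name__ == "__main__":
    deleted, kept, trail = enforce_retention(SAMPLE_RECORDS, TODAY, LEGAL_HOLDS)
    for entry in trail:
        print(entry)
    print(f"{len(deleted)} to delete, {len(kept)} retained")
```

The audit trail, not the deletion itself, is what the annual spot check in the second bullet is verified against, so every decision that departs from the plain schedule (hold, unclassified) gets its own entry.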
GDPR FAQ
What is the relationship between ISO 27001 and GDPR?
ISO 27001 provides much of the groundwork for GDPR but none of its legal obligations. GDPR is a legal mandate for protecting personal data; ISO 27001 provides the Information Security Management System (ISMS) through which the technical and organisational measures Article 32 requires are selected, implemented and evidenced.
Is ISO 27001 certification enough for GDPR compliance?
No, ISO 27001 certification does not guarantee GDPR compliance, although it provides a substantial foundation. Organisations must still address specific GDPR obligations such as identifying a lawful basis for each processing purpose, appointing a Data Protection Officer (DPO) where Article 37 requires one, answering Data Subject Access Requests (DSARs) within one month, and maintaining an Article 30 record of processing activities.
How long do I have to report a GDPR data breach, and how does ISO 27001 help?
Under GDPR Article 33, you must notify the relevant supervisory authority (for UK organisations the ICO, which applies the UK GDPR) without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals. ISO 27001 Control 5.24 (incident management planning and preparation) supports this by requiring formalised incident response processes that mandate immediate internal escalation and technical containment, which is what makes the 72-hour window achievable.
What are the maximum fines for GDPR non-compliance?
GDPR administrative fines have two tiers: up to €10 million or 2% of annual global turnover for breaches of obligations such as security and record keeping (Article 83(4)), and up to €20 million or 4% for breaches of the core principles, data subject rights or international transfer rules (Article 83(5)), in each case whichever is higher. Article 83(2) lists the technical and organisational measures in place as a factor in setting the amount, so implementing ISO 27001 reduces financial risk by providing citable evidence of due diligence to regulators.
What mandatory technical controls does GDPR require?
GDPR does not prescribe specific technologies. Article 32 requires technical and organisational measures appropriate to the risk and names, as examples, pseudonymisation and encryption, ongoing confidentiality, integrity, availability and resilience of systems, the ability to restore availability after an incident, and regular testing of the measures. The controls commonly used to meet it, mapped to ISO 27001 Annex A, are:
- Encryption: Utilising AES-256 for data at rest and TLS 1.2 or later for data in transit (Annex A 8.24).
- Access Control: Enforcing Multi-Factor Authentication (MFA) for 100% of administrative PII access (Annex A 8.5).
- Pseudonymisation: Replacing direct identifiers with tokens such that the data cannot be attributed to a specific subject without additional information that is kept separately (Article 4(5)).
- Vulnerability Management: Conducting regular authenticated scans, monthly being a common cadence, to identify technical gaps (Annex A 8.8), and testing the measures as Article 32(1)(d) requires.
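Pseudonymisation is the bullet most often implemented wrongly, by hashing the identifier with an unkeyed SHA-256 and calling the result a pseudonym. The following is an added example, not code from the original page, showing why that fails and what the Article 4(5) “additional information kept separately” looks like in code: a keyed HMAC whose key lives apart from the data set. The key, e-mail addresses and analytics rows are constructed placeholders.

```python
"""Keyed pseudonymisation of identifiers, and why an unkeyed hash is not enough.

Added example, not the page's own code. DEMO_KEY is a constructed
placeholder; in practice the key lives in a KMS/HSM, separate from the
pseudonymised data set, so the data cannot be re-attributed without it.
"""
import hashlib
import hmac

# Constructed 256-bit key for the demo only. Never hard-code a real one.
DEMO_KEY = bytes.fromhex("9f" * 32)


def pseudonymise(identifier, key=DEMO_KEY):
    """Deterministic pseudonym: same identifier + same key -> same token.

    Determinism keeps rows for one person linkable for analytics; the key is
    the 'additional information' without which attribution is infeasible.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def naive_hash(identifier):
    """Unkeyed SHA-256 of the identifier: the weak approach this example contrasts."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()[:32]


def reidentify_by_dictionary(token, candidates, fn):
    """Attacker's view: compute fn over guessable identifiers and compare tokens."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def pseudonymise_rows(rows, key=DEMO_KEY):
    """Replace the raw e-mail in each analytics row with its pseudonym."""
    return [(pseudonymise(email, key), event, amount) for email, event, amount in rows]


# Constructed sample analytics rows that should not carry raw e-mail addresses.
RAW_ROWS = [
    ("alice@example.com", "purchase", 42.0),
    ("bob@example.com", "refund", -10.0),
    ("alice@example.com", "purchase", 17.5),
]
# E-mail addresses are low-entropy: an attacker can enumerate plausible ones.
GUESSABLE = ["alice@example.com", "bob@example.com", "carol@example.com"]

if __name__ == "__main__":
    weak = naive_hash("alice@example.com")
    strong = pseudonymise("alice@example.com")
    print("unkeyed hash re-identified as:", reidentify_by_dictionary(weak, GUESSABLE, naive_hash))
    print("keyed pseudonym re-identified as:", reidentify_by_dictionary(strong, GUESSABLE, naive_hash))
    for row in pseudonymise_rows(RAW_ROWS):
        print(row)
```

Rotating the key produces an entirely new set of tokens, which is useful when a data set is shared with a new processor (rows from different shares cannot be joined), and is also why the key-to-dataset mapping must be recorded in the asset register: without it, a DSAR cannot locate the subject's rows either.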
Related ISO 27001 Controls
| Related ISO 27001 Control / Concept | Relationship Description |
|---|---|
| ISO 27001 Annex A 5.34: Privacy and Protection of PII | Core Alignment: This is the primary control for GDPR compliance, as it mandates that the organization identifies and follows all applicable laws and regulations regarding the privacy and protection of personal data. |
| ISO 27001 Annex A 5.31: Legal and Regulatory Requirements | Legal Basis: Since GDPR is a legal framework, this control requires organizations to explicitly identify it as a mandatory requirement and ensure the ISMS is designed to meet its obligations. |
| ISO 27001 Annex A 5.33: Protection of Records | Data Handling: Personal data often constitutes “records” that must be protected from loss, destruction, or unauthorized access, aligning with GDPR’s storage limitation and security principles. |
| ISO 27001 Annex A 5.5: Contact with Authorities | Breach Reporting: GDPR mandates notifying supervisory authorities (like the ICO) in the event of a significant data breach. This control ensures the organization has established the necessary communication channels. |
| ISO 27001 Annex A 5.26: Response to Incidents | Accountability: Requires a structured process to handle security events, which is essential for meeting the GDPR requirement to detect, investigate, and report data breaches within 72 hours. |
| Glossary: Privacy and Protection of PII | Related Concept: Defines Personally Identifiable Information (PII), the ISO term that broadly corresponds to the “personal data” the GDPR is designed to protect. |
| Glossary: Breach | Impact: A data breach is the primary risk GDPR seeks to mitigate; understanding this term is vital for implementing the law’s notification and security requirements. |
| ISO 27001 Glossary of Terms (Main Index) | Parent Directory: The central index where GDPR is listed as a critical external legal issue and regulatory requirement for modern information security. |