The Cove Business Standards Discussion Forums
GDPR (General Data Protection Regulation) - My company is ISMS certified
Some Related Topic Tags
gdpr (eu general data protection regulation), isms (information security management system)
  Post Number #1  
Old 28th February 2018, 09:38 AM
smohanarangan
GDPR (General Data Protection Regulation) - My company is ISMS certified

My company is ISMS certified; does this mean it is complying with all required regulations?

  Post Number #2  
Old 28th February 2018, 06:28 PM
dsheaffe
Re: GDPR (General Data Protection Regulation) - My company is ISMS certified

The short answer is no. While there will be some overlap between the two regimes from a policy perspective, the GDPR has a number of areas that are not covered by 27001.
  Post Number #3  
Old 5th March 2018, 09:45 AM
smohanarangan
Re: GDPR (General Data Protection Regulation) - My company is ISMS certified

Thanks for the info; could you specify the areas of overlap?
  Post Number #4  
Old 6th March 2018, 04:53 AM
Ian_Morris
Re: GDPR (General Data Protection Regulation) - My company is ISMS certified

From my perspective the overlap is in three areas:

GDPR requires privacy by design - ISO27001 would require PDCA / PDSA of your processes in relation to processing and managing information (the confidentiality and integrity parts in particular).

GDPR requires that you protect the information from release or destruction, either accidentally or intentionally - this is the same as for ISO27001.

ISO27001 requires that you identify and meet all legal and regulatory requirements - as GDPR is central to data processing, it is required that, as an ISO27001 certified firm, you have determined what your obligations will be under the legislation and put in place appropriate controls to mitigate the risks identified.

ISO27001 requires that you have a process and policy for controlling records. Most organisations would not necessarily think of their HR records, financial records, health records, marketing information and promotional information as being part of this process, as they will focus on records relating to the delivery of the product or service. GDPR requires that you provide any person, including employees, with information about what personal information you hold on them, what you will use it for and how long you will keep that information.

There are some very significant areas where simply having ISO27001 will not help including:

Are you a data controller or data processor (or both)?
Do you have to have a data protection officer?
Will you have to carry out a Privacy Impact Assessment (PIA)?
What sort of personal data do you process?
Do you have appropriate registration with the Information Commissioner's Office (if you are in the UK)?
Have you mapped out all of the processes where personal data is processed?
What is the basis for holding and processing personal data, e.g. informed consent or legitimate / lawful purpose?

Subject access requests - all individuals will have a right to be supplied with details of data that you hold on them, in any format, within a specific period of time (1 month). You are required to

Breach policy - You will need to have an effective policy and procedure in place to identify and manage breaches. There is a statutory responsibility to report any breaches to anyone affected by a breach within 72 hours of the breach occurring.

Location of information - this one may be specific to the EU, but if you are processing personal data for EU citizens there are rules about where and how you are allowed to store data that must be complied with.

Contracts - employment, client and supplier contracts will need to be reviewed and updated to reflect the new requirements.

Consent and right to be forgotten - You will need the ability to delete all records of an individual if they ask you to do this and it is allowable / appropriate to do so (this element only refers to consent circumstances and not to lawful / legitimate processing).

Data portability - Can you port information to another organisation where the user asks you to do this (this one will relate more to utility and B2C companies where the data processing is the primary activity).

There are other areas that are relevant as well that will need to be addressed and I am not suggesting for a second that all elements will apply to all organisations, but it hopefully gives you a flavour of where the differences lie.

I would suggest doing some research to ensure that you are compliant, as the penalties are potentially onerous financially and some carry criminal sanctions as well as civil ones.

Happy hunting

Ian