GDPR (General Data Protection Regulation) - My company is ISMS certified


dsheaffe

Involved In Discussions
#2
The short answer is no. While there will be some overlap between the two regimes from a policy perspective, the GDPR has a number of areas that are not covered by 27001.
 

Ian_Morris

Involved In Discussions
#4
From my perspective the overlap is in three areas:

GDPR requires privacy by design - ISO27001 would require PDCA / PDSA of your processes in relation to processing and managing information (the confidentiality and integrity parts in particular).

GDPR requires that you protect the information from release or destruction, either accidentally or intentionally - this is the same as for ISO27001.

ISO27001 requires that you identify and meet all legal and regulatory requirements - as GDPR is central to data processing, it is required that, as an ISO27001 certified firm, you have determined what your obligations will be under the legislation and put in place appropriate controls to mitigate the risks identified.

ISO27001 requires that you have a process and policy for controlling records. Most organisations would not necessarily think of their HR records, financial records, health records, marketing information and promotional information, as being part of this process as they will focus on records relating to the delivery of the product or service. GDPR requires that you provide information to any person, including employees, what personal information you hold on them, what you will use it for and how long you will keep that information.

There are some very significant areas where simply having ISO27001 will not help including:

Are you a data controller or data processor (or both)?
Do you have to have a data protection officer?
Will you have to carry out a Privacy Impact Assessment (PIA)?
What sort of personal data do you process?
Do you have appropriate registration with Information Commissioners Office (if you are in the UK)?
Have you mapped out all of the processes where personal data is processed?
What is the basis for holding and processing personal data, e.g. informed consent or legitimate / lawful purpose?

Subject access requests - all individuals will have a right to be supplied with details of data that you hold on them, in any format, within a specific period of time (1 month). You are required to

Breach policy - You will need to have an effective policy and procedure in place to identify and manage breaches. There is a statutory responsibility to report any breaches to anyone affected by a breach within 72 hours of the breach occurring.

Location of information - this one may be specific to the EU, but if you are processing personal data for EU citizens there are rules about where and how you are allowed to store data that must be complied with.

Contracts - employment, client and supplier contracts will need to be reviewed and updated to reflect the new requirements.

Consent and right to be forgotten - You will need the ability to delete all records of an individual if they ask you to do this and it is allowable / appropriate to do so (this element only refers to consent circumstances and not to lawful / legitimate processing).

Data portability - Can you port information to another organisation where the user asks you to do this? (This one will relate more to utility and B2C companies where the data processing is the primary activity.)

There are other areas that are relevant as well that will need to be addressed and I am not suggesting for a second that all elements will apply to all organisations, but it hopefully gives you a flavour of where the differences lie.

I would suggest doing some research to ensure that you are compliant, as the penalties are potentially onerous financially and some carry criminal sanctions as well as civil ones.

Happy hunting

Ian
 