GDPR (General Data Protection Regulation) - My company is ISMS certified


Involved In Discussions
The short answer is no. While there will be some overlap between the two regimes from a policy perspective the GDPR has a number of areas that are not covered by 27001


Involved In Discussions
From my perspective the overlap is in three areas:

GDPR requires privacy by design - ISO27001 would require PDCA / PDSA of your processes in relation to processing and managing information (the confidentiality and integrity parts in particular).

GDPR requires that you protect the information from release or destruction, either accidentally or intentionally - this is the same as for ISO27001.

ISO27001 requires that you identify and meet all legal and regulatory requirements - as GDPR is central to data processing, it is required that as an ISO27001 certified firm that you have determined what your obligations will be under the legislation and put in place appropriate controls to mitigate the risks identified.

ISO27001 requires that you have a process and policy for controlling records. Most organisations would not necessarily think of their HR records, financial records, health records, marketing information and promotional information, as being part of this process as they will focus on records relating to the delivery of the product or service. GDPR requires that you provide information to any person, including employees, what personal information you hold on them, what you will use it for and how long you will keep that information.

There are some very significant areas where simply having ISO27001 will not help including:

Are you a data controller or data processor (or both)?
Do you have to have a data protection officer?
Will you have to carry out a Privacy Impact Assessment (PIA)
What sort of personal data do you process?
Do you have appropriate registration with Information Commissioners Office (if you are in the UK)?
Have you mapped out all of the processes where personal data is processed?
What is the basis for holding and processing personal data, e.g. informed consent or legitimate / lawful purpose

Subject access requests - all individuals will have a right to be supplied with details of data that you hold on them, in any format, within a specific period of time (1 month). You are required to

Breach policy - You will need to have an effective policy and procedure in place to identify and manage breaches. There is a statutory responsibility to report any breaches to anyone affected by a breach within 72 hours of the breach occurring.

Location of information - this one may be specific to the EU, but if you are processing personal data for EU citizens there are rules about where and how you are allowed to store data that must be complied with.

Contracts - employment, client and supplier contracts will need to be reviewed and updated to reflect the new requirements.

Consent and right to be forgotten - You will need the ability to delete all records of an individual if they ask you to this and it is allowable / appropriate to do so (this element only refers to consent circumstances and not to lawful / legitimate processing)

Data portability - Can you port information to another organisation where the user asks you to do this (this one will relate more to utility and B2C companies where the data processing is the primary activity).

There are other areas that are relevant as well that will need to be addressed and I am not suggesting for a second that all elements will apply to all organisations, but it hopefully gives you a flavour of where the differences lie.

I would suggest doing some research to ensure that you are compliant, as the penalties are potentially onerous financially and some carry criminal sanctions as well as civil ones.

Happy hunting