Does ISO 27001 Certification Give You Immunity From GDPR Fines?
I was actually chuckling to myself as I wrote that title because I know you were thinking [the equivalent of] one of the following as you clicked on the link:
- If you have not read the GDPR: “That would be awesome!”
- If you have read the GDPR: “Don’t be so bloody stupid.”
No, of course ISO 27001 certification won’t give you immunity from GDPR fines, even those related to data security breaches, which is the only thing 27001 actually covers. Data security (as opposed to data processing) is a single Article out of 99, and the fines related to data loss aren’t even the big ones (2%, not 4%).
That said, I believe there is a much greater chance of you being fined for lack of security than for any illegalities in your personal data processing.
It’s a matter of exposure.
If you accept, as I have argued incessantly, that fines will only be levied against those who are egregiously out of compliance, which of these two scenarios is the most likely?:
- Your data processing is so out of line that a bunch of people complain to a supervisory authority that their rights and freedoms have been infringed; or
- Your data security controls could not stop the most trivial of malware outbreaks, employee errors, or cyber attacks
So, assuming you’ve made at least some effort to:
- ‘legalise’ your personal data processing (with consent, contractual obligation, legitimate interest etc.);
- meet GDPR’s other basic principles (transparency, data minimization, purpose limitation etc.); and
- do business with integrity
…what are the chances that a supervisory authority will come at you with a view to fine you ‘20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover‘?
Slim to none.
However, should you lose data and, per Article 33, cannot guarantee that the loss is “unlikely to result in a risk to the rights and freedoms of natural persons“, you must [where feasible] inform the supervisory authority with 72 hours. They are going to investigate and…
…what are the chances that your security is in disarray? What are the chances that you have egregiously ignored the most basic security controls and could not demonstrate anywhere near appropriate “technical and organizational measures“? What are the chances they find your whole security program is egregiously unfit for purpose?
In my experience this is not just possible, it is likely, as most organizations I work with don’t even start out with adequate policies, let alone an appropriate risk management program.
This is where ISO 27001 can help. In their “Guide to the General Data Protection Regulation (GDPR),” the UK’s ICO points to the National Cyber Security Centre’s (NCSC) ‘Cyber Essentials Scheme‘, which is to security what first aid is to brain surgery in terms of its capability. Therefore, if the ICO consider the achievement of Cyber Essential certification is all the ICO need to minimize the egregiousness of your breach (which I am assuming is the case), imagine what ISO 27001 certification would do.
To be clear, if all you do is Cyber Essentials there is no way you’ll ever be doing enough to really defend yourself in a breach scenario, let alone your business. Even the NCSC themselves use phrases like “basic technical protection” and “mitigating the most common Internet-based threats to cybersecurity“, so all they are saying in effect is that it’s better than doing nothing. Which is, kinda like the PCI DSS, but equally flawed.
I am not, I repeat NOT suggesting that full ISO 27001 certification is right for every organization, nor am I suggesting that it’s the only ‘standard’ that can provide an appropriate framework for your security program. What I AM saying is that it’s by far the best known in the EU, and alignment with it is easier to achieve and demonstrate given the number of expert consultants available to help you.
And 27001, by its very nature, has two advantages over ‘controls-based’ standards:
- It is more concerned with continuous improvement than it is on current state; and because of that
- You can use the ISMS ‘framework’ as a template to help operationalize another process not concerned with data security (DPIAs for example)
In other words, what you do for security under 27001’s ‘management system’ can be done for other business processes like HR, Legal, even Sales. There is a true ROI to be had if it’s done properly.
But use whatever framework works best for you, just get started, because unless you are guilty of:
- making nuisance calls;
- exposing sensitive personal data via email;
- illegally collecting personal data; or
- failing to respond to DSARs
…you are more likely to be fined for losing personal data than processing it.
Organizations often focus entirely on getting to the legal basis for processing, getting data processing agreements in place, and/or minimizing the amount of data they collect and store. Far too few are running a project to fix their security program in parallel with them.
Don’t make that mistake.