1 Introduction

The ubiquitous presence of information technology in people’s daily routine poses challenges for the protection of the information they share. Social media, fora, instant messaging, mobile applications and e-commerce are among the most popular technologies that rely heavily on personal data being collected and exchanged in order to provide their services. One of the most valuable types of data managed by companies is personal information, i.e. information that can be linked to a person. Personal data that people share online, exchanged on a broad scale, constitute one of the driving forces of modern enterprises [20]. The online activities of individuals produce data that are of value to enterprises that base their business models on such data to provide personalised services and targeted marketing. For this reason, the protection of personal data has become a major concern during the last decades, attracting the attention of politicians, developers, public and private organisations, legislators, authorities, as well as the general public. Personal data protection legislation has attempted to impose restrictions on the uncontrolled use of such data by governments, enterprises, etc. However, different national laws had substantially different characteristics [18], allowing organisations to take advantage of these blurred areas of legislation and proceed with the exploitation and processing of such data. Before May 2018, European Union (EU) Member States applied national privacy laws that implemented EU Directive 95/46 [1]; each Member State had its own national privacy law with which organisations had to comply. With the General Data Protection Regulation (hereafter, GDPR or Regulation) [2], the EU adopted a unified privacy law, aiming to protect and regulate the massive usage of personal data.
The GDPR aims at the regulation and management of personal data, imposing substantial fines on data controllers that do not comply.

Compliance with the GDPR is a challenging project for organisations for a series of reasons; the complexity of business activities and the duplication of data (across different information flows or even entire departments within an organisation) are the most important ones. In addition, even though organisations need to comply with the GDPR, they lack guidelines that could help them comply with its requirements. Products that can facilitate compliance with the GDPR are already being developed; however, none of the current technical solutions is able to capture the current personal data protection status of an organisation, identify the gaps, assess the criticality of the processing activities and the personal data they use, and provide concrete solutions tailored to each organisation in order to fortify its processes and guarantee the protection of individuals’ personal data [12].

We argue that the ISO 27k standard series can form a useful baseline on which businesses can build their “towards-compliance” strategy, as it deals with topics such as risk definition and assessment, continuous evaluation and appropriate documentation. ISO/IEC 27001:2013 [16] (hereafter, ISO 27001) and the GDPR both aim to strengthen data security and mitigate the risk of data breaches, and both require organisations to ensure the confidentiality, integrity and availability of data. Recital 83 of the GDPR states: “In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.” The information-risk-driven approach, which is also described in the GDPR, is a fundamental perspective of ISO 27001. ISO 27001 provides detailed best practices, while Article 24 of the GDPR specifies that adherence to approved codes of conduct and approved certification mechanisms may be used as an element for demonstrating compliance. There are several similarities, as both aim to cultivate a culture of protecting processes, assets and data and to shape the organisation’s philosophy in this direction. Therefore, we argue that for organisations that base their information security frameworks on ISO 27001, compliance with the GDPR requires limited effort (or at least less than would be required if no such certification existed), as many processes and controls should already be in place, as should the organisation’s attitude towards protecting processes, assets and data. In this direction, the authors in [7] have identified synergies by analysing the ISO 27001 standard and the GDPR, extracting the main concepts from both texts, and have proposed best practices for compliance.
The aim of this paper is to extend that work from the level of security management practices to the level of the security controls that ISO/IEC 27002:2013 [15] (hereafter, ISO 27002) provides, identifying the data protection actions needed to meet GDPR requirements.

The rest of the paper is structured as follows. Section 2 presents an overview of the acceptance of the GDPR by organisations one year after it became applicable. Section 3 provides insights into ISO 27001 certification and the ISO27k standards, explaining the potential benefits for organisations adopting a certification scheme. Section 4 analyses the ISMS framework of ISO 27001 and identifies synergies with GDPR compliance efforts. Insights into the corresponding controls of each module of the ISMS, described in detail in ISO 27002, are provided so that the reader can gauge the effort required to reach GDPR compliance. Section 5 focuses on the enhancement of the ISMS framework with personal data protection risk management. Finally, Sect. 6 concludes the paper with overall conclusions and issues for further research.

2 Background Information: Challenges in Personal Data Protection in the GDPR Era

Through the GDPR, EU regulators aim to enforce significant changes in the way that organisations process data subjects’ personal information. Even though these changes are expected to bring significant advantages for data subjects, it has become a significant challenge for organisations to make the considerable shifts in their information technology, culture, business processes, and generally the way they function. Some of these challenges have been documented by organisations, academic papers and European Commission reports, highlighting the particular aspects of the GDPR that appear troublesome.

Since the GDPR entered into force in May 2016, reports have been released revealing that organisations are not ready and that compliance will be a challenging issue. Gartner in 2017 [11] argues that organisations are unprepared and highlights the responsibility of organisations outside the EU. Similarly, the report by Ernst & Young in 2018 [9] states that only 33% of responding organisations had a plan to address GDPR compliance at the time the survey was conducted (between October and November 2017), and that 39% of respondents indicated that they were not at all familiar with the GDPR. This picture does not seem to have changed much after the GDPR became applicable in May 2018. A recent Thomson Reuters article [21] highlights that evidence shows organisations are still not fully aware of the GDPR’s potential impact and are not ready for GDPR compliance issues. In a survey [13] among privacy professionals published in 2019 by the International Association of Privacy Professionals (IAPP), fewer than half of respondents said they were fully compliant with the GDPR. Interestingly, nearly 20% of the participating privacy professionals argue that full GDPR compliance is truly impossible.

Among the reported challenges [6], it seems that organisations are struggling to satisfy the data subjects’ right to erasure (“right to be forgotten”) (GDPR, Article 17). This was cited by 53% of the survey respondents as the biggest challenge in achieving compliance with the GDPR. Data protection-by-design and -by-default (GDPR, Article 25) follows with 42% and “records of processing activities” (GDPR, Article 30) with 39%. A Data Protection Officer’s (DPO) account of the GDPR a year after it entered into force, published by IAPP [14], also highlights that managing and addressing data subjects’ requests was the biggest challenge.

3 ISO27001 Certification and the ISO27k Standards

ISO 27001, entitled “Information technology - Security techniques - Information security management systems - Requirements”, specifies the requirements for information security management, risk management and the selection of security measures within the context of an Information Security Management System (ISMS). It belongs to the ISO27k family of standards, other members of which provide further detail (e.g., ISO/IEC 27005 on information security risk management and ISO/IEC 27018 on the protection of personally identifiable information in public clouds), while other ISO and non-ISO standards and resources provide much more information and, in some cases, propose alternative or complementary approaches and controls. Specifically, ISO 27001 specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS within the context of the organisation’s overall business risks. The objective of the standard is to thoroughly describe an ISMS and to define the fundamental terms of information security that are referenced across the ISO27k family. The standard is addressed to organisations and businesses of any sector, size and activity.

ISO 27002, entitled “Information technology - Security techniques - Code of practice for information security controls”, provides a list of controls and good practices that can be used as guidance when selecting and implementing measures to achieve information security. Annex A of ISO 27001 is fully aligned with ISO 27002. Together they present the security modules, control objectives and controls that an ISMS shall cover at a minimum. The structure of security controls comprises 14 modules that expand into 35 control objectives and 114 security controls to achieve those objectives. The difference between the two standards lies in the level of detail at which they present the controls: ISO 27001 gives only a short statement of each control, while ISO 27002 explains each control in detail, providing good practices for its successful implementation.

The application of ISO 27001 supports organisations in creating better business efficiency, safeguards valuable assets such as personal data or hardware, protects staff and the organisation’s reputation, and simultaneously facilitates the attainment of compliance objectives. Organisations have always sought some sort of certification for one or more of their business activities. Regarding information security, 39,501 ISO 27001 certificates were issued to organisations worldwide in 2017. Given its wide recognition and acceptance, and in the absence of a GDPR compliance certification, ISO 27001 is a good candidate to be considered as the baseline upon which organisations can work in order to reach GDPR compliance. Furthermore, there is a lot of common ground between ISO 27001 and the GDPR, which further strengthens this argument.

4 From Information Security Controls to Personal Data Protection Controls

Juxtaposing ISO 27001 and the GDPR, we have identified that they are based on common ground. Despite their different perspectives, both ISO 27001 and the GDPR focus on minimising the risk that materialises when a data breach occurs. ISO 27001 focuses on reducing information security risks by requiring organisations to operate an ISMS that is continuously maintained and improved. The GDPR aims at preserving the privacy of individuals, granting them rights against organisations that process their personal data. The GDPR also promotes accountability, by placing clear data protection responsibilities on the organisations processing such data. This accountability rests on the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk (GDPR, Article 32).

Both the GDPR and ISO 27001 require that knowledge about data protection is communicated to the leadership and that awareness of protecting data through security measures is developed across the whole organisation [12]. The GDPR provides for numerous personal data protection settings and controls, many of which are also recommended in ISO/IEC 27001:2013, ISO/IEC 27002:2013 and other “ISO27k” standards. Organisations that already operate an ISMS are likely to satisfy many of the GDPR requirements, needing only a few adjustments. In this section we analyse the ISMS framework of ISO 27001 and identify synergies with GDPR compliance efforts. In the following subsections the fourteen control modules of Annex A of ISO 27001 are presented, focusing on the level of the proposed controls that can be implemented. At this level, we extend the information security controls to personal data protection controls, analysing and describing the additional actions that an organisation is required to implement, in relation to the aforementioned controls, towards GDPR compliance. Finally, we provide suggestions to organisations that are already certified against ISO 27001 on the further actions they have to take to also comply with the requirements of the GDPR. Each paragraph first describes the obligations that ISO 27001 and 27002 impose on organisations and then proposes the additional actions an organisation has to take towards GDPR compliance.

4.1 Enhancing Information Security Policies with Data Protection Policies

The first control module of ISO 27001 and ISO 27002 contains one control category, management direction for information security. Its objective is to provide management direction and support for information security in accordance with business requirements and relevant laws and regulations. The category comprises two controls: the first refers to policies for information security, while the second requires the review of those policies.

Actions Towards GDPR Compliance: The organisation should build on the information security policy it has already developed in order to establish a Data Protection Policy. The Data Protection Policy describes the set of rules that define how the organisation protects personal data, so that it complies with the GDPR and protects the privacy of the data subjects. The purpose of the Data Protection Policy is to provide strategic guidance to the organisation’s management and staff for the protection of personal data during processing. The Data Protection Policy applies to all operational processes that involve the processing of personal data. Moreover, it applies to all employees and associates of the organisation who are directly or indirectly involved in the processing of personal data. This policy should be distinct from the information security policy [17] and should describe the new processes that regulate how the organisation:

  • Manages consent

  • Fulfils data subjects’ rights

  • Makes transfers of personal data to third countries

  • Manages collaborating third parties - data processors

  • Manages transfer or disclosure of personal data

  • Responds to incidents that may lead to a personal data breach

  • Monitors and measures personal data processing activities and their supporting assets, to continuously ensure compliance with the Regulation

  • Manages personnel awareness and training of specialised personnel (in order to ensure that they have the knowledge and skills to apply the data protection policy)

  • Implements data protection-by-design and -by-default principles regarding information systems the organisation develops in-house or through procurement

Regarding the second control of this module, the Data Protection Policy, like the information security policy, is not static but should be kept as up to date as possible and adjusted in line with changes to information systems and to the technical and social environment. The Data Protection Policy should be reviewed periodically and this process should be documented. It should also be updated in the event of major changes to the organisation or its IT systems. The senior management of the organisation assigns responsibility for reviewing the Data Protection Policy to the Data Protection Officer.

4.2 Extending Organisation of Information Security with Personal Data Protection Structures and Roles

This control module includes two categories: (i) internal organisation, and (ii) mobile devices and teleworking. It aims at establishing a framework for administering the implementation and operation of security within the organisation, and at protecting information accessed, processed and/or stored at teleworking sites and on portable devices.

The category Internal Organisation consists of five controls. The first refers to information security roles and responsibilities, requiring that all information security responsibilities be defined and allocated. The second refers to segregation of duties, where conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorised or unintentional modification or misuse of the organisation’s assets. The third refers to contact with authorities, where appropriate contacts with relevant authorities should be maintained. The fourth refers to contact with special interest groups, where appropriate contacts with special interest groups or other specialist security forums and professional associations should be maintained. Finally, the fifth control refers to information security in project management, where information security should be addressed in project management, regardless of the type of project.

Actions Towards GDPR Compliance: The organisation is responsible for implementing an organisational framework that defines roles with responsibilities for the protection of personal data. The framework should include the role of the Data Protection Officer, where one is required. The Data Protection Officer should be designated by senior management, assigning this responsibility to a competent person who reports directly to senior management and receives no instructions on how to perform his/her tasks. Senior management needs to ensure that the Data Protection Officer is not dismissed or penalised for performing his/her tasks, and the organisational structure should reflect the distinct role of the Data Protection Officer. A Data Protection Officer must be appointed if any of the following applies: (i) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; (ii) the controller’s core activities require regular and systematic monitoring of data subjects on a large scale; or (iii) the controller’s core activities consist of large-scale processing of special categories of personal data (GDPR, Article 37). The organisation should assign to the Data Protection Officer the tasks described in the GDPR (Article 39).

Regarding contact with authorities, data controllers need to cooperate with the supervisory authority when a personal data breach occurs (GDPR, Article 33), notifying it without undue delay (and, where feasible, within 72 hours of becoming aware of the breach), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. When the data controller establishes that the breach is likely to pose a high risk to those rights and freedoms, it should also inform the data subjects of the breach (GDPR, Article 34), choosing the most appropriate means of communication (e.g., email, newsletter, press release, etc.) according to the number of affected natural persons and the severity of the breach.

Regarding contact with special interest groups, in order for a data controller to be able to guarantee the protection of the personal data it processes, it needs to conduct a Data Protection Impact Assessment (DPIA) when a type of processing is likely to result in a high risk to the rights and freedoms of natural persons (GDPR, Article 35). The data controller carries out a DPIA in particular in the case of (i) a systematic and extensive evaluation of personal aspects relating to natural persons based on automated processing, including profiling; (ii) large-scale processing of special categories of data; or (iii) systematic monitoring of a publicly accessible area on a large scale.

Finally, regarding information security in project management, organisations should adhere to a code of conduct (GDPR, Article 40). Codes of conduct can contribute to the proper application of the GDPR, taking account of the specific features of the various processing sectors and the specific needs of micro, small and medium-sized enterprises. They are drawn up by associations and other bodies that represent data controllers or data processors and are approved either by the supervisory authority of a Member State or by the European Data Protection Board. In the same direction, the GDPR encourages data controllers and processors to obtain certification under a certification mechanism (GDPR, Article 42). Such mechanisms may be established for the purpose of demonstrating the existence of appropriate safeguards provided by controllers or processors, and compliance with them is monitored either by the supervisory authority or by an accredited body that demonstrates independence and expertise.

4.3 Expanding Controls on Human Resources Security to Protect Personal Data Handled by Employees

The human resources security module consists of three subcategories: (i) prior to employment; (ii) during employment; and (iii) termination and change of employment. Prior to employment contains two controls, screening and terms and conditions of employment; during employment contains the controls on management responsibilities, information security awareness, education and training, and the disciplinary process; and under termination and change of employment the organisation should define the information security responsibilities that remain valid after termination or change of employment.

Actions Towards GDPR Compliance: Further actions should be taken regarding the personal data that an organisation’s employees process on its behalf. The organisation should take appropriate measures and controls in managing its employees, so that they protect the personal data of the natural persons whose data the organisation keeps (e.g., customers, suppliers) and that they process within the scope of their duties. Specifically, before employment, the organisation should take appropriate measures to ensure that candidates are fit to handle personal data, e.g., through a screening process and by informing them of the possible legal consequences of personal data misuse in the course of their work. During employment, the organisation should review the existing contracts of employees who have access to personal data and make sure that they include specific, legally binding confidentiality clauses. Finally, on termination or change of employment, the organisation should revoke the access rights to personal data that the corresponding employees had.

4.4 Enhancing Asset Management with Personal Data Management

The asset management module contains three categories: (i) responsibility for assets; (ii) information classification; and (iii) media handling. The objective of the first category is the identification of organisational assets and the definition of appropriate protection responsibilities. Regarding information classification, the organisation needs to ensure that information receives an appropriate level of protection in accordance with its importance. Regarding media handling, the organisation is responsible for preventing unauthorised disclosure, modification, removal or destruction of information stored on media; this includes securely disposing of media on which information is stored when it is no longer required.

Actions Towards GDPR Compliance: The aim of this clause is to develop and maintain appropriate safeguards for the protection of organisational assets. In this direction, the GDPR requires that data controllers and processors alike maintain records of their processing activities involving personal data and special categories of personal data (GDPR, Articles 5, 7, 9, 30). Taking into account that personal data and special categories of personal data are also valuable assets, the organisation, acting as a data controller, needs to record the categories of data subjects; the categories of data collected; the purposes and types of processing activities that have occurred or are likely to take place; the legal basis of the processing (this point is also related to the consent that the organisation may need to obtain from the data subject); the categories of recipients to whom the data are or will be disclosed; any transfer of data to non-EU countries, together with the appropriate safeguards that ensure an adequate level of protection; the retention period of the data; and the security measures the organisation applies. When an organisation acts as a data processor, the records of processing activities contain the contact details of the processor and of each controller on behalf of which the processor is acting and, where applicable, the contact details of the Data Protection Officer; the categories of processing carried out on behalf of each controller; any transfer of data to non-EU countries; and information on the technical and organisational security safeguards the organisation applies. The organisation shall keep these records of processing activities in documented form.

Additionally, organisations should develop appropriate procedures that allow provision of information to the data subject related to the aforementioned personal data they keep (GDPR, Articles 13, 14).

4.5 Implementing Data Protection-by-Design and -by-Default in Access Control

The access control module contains four categories: (i) business requirements of access control; (ii) user access management; (iii) user responsibilities; and (iv) system and application access control. All of these provide specific guidance on managing users’ access to information, preventing unauthorised access to systems and services, and making users accountable for safeguarding the organisation’s authentication information. Under user access management, organisations should have processes for registering and de-registering users, which enable access rights to be assigned; processes for authenticating users and for revoking access; and they should review and remove access rights when a collaboration is terminated. Under system and application access control, organisations should apply secure log-on procedures for authenticating users to information and application systems.

Actions Towards GDPR Compliance: Taking the above controls as a basis, the organisation should implement a process through which data subjects can correct, or request the correction of (GDPR, Article 16), the personal data the organisation holds about them, and erase, or request the erasure of (GDPR, Article 17), such data. Automated access, rectification and erasure should be established by the security team. Additionally, with respect to Recital 63, the organisation should be able to produce records of data subjects’ requests and of the timeliness of its responses. This functionality also allows the organisation to measure its performance in responding to data subjects’ requests, ensuring that the appropriate information is provided to data subjects on request and in a secure way.

Additionally, the organisation should develop their systems with respect to data protection-by-design and -by-default principles (GDPR, Article 25) in order to protect users’ privacy. This means that when designing the access control safeguards the organisation should not take into account only the security requirements (e.g., identification, accountability), but also take into account privacy requirements and principles (e.g., data minimisation).
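The following Python sketch is an added example, not code from the paper or from any product it cites. It shows what fulfilling a rectification or erasure request looks like when the same subject's data is duplicated across several stores (the duplication named in Sect. 1 as a main compliance obstacle), together with the request record whose timeliness Recital 63 expects the organisation to be able to demonstrate. The three in-memory dicts, the subject key "s-1001", the records themselves and the 30-day approximation of the one-month deadline of Article 12(3) are all assumptions made for the example. The post-erasure check scans every store for any record still carrying one of the subject's identifiers, which catches copies filed under a different key.

```python
"""Added example (not from the paper): rectification and erasure across
duplicated stores, with a per-request record of what was touched.

Assumptions: three in-memory dicts stand in for separate systems (CRM, billing,
analytics) that each hold a copy of the same subject's data; the key "s-1001"
and the sample records are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, Iterator, List, Optional, Tuple

Store = Dict[str, Dict[str, Any]]


def sample_stores() -> Dict[str, Store]:
    """Constructed data: one subject duplicated across three stores, plus a copy
    in the analytics store filed under an export key rather than the subject id."""
    return {
        "crm":       {"s-1001": {"email": "ada@example.org", "name": "Ada"}},
        "billing":   {"s-1001": {"email": "ada@example.org", "iban": "XX00 1234"}},
        "analytics": {"s-1001":   {"email": "ada@example.org", "segment": "A"},
                      "export-7": {"email": "ada@example.org", "segment": "A"}},
    }


@dataclass
class RequestRecord:
    """One data-subject request: what was asked, when it was received and
    completed, and every stored copy that was touched (the evidence an
    organisation needs to show how and when it responded, cf. Recital 63)."""
    request_id: str
    subject_id: str
    kind: str                               # "rectify" or "erase"
    received: datetime
    completed: Optional[datetime] = None
    touched: List[str] = field(default_factory=list)   # "<store>:<key>"

    @property
    def deadline(self) -> datetime:
        # GDPR Art. 12(3): one month; approximated as 30 days (assumption).
        return self.received + timedelta(days=30)

    def on_time(self) -> bool:
        return self.completed is not None and self.completed <= self.deadline


def locate(stores: Dict[str, Store], subject_id: str,
           identifiers: Dict[str, str]) -> Iterator[Tuple[str, str]]:
    """Yield (store, key) for every record belonging to the subject: records
    filed under the subject id, and copies filed under any other key that
    still carry one of the subject's identifying values (e.g. the e-mail)."""
    for store_name, store in stores.items():
        for key, record in store.items():
            if key == subject_id or any(record.get(f) == v
                                        for f, v in identifiers.items()):
                yield store_name, key


def rectify(stores: Dict[str, Store], rec: RequestRecord, changes: Dict[str, Any],
            identifiers: Dict[str, str], now: datetime) -> RequestRecord:
    """Apply corrections (Art. 16) to every copy. Only fields a store already
    holds are changed, so a correction never adds data to a store."""
    for store_name, key in list(locate(stores, rec.subject_id, identifiers)):
        record = stores[store_name][key]
        record.update({f: v for f, v in changes.items() if f in record})
        rec.touched.append(f"{store_name}:{key}")
    rec.completed = now
    return rec


def erase(stores: Dict[str, Store], rec: RequestRecord,
          identifiers: Dict[str, str], now: datetime) -> RequestRecord:
    """Delete every copy (Art. 17). The list() snapshot avoids mutating a dict
    while iterating over it."""
    for store_name, key in list(locate(stores, rec.subject_id, identifiers)):
        del stores[store_name][key]
        rec.touched.append(f"{store_name}:{key}")
    rec.completed = now
    return rec


def residual_copies(stores: Dict[str, Store], subject_id: str,
                    identifiers: Dict[str, str]) -> List[str]:
    """Post-erasure check: anything still linkable to the subject means the
    request was not honoured, whichever key the copy is stored under."""
    return sorted(f"{s}:{k}" for s, k in locate(stores, subject_id, identifiers))


if __name__ == "__main__":
    stores = sample_stores()
    now = datetime(2019, 6, 1, tzinfo=timezone.utc)
    rec = RequestRecord("r-1", "s-1001", "erase", now - timedelta(days=3))
    erase(stores, rec, {"email": "ada@example.org"}, now)
    print(rec.touched, rec.on_time())
    print(residual_copies(stores, "s-1001", {"email": "ada@example.org"}))
```

The point of `residual_copies` is that erasure is only verifiable if the organisation can enumerate every place a subject's data lives; a register of processing activities (Sect. 4.4) is what tells it which stores to include in `stores`.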

4.6 Employing Cryptography

The control module Cryptography contains one control, i.e. cryptographic controls, which aims at ensuring proper and effective use of the technological measure of cryptography in order to protect the confidentiality, authenticity and/or integrity of information.

Actions Towards GDPR Compliance: Encryption and pseudonymisation are the two technical measures that the GDPR explicitly names (GDPR, Article 32). Based on [8], encryption preserves privacy by keeping personal data confidential, so that unauthorised users cannot access it. Moreover, to satisfy the data subjects’ right to data portability (GDPR, Article 20), the organisation is encouraged to apply encryption when communicating the corresponding personal data to other organisations. Depending on the criticality of the data and on the risk to the organisation, encryption can be applied to protect equipment, databases, partitions or containers, standalone files, emails and communication channels [5].

We should note that anonymisation differs from pseudonymisation [19] in that it renders the data subject no longer identifiable; when anonymisation is applied to a data set, that data set is exempt from GDPR obligations (GDPR, Recital 26). Therefore, anonymisation is a method that can minimise the risk for an organisation once a requirement to store a data subject’s identity no longer exists (e.g., keeping data for statistical results). According to [5], an organisation should determine what has to be anonymised, based on the nature of the data and the risk it creates for the organisation. Next, organisations can either permanently anonymise the data, or choose the tools (e.g., partial deletion, encryption, hashing, indexing, etc.) that are closer to their requirements. A caveat applies here: techniques such as encryption, keyed hashing or index tables are reversible by whoever holds the key or the lookup table, so data processed with them remains pseudonymised personal data under Recital 26 rather than anonymised data, and the GDPR continues to apply to it.
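To make the distinction between pseudonymisation and anonymisation concrete, the following Python sketch is an added example, not code from the paper or from any tool it cites. It compares an unkeyed hash of an e-mail address, which a dictionary of candidate addresses reverses immediately, with an HMAC under a secret key, which only the key holder can re-link (the key being the “additional information” that Article 4(5) requires to be kept separately). It then anonymises the same records by generalisation and checks the result with a k-anonymity count. The four records, the demo key and the choice of quasi-identifiers are constructed for the example.

```python
"""Added example (not from the paper): pseudonymisation with and without a
secret key, and anonymisation by generalisation checked with k-anonymity.

Assumptions: the records below are constructed (no real people); in practice
the secret key would live in a key store, separate from the data set."""
import hashlib
import hmac
from collections import Counter
from typing import Callable, Dict, Iterable, List, Optional, Sequence

# Constructed sample data set.
RECORDS: List[Dict] = [
    {"email": "ada@example.org", "age": 34, "postcode": "10115", "diagnosis": "flu"},
    {"email": "bob@example.org", "age": 36, "postcode": "10117", "diagnosis": "flu"},
    {"email": "cy@example.org",  "age": 52, "postcode": "20095", "diagnosis": "asthma"},
    {"email": "dee@example.org", "age": 57, "postcode": "20099", "diagnosis": "asthma"},
]


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Anyone with a list of candidate e-mails can recompute
    the digests and match them, so low-entropy identifiers stay linkable."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key. The key is the 'additional information'
    of Art. 4(5): kept separately, it lets the controller re-link the data,
    while a party without it cannot reverse the token by guessing."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify_by_dictionary(token: str, candidates: Iterable[str],
                             pseudonymise: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: recompute the pseudonym for each guess and compare."""
    for candidate in candidates:
        if hmac.compare_digest(pseudonymise(candidate), token):
            return candidate
    return None


def pseudonymise_records(records: Sequence[Dict], key: bytes) -> List[Dict]:
    """Replace the direct identifier with a keyed token; everything else stays.
    The result is still personal data (Recital 26), because the key re-links it."""
    out = []
    for r in records:
        row = dict(r)
        row["subject_token"] = keyed_pseudonym(row.pop("email"), key)
        out.append(row)
    return out


def generalise(record: Dict) -> Dict:
    """Anonymisation by generalisation: drop the direct identifier and coarsen
    the quasi-identifiers (10-year age band, first two postcode digits)."""
    decade = (record["age"] // 10) * 10
    return {"age_band": f"{decade}-{decade + 9}",
            "postcode": record["postcode"][:2],
            "diagnosis": record["diagnosis"]}


def k_anonymity(rows: Sequence[Dict], quasi_identifiers: Sequence[str]) -> int:
    """Smallest group size over the quasi-identifier combination: k = 1 means
    some row is unique on those attributes and can be singled out."""
    counts = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(counts.values())


if __name__ == "__main__":
    key = b"\x01" * 32          # demo key only; use a random key from a key store
    guesses = [r["email"] for r in RECORDS]
    print(reidentify_by_dictionary(naive_pseudonym("ada@example.org"),
                                   guesses, naive_pseudonym))
    print(reidentify_by_dictionary(keyed_pseudonym("ada@example.org", key),
                                   guesses, lambda v: keyed_pseudonym(v, b"\x02" * 32)))
    print(k_anonymity(RECORDS, ("age", "postcode")),
          k_anonymity([generalise(r) for r in RECORDS], ("age_band", "postcode")))
```

The keyed token still re-links to the subject for anyone holding `key`, which is exactly why the pseudonymised rows stay within the GDPR's scope, whereas the generalised rows carry no identifier and, for a suitable k, no longer single anyone out.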

4.7 Enhancing Communications Security with Personal Data Protection Objectives

This control module contains two categories: network security management and information transfer. The objective is to ensure the protection of information in networks and their supporting information processing facilities, and to maintain the security of information transferred within the organisation and with any external entity. Information transferred to an external party, i.e. a customer, a supplier, a partner, etc., should be secured appropriately, subject to agreements addressing security and consistent with formal policies, procedures and appropriate controls.

Actions Towards GDPR Compliance: Taking the above controls as a basis, an organisation can further focus on the design and development of communication security, thereby protecting personal data exchanged with any party in its network that requests access to personal data (GDPR, Article 26). This extends to international transfers, where, before transferring the requested personal data, the organisation should ensure either that the third country, territory or specified sector within that third country is covered by an adequacy decision, or that appropriate safeguards ensuring an adequate level of protection are in place (GDPR, Chapter V).

Additionally, appropriate roles should be assigned to the employees who have access to personal data, accompanied by specific responsibilities. This promotes accountability and transparency, while it constitutes a basis for the accurate response of the organisation, either to any request received from a data subject regarding the processing of their data (GDPR, Articles 13–22), or to the supervisory authority, when a data breach occurs (GDPR, Articles 31, 33). In this way, the organisation is able to locate and securely retrieve the personal data it keeps.

4.8 Acquiring, Developing and Maintaining Systems Following Data Protection Principles

The control module of system acquisition, development and maintenance consists of three controls, (i) security requirements of IS, (ii) security in development and support process, and (iii) test data. This module refers to the development process of IS that an organisation has to follow. It is worth noting that this is the only control module in ISO 27001 and 27002 that covers requirements regarding software development. Organisations should be able to choose their working environment (framework, language, operating system, to name a few parameters) in relation to the criticality of the product they wish to develop.

Actions Towards GDPR Compliance: The requirements of these controls guide the organisation to design and develop their IS following security-by-design principles. With respect to Article 25 of the GDPR, organisations should also apply data protection-by-design principles [4]. The protection of personal data and users’ privacy can be improved and enhanced by designing information systems in a way that reduces the degree of privacy invasion. One of the measures that the Regulation proposes is data minimisation: organisations limit the data they collect to the minimum level demanded by their processing activities. To this area belong a series of methodological frameworks and tools that help analysts, designers and developers to develop ISs in which privacy is a built-in rather than an add-on feature. To this end, in order for privacy to be included as a concept in the software development cycle, it should be transformed into a technical requirement.

In addition, the organisation should estimate/assess the profit in relation to the cost (cost-benefit analysis) of managing a new system related to the lawful processing of data (GDPR, Article 6). This should also be covered in risk assessment and management in general, and taken into consideration when designing or upgrading systems and processes. This assessment may indicate, for example, that some residual risk of personal data processing may be accepted, or that this risk should be further mitigated by applying one or more security controls.

Also, the organisation should be able to identify and assess the special categories of personal data they process. Information risks could be avoided, where feasible, by assessing the usefulness of the personal and special categories of personal data they keep. Towards risk minimisation, the aggregation of such data is also accepted (GDPR, Articles 9, 11).

In addition, in order to satisfy the right of data subjects to know the outcome of requests related to the correction, completion, erasure or restriction of their personal data (GDPR, Article 19), the organisation should inform the requestor of the above, also ensuring that this process/application form is easy for insiders and outsiders of the organisation to follow.

4.9 Managing Supplier Relationships While Protecting Personal Data

The module Supplier Relationships aims to manage the relationship of the organisation with its suppliers, or any other third party that has access to the organisation’s assets, and to set up and agree on a level of information security and service delivery. It consists of two controls, (i) information security in supplier relationships, and (ii) supplier service delivery management.

Actions Towards GDPR Compliance: This control module sets the basis for the establishment of a security framework among an organisation and the external parties it collaborates with, ensuring the protection of the transferred information. GDPR sets specific requirements regarding the management of the relationship of the data controller with its processors. If an organisation uses one or more third parties to process personal information (“processors”), it must ensure they too are compliant with the GDPR (GDPR, Articles 27, 28). Towards this direction, data controllers should conduct continuous evaluation of their processors and suppliers, and use approved certification mechanisms in order to demonstrate that they ensure an adequate level of protection with respect to data protection-by-design and -by-default principles.

Moreover, organisations need to ensure the privacy and other information security aspects of their business partners. This might include aspects such as jointly investigating and resolving privacy incidents, breaches or access requests, to name a few. These requirements apply to any relationship the organisation has with external parties, such as ISPs and CSPs, and any other third party with which the organisation has exchanged (personal) data, for example external payroll or marketing companies.

Finally, when data is transferred outside the EU, the involved organisations should ensure the level of protection of the natural persons involved. Consequently, organisations located outside Europe that interact with European organisations must formally nominate privacy representatives inside Europe if they meet certain conditions (GDPR, Article 27).

4.10 Including Data Breach Notification in Incident Management

The control module Information Security Incident Management consists of one category which is realised through seven controls. The objective of this category is to ensure a consistent and effective approach to the management of information incidents.

Actions Towards GDPR Compliance: An organisation that has already established incident management procedures has allocated responsibilities to each employee, and has developed a policy that has been communicated to all involved parties (employees, external parties) presenting the actions that have to be taken in a potential security incident. To satisfy Article 33 of the GDPR, the organisation should implement a process enabling it to notify the supervisory authority. Specifically, when a potential data breach occurs, and provided there is a risk for natural persons, the organisation, when acting as a data controller, must inform the competent supervisory authority without delay and, if possible, no later than 72 hours from the time it occurred, and the data subjects (GDPR, Article 35), if required. The organisation, when acting as a data processor, should promptly notify the data controller of the violations. This notice must be “immediate” to help the data controller comply with the time commitments. If the organisation acts as a data processor and offers services to more than one data controller, it must report the incident, and details about it, to each of them. As the requirement for timely notification to the supervisory authority is very demanding, the organisation should implement procedures for timely notification (i.e. which types of information the organisation should provide (GDPR, Article 33, paragraph 3)) and for communication to data subjects, when necessary.

4.11 Enhancing Compliance to Satisfy Lawfulness of Processing

The module Compliance consists of two categories, (i) compliance with legal and contractual requirements, and (ii) information security reviews. This module aims to avoid any kind of breach of information security obligations and security requirements, and to ensure that information security is implemented and operated in accordance with the organisational policies and procedures.

Actions Towards GDPR Compliance: In order to comply with the GDPR, organisations should follow these six privacy principles (GDPR, Article 5):

  1. Lawfulness, fairness, and transparency: Regarding lawfulness, the processing shall fulfil the tests described in the GDPR. Fairness means that the processed data must match the description. Transparency is achieved by informing the data subject what data processing is to be done.

  2. Purpose limitations: Personal data can be acquired only for specified, explicit and legitimate purposes. This data may only be used for a specific purpose of processing of which the subject is made aware and no other, without acquiring further consent.

  3. Minimisation of data: Collected data on a data subject shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. Only the minimum amount of data is to be kept for the purposes of specific processing.

  4. Data accuracy: Data shall be accurate and where necessary kept up to date. Proper protection and measures against identity theft can be taken through baselining. Holders of data have to build processes for rectification into data management/archiving activities regarding the data subject.

  5. Limitations of storage: The data controller is expected to keep personal data in a form which permits identification of data subjects for no longer than necessary. Data that is no longer required should be deleted.

  6. Confidentiality and integrity of data: Data controllers and data processors are required to handle data in a manner ensuring appropriate security of the personal data, including protection against unlawful processing or accidental loss, destruction, or damage.

The organisation must ensure that the above six principles are followed regarding the processing of personal data. However, in order for a processing to be lawful, the organisation should have ensured that at least one of the following applies:

  1. The data subject has provided their consent regarding the processing of their personal data.

  2. Processing is necessary for the performance of a contract to which the data subject is party.

  3. Processing is necessary for compliance with a legal obligation of the data controller.

  4. Processing is necessary for the protection of vital interests of natural persons.

  5. Processing is necessary for the performance of a task related to the public interest.

  6. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In order to satisfy the above requirements, the organisation should follow a specific procedure for identifying the types of data processed (personal, special categories, convictions) and be able to prove that the way the data is processed complies with the applicable processing instructions for each type. Moreover, it should document the legal basis for the processing of the data. When consent is the legal basis for the transfer/storage of personal data, special attention should be given to ensuring that consent is provided by the data subject freely, is specific and clear, and that the data subject has already been informed about the processing purposes.

4.12 Modules that Support GDPR Compliance

The following three modules are also part of Annex A’ of the examined ISO standard; they have no direct application to the GDPR, but they can help an organisation develop a culture that will assist towards reaching GDPR compliance. These modules are included in our study for the sake of completeness.

Enhancing Physical and Environmental Security for GDPR Compliance: This control module concerns two controls: secure areas and equipment. The identification of secure areas can prevent unauthorised physical access, damage and interference to the organisation’s information and information processing facilities, while the safeguarding of the equipment of the organisation prevents loss, damage, theft or compromise of assets and interruption of organisation’s operation.

Actions Towards GDPR Compliance: This section applies to the general requirement of the GDPR to the organisations for implementing appropriate technical and organisational measures to ensure the level of security appropriate to the risk (GDPR, Articles 24, 25, 28, 32).

Enhancing Operations Security for GDPR Compliance: This control module contains seven controls: (i) operational procedures and responsibilities, (ii) protection from malware, (iii) back up, (iv) logging and monitoring, (v) control of operational software, (vi) technical vulnerability management, and (vii) information systems audit considerations. The objective of this section is to ensure correct and secure operations of information processing facilities, protection against malware and data loss, to record events and generate evidence, to ensure the integrity of operational systems, to prevent exploitation of technical vulnerabilities and to minimise the impact of audit activities on operational systems.

Actions Towards GDPR Compliance: Similarly to the previous section on “physical and environmental security”, an organisation is able to demonstrate that it has implemented the appropriate technical and organisational measures to safeguard the personal data it keeps. Additionally, the organisation should implement procedures related to the management of the satisfaction of the data subjects’ rights (GDPR, Articles 12–22) and for the process of obtaining the consent of the data subjects (GDPR, Article 7).

Extending Business Continuity Management to Support GDPR Compliance: This control module contains two controls: (i) information security continuity, and (ii) redundancies. The objective is the establishment of a business continuity and disaster recovery plan. The continuity of operations is intended to restore the operation of the organisation’s systems within a reasonable time. In addition, staff training is required in the continuity plan, while its efficiency must be tested and managed properly.

Actions Towards GDPR Compliance: As a general direction for the satisfaction of the GDPR, an organisation should implement appropriate technical and organisational measures to ensure the level of security appropriate to risk (GDPR, Articles 24, 25, 28, 32).

5 Enhancing the ISMS Framework with Personal Data Protection Risks Management

As it has already been mentioned in the introduction, one of the fundamental perspectives of ISO 27001 is the information-risk-driven approach, which has not been described as a control per se, but it is part of the ISMS framework. Specifically, according to the clause 6 of ISO 27001, the countermeasures applied by an organisation are not only those described in Annex A’, but also those that are the outcome of the security risk assessment that is conducted to establish and maintain information security risk criteria, and to identify the information security risks. After risk assessment and the evaluation of the aforementioned outcomes, the organisation is able to select the appropriate information security risk treatment options, based on both the Annex and results of the risk assessment.

Accordingly, in order for an organisation to be compliant with the GDPR, it may need to conduct a data protection impact assessment (GDPR, Article 35) to extend the implemented countermeasures in a way that can demonstrate the appropriateness of the measures taken for each processing activity. Specifically, an organisation may be required to carry out an assessment of the impact of its processing activities in order to protect personal data during its processing, as well as to protect computer or other supporting resources that support processing. To this end, a data protection impact assessment is a risk assessment related to the impact that business operations or technologies associated with the processing of personal data may have. According to Article 35 of the GDPR, a data protection impact assessment is conducted when particular types of processing are likely to result in a high risk to the rights and freedoms of natural persons. These types of processing are summarised in the following bullets:

  • When a systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing (including profiling), is carried out.

  • When processing of special categories of data on a large scale is conducted.

  • When systematic monitoring of a publicly accessible area on a large scale is conducted.

In order for an organisation to satisfy the requirement for data protection impact assessment, the core actions they have to follow are (i) to create a list of classified corporate information - including personal data, and (ii) to implement an appropriate methodology, and to establish policies and procedures for carrying out an impact assessment. In the literature there are quite a few risk analysis methodologies [3, 10, 23], however, Working Party 29 has released criteria for acceptable data protection impact assessment [22] that an organisation can follow, where they also suggest EU generic frameworks as well as sector-specific ones.

6 Conclusions

The new regulation for the protection of personal data, the GDPR, provisions numerous settings and controls focused on the management and the protection of such data. Many of these controls are also provisioned in ISO/IEC 27001:2013, ISO/IEC 27002:2013, and other “ISO27k” standards. Thus, organisations that have already developed an ISMS are likely to satisfy many of the GDPR requirements already, with only a few adjustments needed. Other organisations might decide to apply an ISMS as a general framework for the management of the personal data of the data subjects they process, in the context of: (i) the broader management of information risks; (ii) the security of the data they process, either in hard copy or in digital form, as well as the relevant compliance; (iii) incident management; and (iv) addressing business continuity issues. This work describes the additional actions that an organisation which already has an ISMS in place is required to implement in order to reach compliance with the GDPR. Specifically, the fourteen control modules of Annex A’ of ISO 27001 are presented, focusing on the lower level of analysis presented in ISO/IEC 27002 and providing extensions of the corresponding controls, in order to meet GDPR requirements, by focusing on data protection actions. That means that if organisations already have an ISO 27001 framework in place, compliance with GDPR requirements will not necessitate a duplication of the demanded effort. In addition, compliance with the GDPR is mandatory, whereas ISO 27001 certification is not. Organisations can start from ISO 27001 certification and reach GDPR compliance, or vice versa.

This work provides guidelines for practitioners of the domain of information security and protection of privacy, since it presents a roadmap on how to design a “towards GDPR compliance” project, contributing also to the awareness regarding the protection of personal data of an organisation.

Future work of this study includes the validation of the proposed guidelines towards GDPR compliance by a number of ISO 27001 certified organisations that have also reached GDPR compliance. The analysis of such feedback will further validate (or provide other perspectives on) the findings of this work. Moreover, data protection officers could also be involved in this process, providing their experiences regarding the effort demanded to reach GDPR compliance for an already ISO 27001 certified organisation.