The General Data Protection Regulation (GDPR), which takes effect on May 25, 2018 across the European Union, brings major changes to data privacy regulation. For businesses, the cost of non-compliance is high: administrative fines of up to 4 percent of annual global turnover or €20 million, whichever is greater. Three standards, available together as the ISO/IEC 27001 / ISO/IEC 27018 / BS 10012 - General Data Protection Regulation Package, set out voluntary consensus requirements and guidelines that can support an organization's work to meet the legislative requirements of the new regulation.
The GDPR applies to organizations established within the EU, but it also reaches organizations located outside the EU if they offer goods or services to, or monitor the behavior of, data subjects in the EU. The regulation replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy law across Europe, to protect and empower the data privacy of individuals in the EU, and to reshape the way organizations across the region approach data protection.
The standards ISO/IEC 27001, ISO/IEC 27018, and BS 10012 can help organizations build the controls and governance that the GDPR expects, as they cover information security management, protection of personally identifiable information, and personal data management. Note that conformance to, or certification against, these standards is not itself GDPR compliance: the regulation imposes legal obligations (lawful basis for processing, data subject rights, breach notification, and so on) that the standards help operationalize but do not replace, and an organization remains accountable to the supervisory authorities for meeting them.
ISO/IEC 27001:2013, Information technology - Security techniques - Information security management systems - Requirements, specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS) within the context of the organization. It also includes requirements for the assessment and treatment of information security risks, tailored to the needs of the organization. Its risk-based approach maps naturally to the GDPR's requirement for technical and organizational measures appropriate to the risk of the processing.
ISO/IEC 27018:2014, Information technology - Security techniques - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors, establishes commonly accepted control objectives, controls, and guidelines for implementing measures to protect PII in public cloud computing environments, in accordance with the privacy principles of ISO/IEC 29100. It is aimed specifically at cloud service providers acting as PII processors, which makes it relevant to the GDPR's controller/processor obligations.
BS 10012:2017, Data protection - Specification for a personal information management system, was written in recognition of the publication of the GDPR. Using the standard supports organizations in implementing a personal information management system (PIMS) as part of an appropriate information governance strategy.
Read more about how these standards can support GDPR compliance on the ANSI Blog: General Data Protection Regulation (GDPR) Package - ISO/IEC 27001 / ISO/IEC 27018 / BS 10012.