GDPR & Information Security: Where They Overlap & Where They Don’t

In 2018 the EU implemented the General Data Protection Regulation, better known as the GDPR. This regulation affected not only the EU but every organization in the world that does business with European Union citizens or handles their data. Businesses of every size had to take action to protect their customers’ and employees’ data and avoid fines.

Within the IT field, protecting data was nothing new. Most companies are very familiar with handling (personal) data and know how to set up a system that identifies and prevents risks.
Despite this fact, many businesses have already received fines for GDPR infractions, including big multinationals such as British Airways, Google, and Vodafone. Turns out that being GDPR compliant isn’t as easy as they thought!

As you can see, even large corporations have made mistakes surrounding the regulations, despite having the resources to have a proper Information Security set-up. So why did these companies still face problems with the GDPR? Why does an Information Security Management System (ISMS) not cover the General Data Protection Regulation? This article will explain what an ISMS is, what the GDPR is, and how they do and do not overlap.

Information Security

Let’s start with the one that has been around the longest: Information Security. Information Security is a set of principles and best practices intended to keep data safe from being accessed by unauthorized people or systems. Simply put, it’s making sure that any data you store or transmit can’t be accessed by people who shouldn’t have access to it. Information Security is sometimes incorrectly referred to as cybersecurity, but the two are not the same, even though they are similar. Cybersecurity refers to the overall protection of your IT assets, while Information Security refers explicitly to the data on these devices. Clearly, there is already some overlap here, as anyone who can access your devices could probably also gather data while on them. But cybersecurity is only about these devices, and not about paper documents such as employee contracts or printed-out sales spreadsheets. Yes, that’s right: although Information Security is mainly associated with IT, physical data is just as much a part of a sound Information Security system.

Setting up a secure Information Security Management System is necessary for every business, big or small. After all, every company handles data in some form, whether it belongs to customers or employees. And, although there are many ways of setting up an ISMS, it helps to have a set of proven standards to follow. This is where the ISO standards come in, specifically ISO/IEC 27001. The ISO/IEC 27000 family of standards was created by the International Organization for Standardization, better known as ISO, together with the International Electrotechnical Commission, the IEC. Together, they aimed to create a set of standards for an Information Security Management System that can be applied to any organization.

The most well-known standard in the family is ISO/IEC 27001, which specifies the requirements for a successful ISMS. The ISO/IEC 27001 standard describes an environment in which an organization continuously monitors its information security and aims to eliminate potential threats.

But is this standard enough to be GDPR-compliant? The answer, simply put, is no.

General Data Protection Regulation

It’s highly improbable that you haven’t heard of the General Data Protection Regulation. It has come up in the news regularly over the last few years. The regulation’s entry into force led to a significant change in the way companies handle data and to months of hard work for those that had to make their business compliant. But what exactly is it?

The GDPR consists of 99 articles that, in combination, create one data protection law that protects the data of all citizens of the European Union, both within the EU and outside of it. That means that it’s not just a European law, as any business that deals with European citizens must follow the regulation.

The GDPR handles different aspects of privacy that go beyond just keeping the data out of other people’s hands. It specifies the amount of data that companies are allowed to collect and the amount that they are allowed to send to third parties. It also protects the rights of people to have their data removed. The regulation also specifies which process organizations are obliged to follow when a data leak occurs, such as notifying the supervisory authority within 72 hours and notifying the affected people.

Several clauses in the GDPR are not related to security, but to the rights of the people whose data is processed. And that is where the GDPR differs from Information Security. Although you’re expected to keep the data that you collect safe, there is much more to being GDPR compliant than just a ‘good’ security system:

GDPR isn’t primarily a security issue, nor is it all about IT – it’s a business problem that relies on cross-departmental collaboration from all stakeholders to be successful. – Thomas Fischer, global security advocate at Digital Guardian (GDPR Compliance: the Impact on Infosec in 2018 and Beyond).

To make your GDPR strategy work, you’ll need every department in your business to be aware of the regulations, at least at a basic level.

Correlation between GDPR & Information Security

Despite the differences between the GDPR and Information Security, there are parts where they overlap. Under the GDPR, you are expected to handle the personal data you collect with care and protect it from unauthorized access. This is the part where Information Security comes in. A good ISMS will ensure that any data you collect is stored and handled securely, as the regulation requires.

However, this only takes care of the data once it is collected. It does not cover the actual collecting of the data and the rights people have regarding any data you have collected. In this respect, the GDPR expands on Information Security, which is why just having an ISMS is not enough.

To be GDPR compliant, you need to understand the entire process, from the moment you ask customers to submit specific data (or gather this data in other ways) to the moment you start using it. Organizations need to understand what they are and are not allowed to store, as well as what they can and cannot do with the stored data.

All of this does not mean that Information Security is not important. In fact, it’s precisely the opposite: Article 32, ‘Insufficient technical and organizational measures to ensure information security’, is the second most violated article of the GDPR, according to the GDPR Enforcement Tracker. When you look at the sum of fines per article, it even ranks as number one, with € 335,159,507 paid by organizations that did not meet the requirements. On average, a violation of this part of the regulation results in a fine of approximately 4.3 million euros. It should be noted, however, that this amount mainly consists of two penalties: one for British Airways and one for Marriott International. But it does illustrate the importance of having a proper information security system.

In other words, having an appropriate Information Security Management System is essential to being GDPR compliant, but it’s not all that is required. At the same time, you can’t just invest in a GDPR strategy and neglect Information Security. In the end, the GDPR requires you to show authorities, through documentation, that you follow the regulations, but it doesn’t teach you how to understand security at a deeper level:

Don’t mistake good compliance as a security blanket. Compliance involves documenting how you adhere to the regulations. Security is all about understanding how to identify and close the gaps that could compromise your data. – Larry Biagani (Forbes – Don’t Confuse GDPR Compliance with Security)

Therefore, it is strongly recommended that organizations educate themselves in both of these areas, to ensure optimal privacy and data protection and to shield their businesses from steep fines for GDPR infringements.

EXIN & Certifications

To help professionals and businesses in creating this understanding, EXIN has two certification programs:

EXIN Information Security Management based on ISO 27001, which helps professionals set up an Information Security Management System following the ISO standard.

EXIN Privacy & Data Protection, which teaches a professional everything about GDPR and how to be compliant.

Each program features certifications at different levels, ranging from creating a basic understanding to expert-level certifications that prepare a professional for taking a leading role in their respective field.

Three of these certifications combined create the EXIN Data Protection Officer Career Path, which provides all the knowledge and practical experience needed to become a Data Protection Officer. This career path is ideal for professionals who want to take on the DPO role in their organization and for those who work in an area where extensive knowledge of privacy and security is necessary.