News & Blog

Since the introduction of GDPR, there has been a plethora of companies calling themselves GDPR compliant. Many are predisposed to this idea because of the perception that by adhering to ISO 27001 or another Personal Information Management System standard, or by changing certain web forms on their websites, they comply with GDPR. It’s time to take a reality check.

The GDPR Compliance Myth

What is GDPR?

GDPR is the General Data Protection Regulation, also referred to as Regulation (EU) 2016/679. It was created by the European Parliament and Council to strengthen and unify data privacy for EU individuals and to regulate the international transfer of their data. IT IS A LAW. IT IS NOT A STANDARD WHICH CAN BE COMPLIED WITH BY ADHERENCE TO AN ISO STANDARD IN ISOLATION.

What is the question / statement?

“Am I fully compliant with GDPR if I am already certified to ISO 27001?”

This is a myth. As of today there is no certification approved for GDPR compliance, let alone accredited certification bodies who can provide it. There are no GDPR certifications available from anyone for anything. The ICO, in the UK, has released nothing on certification or accreditation, not even guidance, and nor has the European Data Protection Board, the EDPB (earlier known as the Article 29 Working Party). GDPR is compliance with EU law, and as of today there is no certification which can prove to any supervisory authority that companies processing personal information of EU citizens are GDPR compliant.

Another organization styles itself as a “best practice framework for a personal information management system” and states on its website that it is aligned to the principles of the EU GDPR. It outlines the core requirements organizations need to consider when collecting, storing, processing, retaining or disposing of personal records related to individuals. It does not talk of the law. Organizations believe that by complying with this standard they are GDPR compliant. This is factually incorrect, as the standard itself only states that it is “aligned to the principles of GDPR”.

What is required

To comply with GDPR, merely changing the privacy policy, working on “Consent” or “Legitimate interest”, or signing a data protection addendum is not enough. One needs to work on each article of GDPR and ensure that sufficient demonstrable evidence exists. Organizational and IT controls need to be in place, as those will be part of the audit program for GDPR compliance. Any certification program currently available is for individuals, and the content of such courses is geared more towards establishing “Data Privacy” as a culture.

The current situation

GDPR is being looked at by two separate sets of people, usually in isolation: by technology people, who see it only through the prism of standards, controls and technology, and by the legal fraternity, who usually look at it through the prism of individual rights. The business community needs to strike a fine balance between the two.

The following example gives a perspective:

There is no certification for law; only actionable compliance can prove that you are compliant. You can hold a driving license which proves you can drive, but you are compliant with traffic law only when you drive carefully, and if an accident happens your driving license will not save you from the consequences.

Legal Entity : GO4KNOWLEDGE DIGITAL PRIVATE LIMITED
CIN: U80904HR2019PTC081680