Last updated on November 26, 2018
The EU adopted a newly harmonized data protection law called the General Data Protection Regulation (GDPR) during May 2016. As of May 25, 2018, the GDPR will be a directly applicable law in all member states within the EU and the European Economic Area (EEA). While the GDPR does not introduce many substantially new concepts, it increases the compliance requirements of data controllers and personal data processors. The GDPR encourages the use of certification schemes like ISO 27001 to serve the purpose of demonstrating that the organization is actively managing its data security in line with international best practice.
What’s the difference between GDPR and the Data Protection Act?
There are considerable differences between the Data Protection Act and the GDPR. The GDPR is explicitly risk based, the risk being to the fundamental rights of a person with regard to the processing of personal data; data controllers and processors must manage that risk. In contrast, the Data Protection Act only implies management of risk. The core difference between the two is that the Data Protection Act applies only to the UK, while the GDPR applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens. The Data Protection Act is enforced by the Information Commissioner’s Office (ICO), while GDPR compliance will be monitored by a Supervisory Authority in the UK, with each European country having its own Supervisory Authority.
Non-compliance with the Data Protection Act can result in fines of up to £500,000 or 1% of annual turnover. Under the GDPR, the potential penalties for non-compliance are much more severe, with fines of up to €20 million or 4% of the business’s annual global turnover. Under the GDPR, a Data Protection Officer is mandatory for any business or organization with more than 250 employees, whereas under the current Data Protection Act there is no need for any business to have a dedicated Data Protection Officer. Under the GDPR, any data breach must be reported to the Supervisory Authority within 72 hours of the incident, while under the Data Protection Act businesses are under no obligation to report data breaches, though they are encouraged to do so.
Protection Impact Assessments (PIAs) are not a legal requirement under the Data Protection Act, but under the GDPR PIAs will be mandatory and must be carried out when there is a high risk to the freedom of the individual. Under the current Data Protection Act, data collection does not necessarily require an opt-in.
The need for consent underpins the GDPR. Individuals must opt in whenever data is collected, and there must be clear privacy notices. Those notices must be concise and transparent, and it must be possible to withdraw consent at any time.
| DATA PROTECTION ACT (DPA) | GENERAL DATA PROTECTION REGULATION (GDPR) |
|---|---|
| Applies only to the UK | Applies to the whole of the EU and, crucially, also to any global company which holds data on EU citizens |
| Non-compliance can result in fines of up to £500,000 or 1% of annual turnover | Non-compliance is much more severe, with fines of up to €20 million or 4% of annual global turnover |
| A dedicated Data Protection Officer is not mandatory | A Data Protection Officer is mandatory for any business or organization with more than 250 employees |
| No obligation to report data breaches, though businesses are encouraged to do so | Any data breach must be reported to the Supervisory Authority within 72 hours of the incident |
| Enforced by the Information Commissioner’s Office (ICO) | Monitored by a Supervisory Authority in the UK, with each European country having its own Supervisory Authority |
| Protection Impact Assessments (PIAs) are not a legal requirement | PIAs will be mandatory and must be carried out when there is a high risk to the freedom of the individual |
How are EU GDPR, ISO 27001 and 27018 related?
According to the GDPR, personal data is critical information that all organizations need to protect. However, some GDPR requirements are not directly covered by ISO 27001, such as supporting the rights of data subjects: the right to be informed, the right to have their data deleted, and the right to data portability. If an organization stores or processes personal data in the cloud, it can also use ISO 27018 to cover many GDPR requirements. Therefore, if the implementation of ISO 27001 identifies personal data as an information security asset, and those who store or process personal data in the cloud follow the ISO 27018 recommendations, most of the GDPR requirements will be covered.
The ISO 27000 series of standards provides the means to ensure this protection. There are many points where the ISO 27001 and ISO 27018 standards can help achieve compliance with this regulation. Listed below are a few of the most relevant ones:
In a nutshell, the GDPR mostly deals with personal data collection, while ISO 27001 helps ensure that this collection of confidential data is secure. The GDPR also expands on the Data Protection Act: it is focused on looking after the privacy and rights of the individual, and is based on the premise that consumers and data subjects should know what data is held about them, how it is held, and other core information that the Data Protection Act did not demand.
Hitesh Sarda, Vice President – Banking and Financial Services, YASH Technologies