If someone says to you: ‘OK, we’ll get you GDPR compliant, we need to start you off with 27001‘ or they say ‘ISO 27001 is the standard for, or the certification for GDPR‘ or ‘it’s focused on GDPR‘, all of this is wrong.
We’ll set out why, we’ll destroy some myths, and we’ll highlight four Key Facts along the way.
And stay with us, as we’ll give you some stunning statistics on the adoption of ISO 27001 in the UK and the European Economic Area. You’re going to be very surprised!
You can also watch our free video ‘ISO 27001 is not GDPR’, which is part of Privacy Kitchen – FREE video help with GDPR and all things Privacy. If you’re new to Privacy Kitchen, please do check it out here – and click subscribe and notify to hear about awesome Privacy Kitchen videos.
First, we have to stress, we’re major fans of Security and anything that increases security – including ISO 27001, the international standard for information security.
But 27001 is not GDPR. It’s not the starting point for a GDPR program, and it’s not focused on GDPR. Let’s look at our first Key Point.
Our first Key Point: while there’s some overlap they’re focused on different things.
GDPR’s longer title clearly states it’s about:
It goes on to set out many rules that you’ll be familiar with, such as:
None of that is in 27001.
Now, the first sentence in 27001’s introduction confirms that it’s there to:
Brilliant! It’s absolute fantastic. But it’s not GDPR.
Together with 27002, it goes on to offer suitable controls to address security risks and create that system.
Again, let’s be very clear: Security is fundamental to Data Protection, particularly at this time when so many people are working from home.
But Security, as defined for 27001 and as generally used, looks at securing ‘Information Assets‘ to reduce the risk to the organisation. And not only does it cover personal data, it covers non-personal data, such as confidential information, intellectual property, etc. It’s far broader from a security envelope perspective.
Now, even when GDPR talks about Security, it’s not talking about information security in that way.
GDPR only talks about Security in terms of addressing the risk to individual data subjects from your processing of their personal data. It’s far narrower from a security envelope perspective. Think of it as Information Security for the purposes of Data Protection.
This brings us to our second Key Point.
Our second Key Point is that GDPR sets out seven principles and there’s no mention of Security in six of them.
You can see the principles in full in Article 5 of GDPR, so we’ll just set out the official summary names here:
Again, while Security is absolutely fundamental to Data Protection and it is one of GDPR’s seven principles, it is only one of seven principles, or just 14%. The other six principles don’t talk about Security.
You might argue that ‘accuracy’ implies protecting integrity and hence it’s Security, but that’s really covered in the Security Principle anyway, because it specifically mentions integrity.
Let’s return to Risk for our third Key Point.
This fundamental issue is the very different way that ISO 27001 and GDPR look at risk
Sorry to say – GDPR doesn’t care about the risks to your organisation. GDPR only cares about the risks to the individual data subjects, to be specific: to their fundamental rights and freedoms. It’s a real outlier to the normal enterprise risk programs.
ISO 27002, which goes with 27001, confirms that it’s the risk to the organization that’s the focus, comprised of, or derived from the risk to its Information Assets. You can see confirmation of this different approach everywhere, for example in documents on Security, Privacy and Risk from the European Agency for Cybersecurity (ENISA):
Now, buckle up as our fourth Key Point is a belter!
We checked and rechecked this data a number of times, because it’s so surprising. Those active in the Security and 27001 arena that we’ve talked to about it are also stunned.
In practice, GDPR applies to every organisation in the EEA – and there are millions out there. On EU figures, in 2017, there were roughly 2.5 million ‘active enterprises’ in the UK and about 28 million active enterprises in the UK plus the EEAA 30. GDPR applies to all 28 million active enterprises.
Now, the International Organisation for Standardisation, or ISO, which creates standards like ISO 27001, released a survey showing the number of valid certificates to organisations for various standards, including 27001 by country in each year.
In 2018, in the EEA and the UK combined, there were just 10,661 certificates for 27001 in issue to organisations. There were 28 million organisations or active enterprises, so that’s an adoption rate of just 0.04%.
You can see more in our deeper dive on these figures, but here are some more surprising stats based on those EU business population figures, and the ISO’s 2018 Survey:
We’ve relied on the ISO’s own figures and on the EU figures on business populations – and they may have a margin of error. However, on these figures, at 0.0X% adoption in the EEA, ISO 27001 just doesn’t seem statistically relevant to discussions of a law that applies to every organisation. It’s not speaking to 99.9%.
We feel quite badly about this, because we’re fans of 27001, and it has great lessons and best practices we can all learn from and emulate. But these figures are shocking.
So there you go!
If someone says you have to have ISO 27001 to be GDPR compliant – we’ve seen our four points here – that’s not true.
If someone says ISO 27001 is the standard for GDPR, that’s not correct either. (We’ll be doing another video on ISO 27701, which is an extension to 27001 that has GDPR in its sights. Of course, it’s an extension to 27001, and looking at the adoption of 27001, that doesn’t sound like it’s going to be statistically relevant either.)
And if someone says 27001 is a great starting point for GDPR, we respectfully disagree. The right starting point for GDPR, and you can see our ‘10 Steps to GDPR Compliance‘ video, is to do a personal data inventory. Find out where your personal data is, where it lives, how it passes through the data lifecycle in your organisation, who you share with etc. Then you can work out your gap analysis, you can move to remedy, and get into compliance.
Please do look at our other Privacy Kitchen videos, including ‘What is a breach for GDPR?‘. And please do get involved, use #privacykitchen to tell us the questions and topics and topics you want us to cover.
Stay well in the meantime and I’ll see you in Privacy Kitchen soon!