Any Standard is Better Than None: GDPR and the ISO Standards
Slide 1
GDPR and the ISO standards
Frans van Gessel
Coordinator Information Security and Privacy, MinEZK
Any standard is better than none
Slide 2
Meeting you, meeting me
Frans van Gessel
I am working for the Department of Economic Affairs in The Hague, now becoming two departments:
Ministry of Economic Affairs and Climate
Ministry of Agriculture, Nature and Food Quality
Responsible for first phase GDPR implementation
PECB partner, trainer and auditor
Duijnborgh auditor ISO 27001 and NEN 7510
Slide 4
Introduction
Complaining
So we have had the GDPR since 2016
It is not a standard, it is a law
Fat fines for non-compliance
Auditors' nightmare
Comply or explain now becomes Complain
Slide 5
The flaws of GDPR
More complaining
Political product disguised as a regulation
Not concrete enough for compliance and auditing
Too vague to translate into goals
No management commitment, the buck stops at the Controller
No dynamics, it’s flat
No PDCA, so risk of ticking the box
Slide 6
The GDPR and Self Regulation
GDPR:40
Codes of Conduct per category of Controllers, may be prepared by associations, to be approved by a DPA or the EDPB.
As of now, none is published on the EDPB site
Slide 7
The GDPR and Certification
GDPR:42, 43
Data Protection Seals & Marks
European Data Protection Seal
Voluntary certification, encouraged by Member States
ISO 17065 as the auditors' guidance, not 17021/19011
So GDPR is considered to be a set of products and services
Slide 8
GDPR Data Protection by Design
GDPR:25
Still: “appropriate technical and organisational measures”
Such as pseudonymisation and data minimisation
A certification mechanism demonstrates compliance
Slide 9
The flaws of ISO 17065
Products and services standard
Conformity assessment
Not too many auditors
Slide 10
GDPR as products and services
Diagram (GDPR elements shown as products and services): Supervisory Authority; Data Protection Officer; Privacy Impact Assessment; Binding Corporate Rules; PbD2 (Privacy by Design and by Default); Records of processing; Controller; Processor; ISO 27001 ISMS; Data breach notification
Slide 11
How to use ISO standards when implementing the GDPR
The Privacy Framework: ISO 29100
PECB Whitepaper on implementing a privacy network
Slide 12
ISO standards and the GDPR
Privacy Framework: ISO 29100:2011
Principles:
Slide 17
ISO standards and the GDPR
Privacy Framework: ISO 29101:2013
Three Layers:
Each layer is a logical group of components that contribute to a specific goal in the processing of PII
1. Privacy Settings Layer
2. Identity and Access Management layer
3. PII processing layer
Slide 19
ISO standards and the GDPR
Privacy Framework: ISO 29101:2013
Privacy Settings Layer:
Communicate the system privacy policy and privacy preferences to the relevant actors:
• Identities of Controller and Processor
• Purpose of the collection
• Legal rights of the data subject/PII principal
• Identification of the PII
• Policies about transfer
• PET (privacy-enhancing technology) use
Slide 21
ISO standards and the GDPR
Privacy Framework: ISO 29101:2013
Identity and Access Management layer:
To identify the actors and their ICT systems and manage the related identity information; how they access the PII:
• Manage the identities of the stakeholders
• Manage identities of actors
• Deliver info to other components
• Manage mappings in case of pseudonymization
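One way to model "manage mappings in case of pseudonymization" from the IAM layer above, together with the pseudonymisation measure of GDPR:25, as an added example (not code from the slides or from ISO 29101): the secret key and the pseudonym-to-identity table live in one IAM-layer component, the PII processing layer only ever handles pseudonyms, and reversal is gated on a duty name; the duty name, role names and sample records are constructed.

```python
"""Pseudonymisation with the mapping managed apart from PII processing, as the
ISO 29101 IAM layer above describes. Added example; duty names and records are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class IdentityMappingService:
    """IAM-layer component: holds the key and the pseudonym-to-identity table."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key = key or secrets.token_bytes(32)  # never given to the processing layer
        self._reverse: Dict[str, str] = {}

    def pseudonymise(self, identifier: str) -> str:
        # Keyed hash: same identifier, same pseudonym under this key, so records join;
        # an unkeyed hash of a guessable identifier would be trivially reversible.
        tag = hmac.new(self._key, identifier.encode(), hashlib.sha256).hexdigest()[:16]
        self._reverse[tag] = identifier
        return tag

    def reidentify(self, pseudonym: str, duty: str) -> str:
        # Reversal is an authorised act, limited to the duty answering PII-principal
        # requests (constructed duty name); Recital 75 lists unauthorised reversal as a harm.
        if duty != "pii:principal-requests":
            raise PermissionError("reversal of pseudonymisation not authorised")
        return self._reverse[pseudonym]


def process_records(records: List[dict], iam: IdentityMappingService) -> List[dict]:
    """PII processing layer: passes on the pseudonym and only the data the purpose needs."""
    return [{"subject": iam.pseudonymise(r["email"]), "order_total": r["order_total"]}
            for r in records]


def totals_per_subject(processed: List[dict]) -> Dict[str, int]:
    """Processing on pseudonyms alone: aggregate spend per subject."""
    totals: Dict[str, int] = {}
    for rec in processed:
        totals[rec["subject"]] = totals.get(rec["subject"], 0) + rec["order_total"]
    return totals


# Constructed sample input; after process_records the email is gone from the data.
SAMPLE = [
    {"email": "a.example@example.org", "order_total": 120},
    {"email": "b.example@example.org", "order_total": 75},
    {"email": "a.example@example.org", "order_total": 30},
]
```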
Slide 23
ISO standards and the GDPR
Privacy Framework: ISO 29101:2013
PII processing layer:
To identify the actors and their ICT systems and manage the related
identity information; how they access the PII:
• PII collection and transfer
• PII processing and presentation
• Storing and archiving
• Auditing, logging and monitoring
Slide 26
ISO standards and the GDPR
Privacy Framework: ISO 29151:2017
Code of practice for PII protection
An extension of the ISO 27002 guidelines, in the same format
Slide 27
ISO standards and the GDPR
Privacy Framework: ISO 29151:2017
6 Organization of information security
6.1 Internal organization
6.1.1 Introduction
The objective specified in 6.1 of ISO/IEC 27002 applies.
6.1.2 Information security roles and responsibilities
Control 6.1.1 and the associated implementation guidance and other
information specified in ISO/IEC 27002 apply. The following additional guidance
also applies.
Implementation guidance for the protection of PII
Roles and responsibilities for the protection of PII need to be clearly defined,
properly documented and appropriately communicated. Specifically:
Slide 28
ISO standards and the GDPR
Privacy Framework: ISO 29151:2017
Implementation guidance for the protection of PII
Duties and area of responsibilities for PII protection should be independent of those for information
security. While recognizing the importance of information security for the protection of PII, it is
important that duties and area of responsibilities of the security and PII protection be as independent
of each other as possible. If necessary or helpful, in the interest of PII protection, coordination and
cooperation of those responsible for information security and for PII protection should be facilitated.
Organizations should adopt the principle of segregation of duties when assigning access rights for PII
processing, especially any processing identified as high risk.
Access to PII being processed and access to log files concerning that processing should be separate
duties.
Access to information concerning the collection of PII in order to respond to requests from PII
principals should be segregated from all other forms of access to PII. Access should be limited to
those whose duties include responding to PII principal requests.
The content of ISO 29151 can be added to the ISMS controls database
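The segregation-of-duties guidance quoted above can be checked mechanically against a role model; the following is an added example (not code from the slides or from ISO 29151) that flags any person whose combined roles grant two of the three duties the guidance keeps apart. Role and person names are constructed.

```python
"""Segregation-of-duties check for PII access, following the ISO 29151
guidance quoted above. Added example; role and person names are constructed."""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# The three duties the guidance wants kept apart.
PII_PROCESS = "pii:process"  # access to PII being processed
PII_LOGS = "pii:logs"  # access to log files about that processing
PII_REQUESTS = "pii:principal-requests"  # answering PII-principal requests

# Any two of the three on one person is a conflict: PII vs. logs, and request
# handling vs. every other form of PII access.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset(p) for p in combinations([PII_PROCESS, PII_LOGS, PII_REQUESTS], 2)
}

# Constructed role model: each role grants a set of duties.
ROLE_DUTIES: Dict[str, Set[str]] = {
    "hr-clerk": {PII_PROCESS},
    "privacy-auditor": {PII_LOGS},
    "dsar-desk": {PII_REQUESTS},
}


def effective_duties(roles: Set[str], role_duties: Dict[str, Set[str]]) -> Set[str]:
    """Union of the duties granted by every role a person holds."""
    duties: Set[str] = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(assignments: Dict[str, Set[str]],
                   role_duties: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """(person, duty_a, duty_b) for every conflicting duty pair one person holds."""
    found = []
    for person, roles in sorted(assignments.items()):
        duties = effective_duties(roles, role_duties)
        for a, b in combinations(sorted(duties), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((person, a, b))
    return found


# Constructed assignments: carol and dave each combine two duties and get flagged.
ASSIGNMENTS = {
    "alice": {"hr-clerk"},
    "bob": {"privacy-auditor"},
    "carol": {"hr-clerk", "privacy-auditor"},
    "dave": {"dsar-desk", "hr-clerk"},
}
```

Run the check whenever role assignments change (joiners, movers, leavers) so that a conflict is caught before access is granted rather than at the next audit.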
Slide 29
ISO standards and the GDPR
Incident handling: ISO 27035:2016 Principles
Data breach notification
Slide 31
ISO standards and the GDPR
ISO 29134:2017 PIA
Privacy Impact Assessment
The criteria for performing a PIA differ from those of the GDPR.
In the GDPR, the risk to the rights and freedoms of data subjects is central to the performance of the PIA.
CNIL.FR PIA method (PIAF) and software
Commission Nationale de l’Informatique et des Libertés
Slide 32
ISO standards and the GDPR
ISO 29134:2017 PIA
Privacy Impact Assessment
When: Recital 75
The risk to the rights and freedoms of natural persons, of varying likelihood and
severity, may result from personal data processing which could lead to physical,
material or non-material damage, in particular: where the processing may give rise
to discrimination, identity theft or fraud, financial loss, damage to the reputation,
loss of confidentiality of personal data protected by professional secrecy,
unauthorized reversal of pseudonymization, or any other significant economic or
social disadvantage; where data subjects might be deprived of their rights and
freedoms or prevented from exercising control over their personal data; where
personal data are processed which reveal racial or ethnic origin, political opinions,
religion or philosophical beliefs, trade union membership, and the processing of
genetic data, data concerning health or data concerning sex life or criminal
convictions and offences or related security measures; where personal aspects
are evaluated, in particular analyzing or predicting aspects concerning
performance at work, economic situation, health, personal preferences or
interests, reliability or behavior, location or movements, in order to create or use
personal profiles; where personal data of vulnerable natural persons, in particular
of children, are processed; or where processing involves a large amount of
personal data and affects a large number of data subjects.
Slide 33
ISO standards and the GDPR
ISO 29134:2017 PIA
Privacy Impact Assessment
Slide 34
ISO standards and the GDPR
Other ISO’s
ISO 27018 Outsourcing personal data to the cloud
ISO 31000 Integrated Risk Management
ISO 27005 Risk Management for Information Security
Slide 36
Data Protection Officer
ISO 29151 Chief Privacy Officer
Working Group 29 elaborations
Stronger definition in GDPR
Slide 37
Privacy by Design and by Default
Implementation in the non-functional requirements area of system design and system development
For newly designed systems
Planning for legacy systems: through change management
Slide 38
Certification
EDPB Seal or PECB certification
How do we serve companies that operate in different locations within the EU?
Using ISO 17065 to develop a scheme in a "products and services" fashion that describes the GDPR
PECB can own the scheme and train the auditors.
There is no need for local accreditation