GDPR is not limited to IT, as it covers any processing of personal data in an organisation. ISO 27001 compliance can be a good starting point, but is not enough for GDPR compliance.Read less