Semper Sec Blog

Privacy Controls in ISO 27001 that do not Satisfy Privacy Requirements

Written by Rob Carson | June 12, 2023

Privacy and data protection have become central concerns for any organization that handles personal data. The General Data Protection Regulation (GDPR) is an EU regulation that protects the personal data of individuals in the EU (data subjects, not only EU citizens) by governing how organizations collect, process, store, and share that data. ISO 27001, by contrast, is an information security management standard: it specifies how to build and run an Information Security Management System (ISMS) that protects the confidentiality, integrity, and availability of information. Although ISO 27001 includes a handful of controls that touch on personal data, they are nowhere near sufficient to meet GDPR's requirements. In this blog post, we will explore why.

Firstly, ISO 27001 focuses on information security, not privacy. Security is a necessary part of data protection (GDPR Article 32 requires "appropriate technical and organisational measures" to secure personal data), but it is only one part. GDPR also requires that personal data be collected, processed, and stored only for specified, explicit, and legitimate purposes (purpose limitation), that it be limited to what is necessary for those purposes (data minimisation), and that there be a lawful basis for every processing activity. ISO 27001 does not address any of these requirements; a fully conformant ISMS can protect data that should never have been collected in the first place.

Secondly, the privacy-related controls in ISO 27001 are not comprehensive enough to meet GDPR requirements. ISO 27001 includes controls that help protect personal data as an asset, such as access control, information classification, retention and secure deletion, and a single Annex A control on the privacy and protection of personally identifiable information. GDPR, however, requires a much broader programme: data protection impact assessments (DPIAs) for high-risk processing, privacy by design and by default, records of processing activities, contractual controls over processors, restrictions on international transfers, and notification of a personal data breach to the supervisory authority within 72 hours (and to affected individuals where the risk is high). ISO 27001 does require an incident management process, but it says nothing about who must be notified, within what deadline, or what the notification must contain. None of the other items above appear in the standard at all.

Thirdly, GDPR requires a lawful basis for every processing activity. Consent is one of six such bases (alongside contract, legal obligation, vital interests, public task, and legitimate interests), and where an organization relies on it, the consent must be freely given, specific, informed, and unambiguous, with explicit consent required for special categories of data. Individuals must be able to withdraw consent as easily as they gave it, and they have a set of rights over their data, including access, rectification, erasure, restriction, portability, and objection, that the organization must honour within one month. ISO 27001 provides no guidance on lawful bases, on obtaining or recording consent, or on fulfilling data subject requests.

Fourthly, GDPR requires certain organizations to appoint a Data Protection Officer (DPO): public authorities, and organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. Even where a DPO is not mandatory, GDPR still requires that someone be accountable for compliance, and that the organization be able to demonstrate it (the accountability principle). ISO 27001 requires management commitment and defined security roles, but it does not require a DPO or any privacy-specific accountability.

Finally, GDPR imposes heavy penalties for non-compliance, including administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, for the most serious infringements. ISO 27001 is a voluntary standard; the worst consequence of non-conformity is a failed audit and loss of certification. Holding a certificate is no defence against a regulator.

In conclusion, ISO 27001 is a solid foundation for the security side of GDPR compliance, but its few privacy-related controls do not satisfy the regulation's requirements for lawful basis, purpose limitation, data subject rights, DPIAs, privacy by design and default, breach notification, or accountability. Companies seeking to comply with GDPR should therefore not rely solely on an ISO 27001 certification. A practical next step is ISO 27701, the privacy extension to ISO 27001 that adds controller and processor requirements mapped to GDPR; but even that is a management framework, not proof of legal compliance, and organizations still need to implement and evidence the specific GDPR obligations that apply to them.