ZenGRC

GDPR

Navigating the Future of AI Governance: A Guide to NIST AI RMF, ISO/IEC 42001, and the EU AI Act

ZenGRC Team · September 21, 2024 ·


In the rapidly evolving landscape of Artificial Intelligence (AI), Governance, Risk, and Compliance (GRC) professionals must navigate the increasingly complex challenges of trustworthy development, deployment, and monitoring of AI systems. 

The recently released NIST Artificial Intelligence Risk Management Framework (NIST AI 100-1), ISO/IEC 42001, and the upcoming European Union Artificial Intelligence Act are pivotal guidelines for organizations to better govern AI usage. 

This blog delves into the similarities and differences of these frameworks, offering essential insights for alignment and outlining how ZenGRC can facilitate a robust, continuous AI governance monitoring program.

Understanding the Frameworks

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF) is designed to provide organizations with a structured approach to managing risks associated with AI technologies. It emphasizes flexibility, allowing organizations to tailor their risk management practices to their specific needs while assuring that AI systems are developed and deployed responsibly, ethically, and in a trustworthy manner.

The framework itself is published by the National Institute of Standards and Technology (NIST), which has decades of experience developing standards for all manner of technology. Any organization of any industry or size can study the AI RMF and extract valuable lessons.

What is ISO/IEC 42001?

ISO 42001 is a standard from the International Organization for Standardization (ISO). It provides guidelines for establishing, implementing, maintaining, and improving an AI management system. 42001 focuses on assuring that AI systems are used in a way that is ethical and transparent and promotes trust among users and stakeholders. The standard covers various aspects of AI governance, including accountability, data privacy, and security. Similar to other ISO standards, 42001 is voluntary. Organizations can choose to certify their compliance with this standard via external audits and controls validation. 

EU Artificial Intelligence Act

Although not finalized yet, the draft EU AI Act represents a comprehensive legal and regulatory framework proposed by the European Union to govern AI use within its member states. It categorizes AI systems based on their risk to citizens’ rights and safety and outlines requirements to be met before those systems can be deployed. The AI Act is particularly notable for its legal enforceability and the potential for significant penalties for non-compliance.

NIST AI RMF vs. ISO 42001 vs. EU AI Act: Similarities and Differences

While all three frameworks aim to promote responsible AI, their approaches and emphases vary. 

| Feature | NIST AI RMF | ISO 42001 | EU AI Act |
|---|---|---|---|
| Purpose | Guidelines for risk management and ethical considerations in AI | Guidelines for an AI management system | Law with specific compliance requirements |
| Focus | More focused on the risk management aspect | Provides a detailed structure for AI management | Based on the risk associated with an AI system |
| Applicability | Flexible, applicable across different sectors and types of AI applications | Flexible, designed to be applicable across various sectors and AI applications | Applies to organizations operating within or targeting the European market |
| Legal Implications | Voluntary standards | Voluntary standards | Legal implications; mandatory compliance for affected entities |
| Geographical Relevance | Global | Global | EU Member States |
| Compliance | Voluntary | Voluntary | Mandatory as law is enacted |


Aligning With the Frameworks

Organizations looking to align their IT operations to these frameworks should start by comprehensively analyzing how they want to use AI (the business use cases) and the risks associated with AI so the organization can understand the specific opportunities and challenges they face. This involves identifying the purpose and desired outcomes of the AI system, the type of data processed, the decision-making capabilities of the system, and the potential effects on individuals and society. 

From there, organizations can develop a tailored risk management strategy that addresses these risks while considering each framework’s unique requirements.

Training and awareness are also crucial. To ensure a cohesive approach and increase transparency, stakeholders, from developers to executives, should be educated about the principles and requirements of strong AI governance.

Frequently Asked Questions (FAQs)

What is AI Governance, and Why is it Important?

AI Governance refers to the frameworks, processes, and practices organizations implement to ensure the responsible and ethical development, deployment, and monitoring of artificial intelligence systems and advanced AI technologies. It is crucial because AI systems can significantly impact individuals, businesses, and society. 

How Do NIST AI RMF, ISO/IEC 42001, and the EU AI Act Influence AI Governance?

The NIST AI Risk Management Framework (AI RMF) provides guidelines for managing the risks that arise from AI models and algorithms. ISO/IEC 42001 is a standard for establishing an AI management system focused on ethical AI, transparency, and trust in AI systems. The EU AI Act proposes legal requirements and AI regulation for AI systems based on risk levels, making it legally binding for organizations operating in or targeting the European market.

What Are the Best Practices for AI Governance in Organizations?

Best practices for AI Governance include:

  • Conducting risk assessments
  • Establishing clear policies and procedures
  • Implementing robust data governance and data protection practices
  • Promoting transparency and explainability
  • Ensuring human oversight 
  • Continuously monitoring AI systems for compliance and ethical concerns 

Organizations should also consider AI safety initiatives and adopt AI principles for responsible AI development.

What is an Example of AI Governance?

An example of AI Governance is a healthcare organization implementing a governance regime like the NIST AI RMF to identify and manage risks associated with their AI systems and machine learning models. This may involve conducting risk assessments, establishing controls and AI policies, and continuously monitoring AI outputs to ensure they operate as intended and comply with ethical and regulatory requirements.

What are the Pillars of AI Governance?

The pillars of AI Governance typically include:

  • Ethical and responsible AI development.
  • Data governance and privacy. 
  • Transparency and explainability.
  • AI risk management.
  • Continuous monitoring and compliance.
  • Addressing potential harms and safeguards. 

It also involves collaboration with policymakers, civil society, and the private sector to create governance structures and building blocks for the AI ecosystem.

Leveraging ZenGRC for Continuous AI Monitoring

ZenGRC can play a pivotal role in helping organizations align with the NIST AI RMF, ISO 42001, and the EU AI Act by offering a comprehensive solution for continuous AI monitoring and governance. 

As AI continues to shape the future of technology and society, the importance of robust governance frameworks cannot be overstated. By understanding the nuances of the NIST AI RMF, ISO 42001, and the EU AI Act and leveraging tools such as ZenGRC, organizations can ensure that their AI systems are both compliant and aligned with the highest standards of ethics, accountability, and transparency.

See how ZenGRC can help streamline AI governance and provide an always-on view of AI risk and compliance across your business — schedule a demo today!

Cut Through Compliance Complexity with Consolidated Objectives

ZenGRC Team · November 27, 2023 ·

2023 has been a rough year, with large tech companies worldwide hit by huge fines for violating the EU General Data Protection Regulation (GDPR) and other compliance violations as well. Businesses can bring their best talent and technology to maintain regulatory compliance, but the plain truth is that as a business grows, so does the complexity of that challenge — and many times, that complexity grows faster than your ability to handle it.

One tactic to simplify that workload — and therefore, to increase your chance of a strong compliance program — is to use consolidated objectives. Such objectives can be rolled out across multiple compliance frameworks, allowing you to “do more with less.”

This article provides an overview of consolidated objectives: what they are, how to use them, and how they help to reduce complexity even as you juggle multiple regulatory compliance demands. 

What Is a Compliance Framework?

Compliance frameworks are blueprints you can use to assure that your company fulfills its compliance obligations. Some frameworks help with financial reporting goals; others address privacy, cybersecurity, or even ESG-related goals.

Frameworks can be required by law or regulation, or a company can adopt a framework voluntarily simply so it can be more rigorous with its risk management efforts.

For example, all U.S. public companies must comply with the Sarbanes-Oxley Act’s requirements for internal control over financial reporting (ICFR). To achieve that compliance, virtually all companies now use the COSO framework for effective internal control — a generalized guide to achieving ICFR, which any company can tailor to its own unique operations and processes.

The challenge is that as a business grows and its regulatory compliance obligations proliferate, the number of compliance frameworks it must follow keeps growing too. A company might need to use one framework for HIPAA compliance on personal health information, another framework for the PCI DSS standard on security of credit card information, a NIST standard on cybersecurity so the company can bid on federal government contracts, and so forth.

In other words, the company will soon encounter “compliance overload” — a flood of demands that leaves employees confused, exasperated, and never sure that they’ve implemented the correct policies and procedures.

Governance risk and compliance (GRC) software tools can alleviate some of that burden through automation. What truly cuts the Gordian knot, however, is the use of consolidated objectives: clear, specific objectives that can meet the demands of numerous frameworks at the same time.

For example, ISO 27001 and PCI compliance both include requirements for password complexity. You can consolidate those demands into a single objective for password complexity that aligns with both frameworks. This cuts down the time employees spend on establishing control requirements. 

What Are the Benefits of Using Consolidated Objectives for Compliance?

When you calculate the time and effort saved by consolidating objectives, including the coordination across teams to implement a consistent set of compliance requirements, the return on investment becomes clear almost immediately. The benefits go beyond saving time and resources, however. You are also able to achieve:

  • A single view of compliance risk across the whole enterprise
  • Better ability to implement compensating controls to address weaknesses
  • More efficient use of company resources

So how does one start implementing consolidated objectives at your enterprise?

Steps to Consolidate Compliance Objectives

Once your organization has decided to consolidate your compliance objectives, the following steps will help you streamline your compliance process. 

1. Compile regulatory compliance requirements

The first step is to compile all the regulatory compliance requirements that apply to your organization. This exercise might need a mix of internal audit team members and external auditors, your IT team, and your enterprise risk management (ERM) team to agree upon a standardized compilation of all the requirements. 

2. Consolidate compliance assessments

The next step is to understand the links between these various sets of compliance or risk requirements. GRC platforms help you find the correct associations between a given risk and the regulatory requirements that relate to it.

If other teams within your organization are enforcing internal controls and compiling documentation for the same risk assessment needs, identifying the common controls and areas is time-consuming but crucial to the process. The result is a consolidated map of all requirements across different teams and regulatory areas.

3. Evaluate and verify the completeness of your risk mapping

Once the map is compiled, you can identify the key risks by severity and impact. That, in turn, can help you evaluate whether your risk map is comprehensive enough to cover all the risk-prone areas across the organization.

If it isn’t, assess with your ERM and leadership team what other areas are unmapped; then bring them into the risk mapping to assure that you can report across multiple regulatory requirements seamlessly. 

4. Identify the right teams for ownership

There might be multiple teams across your organization scrambling to meet a similar set of regulatory requirements, but working in silos. Bring these teams together to share information assets across groups seamlessly. Rely on senior management to align and mobilize the proper stakeholder support.

Leadership can drive decision-making and support the right team to implement the mapped risk requirements and make compliance management much more accessible across the organization.

ZenGRC Tools Make Risk and Compliance Management Easier

Staying abreast of ever-changing regulations and protecting customer assets can be challenging. Documenting and standardizing your compliance requirements does not have to be. ZenGRC can help you create a set of consolidated compliance objectives across your organization.

With ZenGRC’s content hierarchy, you can understand how to map different frameworks and leverage the efforts across compliance requirements. That helps your teams to overcome audit fatigue through automation and stay compliant without breaking a sweat.

Curious to know what consolidated objectives could look like for your org? Schedule a ZenGRC demo today to learn more.

CCPA vs. GDPR: Compliance Comparison

ZenGRC Team · September 23, 2022 ·

The California Consumer Privacy Act (CCPA), heralded as the U.S. version of the European Union’s General Data Protection Regulation (GDPR), has many American companies overhauling their approach to privacy protection in data processing activities.

Assuming that the CCPA is “GDPR Lite,” however, can result in non-compliance with the California law. The two privacy laws have many differences. Compliance with the GDPR does not necessarily assure compliance with the CCPA.

To meet the standards required by each of these data protection laws, you need to understand the differences between the two. To help, we offer a detailed comparison of the CCPA and the GDPR.

What Are CCPA and GDPR?

Governments have enacted laws such as the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) to give people more control over their personal information. Both laws govern how businesses can use the data they collect about consumers.

The CCPA is meant to protect Californians, so they can understand how personal data is gathered and used. The GDPR governs data privacy across the EU, superseding various data protection rules with a unified framework. (Despite coming from Europe, it’s vital to remember that the GDPR affects many companies in the United States.)

Broadly speaking, the CCPA and GDPR are both premised on the idea that personal data belongs to the person the data is about, rather than the organization collecting or using the data. And if personal data is an individual’s property, that means the individual can exercise certain rights over it, and organizations have certain duties of care they must meet while handling it.

The GDPR mandates that websites, organizations, and enterprises have a legal reason for processing the personal data of EU residents. The first legal basis is permission from the individual.

On the other hand, the definition of a “sale” under the CCPA states that neither a business’s use nor a website’s sale of personal data to a third party requires an individual’s prior consent.

Who Has to Comply With GDPR vs. CCPA?

The CCPA protects consumers: natural persons who reside in California. The GDPR is focused on “data subjects” who are EU residents. Both laws are applicable to organizations globally, in slightly different situations.

The CCPA governs for-profit organizations that conduct business in California and gather personal data from California residents. To fall under CCPA jurisdiction, a company must also meet one of the following criteria:

  • Yearly gross revenues of at least $25 million;
  • Purchased, received, sold, or distributed the personal information of at least 50,000 customers, households, or devices;
  • At least half of yearly income is derived from the sale of customer information.

The CCPA also specifies rules for service providers that handle customer data on a company’s behalf.

The GDPR focuses on data controllers, which are organizations that select how and why to use the data of EU residents. The GDPR also governs data processors, which are companies that handle personal data on behalf of controllers.

The GDPR applies to non-EU controllers that process personal data of EU citizens to provide them with commercial products and services or to keep tabs on their behavior. Additionally, the GDPR applies if the data controller or its processor has a physical presence in the EU.

It’s essential to consider how you gather and handle personal data in various regions because the CCPA and GDPR significantly influence a wide range of globally active businesses.

How Do CCPA and GDPR Affect My Business?

The CCPA and GDPR do have many similarities. This is especially true thanks to another law recently enacted in California, the California Privacy Rights Act (CPRA). The CPRA strengthens the CCPA with additional protections, and organizations must comply by January 2023.

First, both laws define “personal information” in essentially the same way: information that can identify, relate to, or is somehow capable of being associated with a specific person. That can include names, addresses, identifiers such as passport or driver’s license numbers, and phone numbers. It can also include genetic material, photographic images, or even internet search histories. The CCPA includes a list of examples (which is not exhaustive). The GDPR does not, and leaves the definition quite broad.

The CCPA gives Californians the right to know if and why their personal information is collected or processed; the GDPR does the same for EU citizens. Companies must implement organizational and technical capabilities to abide by these requests.

The CCPA asserts the individual right to non-discrimination, which makes it illegal to refuse products and services, charge different prices, or provide services of lesser quality. Everyone also has the same right to opt out. Additionally, it allows people to choose a legitimate individual or corporate body to represent them in exercising their CCPA-awarded rights.

The right to rectification allows individuals to request that companies correct incomplete or erroneous records of personal data. It also prevents organizations from processing such data further if it has been wrongfully processed or is no longer necessary. It was one of the rights included in the GDPR, and is included in the forthcoming CPRA updates.

There are also some exemptions in the CCPA regarding personal information transmitted between businesses. For example, if personal data for an employee or contractor of a company is obtained in the course of business-to-business communications or transactions, the information may be exempt from specific CCPA requirements.

Users under both the CCPA and the GDPR have a “right to be forgotten.” This means companies are required to erase customer information unless they have a legal obligation to maintain it.

The CCPA contains several exceptions aiming to assist companies in striking a balance between maintaining customer privacy and being able to collect and use the data the companies require for both commercial and compliance needs. The exceptions apply to completing transactions, upholding legal obligations, maintaining security and existing functionality, protecting free speech, conducting research, and allowing for internal, expected, and lawful uses.

The maximum potential GDPR fines and penalties are €20 million (more than $24 million), or 4 percent of the yearly global revenue. For the CCPA, the maximum fine per violation is $7,500 for willful infractions and $2,500 for every subsequent offense. The CPRA will raise the maximum penalties for any breach of the law involving a minor consumer under the age of 16 to $7,500 per incident, whether intentional or unintentional.

While the fines for the CCPA may seem much less than the GDPR, customers can sue firms in class-action lawsuits for $100 to $750 per customer and each event. This cost can accumulate quickly if you consider the volume of customer data that companies may use.

How Do the CCPA and the GDPR Differ?

One key difference is which companies fall under each law’s scope.

The General Data Protection Regulation applies to all companies worldwide that access or process the data of EU citizens currently living in an EU country. The CCPA requirements apply to for-profit organizations that do business in California and either:

  • Generate $25 million in gross annual revenue;
  • Access the personal information of more than 50,000 California residents; or
  • Generate 50 percent or more of their income from the sale of California residents’ data.

The types of information protected are similar. But the CCPA, unlike the GDPR, protects the data privacy of entire households and data on computing devices in the home, including their applications. The GDPR only protects individuals.

Although the regulations use different language, both focus on providing users with easy-to-read copies of their collected data and allowing the protected parties to share that information easily.

The GDPR created a new right for data subjects to receive copies of their data from the organization, providing the information in a structured, commonly used, machine-readable format. It also allows persons to request the transmission of their data to other data controllers.

Under the CCPA, when a consumer requests disclosure of the data a business has collected, the company must provide it within 45 days in a readily usable format that allows the consumer to transmit their data easily from one entity to another.

Unfortunately, the two laws also use the same terminology to describe the processing of personal data in different ways. GDPR uses the word “processing” to describe any activity involving data. The CCPA breaks data activity down into “processing,” “selling,” and “collecting.”

The manner of obtaining user consent also differs. The language of the GDPR requires data subjects to opt in to data collection, whereas the CCPA only requires a process for individuals to opt out.

Is the CCPA Stricter Than the GDPR?

Most professionals consider the CCPA to be less stringent than the GDPR. If your company has already undergone the journey to be GDPR-compliant, then adhering to the CCPA regulations should also be an easy adjustment. That said, GDPR compliance does not guarantee CCPA compliance. It’s crucial to understand the requirements of each law to assure that your systems and processes fully comply with both.

Does the GDPR ‘Cover’ the CCPA?

No. Compliance with one law does not equal compliance with both. GDPR compliance for U.S. companies can give you a great head start for CCPA compliance, but the CCPA applies broader regulations to a smaller and separate group of people. The CCPA also requires frequent reviews and a faster turnaround time on customer requests for their data.

What Are the Similarities Between GDPR and CCPA?

Both laws are concerned foremost with data subjects’ rights and are structured to emphasize the rights of consumers rather than the restrictions on businesses. In addition, governments implemented these laws to allow for further transparency into and increased awareness of a person’s data lifecycle.

Each law guarantees a set of rights to data subjects. The GDPR guarantees eight rights, while the CCPA mentions only five. Four of the rights in the CCPA directly overlap with the GDPR:

  • Right to know or be informed. Data subjects have the right to know that businesses plan on collecting their data before it happens.
  • Right to access. Data subjects have the right to make access requests for their personal information.
  • Right to erasure. Also known as the right to be forgotten, data subjects can request the deletion of their data.
  • Right to object. There is a slight divergence in this right. The CCPA allows Californians to object to selling their personal information, while the GDPR enables subjects to object to direct marketing and automated profiling.

The CCPA expressly includes the right to service without discrimination. The GDPR does not, although experts say this requirement is implied in the GDPR. The GDPR allows for the right to rectification and rejects the use of automated decision making and profiling. Currently the CCPA does not, but these requirements are covered in the CPRA enhancements that go into effect in 2023.

Automate GDPR and CCPA Compliance with ZenGRC

GDPR and CCPA compliance require internal controls, technology safeguards, comprehensive audits, and documentation. ZenGRC is a comprehensive platform to help you implement and maintain compliance with all your regulatory frameworks.

Automated workflows streamline requests to ensure efficient follow-through to completion (a critical capability to meet the CCPA’s 45-day timeline). Tedious activities are simplified for reviewing and maintaining opt-out and opt-in controls.

ZenGRC acts as a single source of truth so that all employees involved in GDPR and CCPA compliance can access the same documentation and reporting to support audits.

ZenGRC goes beyond checking the box. Contact us to schedule a demo and start down the worry-free path to GDPR and CCPA compliance.

Data Governance for Regulatory Compliance & Data Protection

ZenGRC Team · January 13, 2021 ·

The speed of technology advancement has made it easier than ever to share information throughout corporations, and the sheer volume of the data at your fingertips may seem overwhelming. Those advances, however, might leave your organization in a situation where all that data has become more than you can easily track and control. 

How can you be sure that every piece of data in your organization is secure? The first step in any successful compliance or data protection program is data governance. 

What Is Data Governance?

Data governance is a method by which all the data owned by and connected to your company is tracked and organized. It establishes ownership, and determines where data is stored and how it is protected. 

Without this sort of framework in place, data can be stolen, go missing, or become corrupted without your knowledge. Those possibilities pose serious threats to regulatory compliance and risk management, so your best defense against them is a strong data governance program. 

Governance can also aid your master data management (MDM) by making rules and procedures that will assure that the data assets you have are consistent and accurate. It can uncover duplicates and help you eliminate errors (changes in customer names and addresses, for example). This aspect of data governance is helpful to narrow your scope and determine what data security measures your company should take to best protect customers’ personal data. 

Why Is Data Governance Important for Data Protection?

Data protection is key to preserving your customer base and acquiring new business. Your clients want to know that their sensitive information will be protected, and they’re likely to take their business elsewhere if you’re unable to prove that data is safe. 

Data governance enters that picture not only because it helps you ascertain that every piece of data is protected and accounted for; it can also help you develop the metrics necessary to prove that your controls are effective.

Governance will also help you keep track of which privacy regulations you need to meet. For instance, if your organization stores data from customers in the European Union, you need to abide by the EU General Data Protection Regulation (GDPR). These regulatory requirements differ from most American equivalents and include a broader definition of what constitutes personal information. Your governance program will help you organize your data, which will in turn keep you informed of what requirements you need to meet. 

How Can Data Governance Aid Compliance?

Compliance audits can be a stressful experience. Regulatory compliance is an intricate process that requires information you might not have readily at hand. Instead of scrambling to determine which areas need your attention, imagine that the information required for your audit was already at your fingertips. 

Appropriate data governance processes can alleviate audit stress by ensuring that the data your company owns is organized and accounted for. Instead of organizing the data when you need it, the data is consistently managed, updated, and protected throughout the year. At any given time you’ll have the tools to address issues and potential barriers to compliance.

What Are Some Data Governance Best Practices?

Each data governance program will be unique to its individual company. Your program will have different needs based on the type of data you have, how much data you have, and how that data is processed. Some practices, however, are good to keep in mind no matter what kind of organization you work for. For example:

  • Hire a chief data officer and create governance positions within the company. While it may not be necessary for every company, designating a “CDO” can be a first step in creating your governance program. The person in this position will be instrumental in structuring a framework that’s appropriate for your entire organization, as well as assigning responsibilities and tracking progress.
  • Identify ownership. Governance should not be a centralized endeavor. While a CDO or governance team will be integral in developing your framework, it’s important to assign ownership of sensitive data to staff members and departments. 
  • Cataloging, classification, and tagging. No matter what your company’s goals may be, the organization of your data is a crucial step to appropriate governance. This is another component of governance that will look different for each individual company. Consider factors like the lifecycle of the data, as well as confidentiality and potential for risk. Creating these categories and organizing your data will make it easier to track it as you move forward. 
  • Determine how you will measure progress. What will a successful data governance program look like? It might mean educating a certain percentage of your staff on compliance, or a measurable reduction in risk. No matter what your specific organization needs, it’s best to determine your success markers up front. This will enable you to set goals and prove to executives and clients alike that your governance efforts are sound. 
  • Create clear lines of communication. Perhaps the most important principle of data governance is communication. An organization without a governance program will likely have no central hub where data storage and ownership is tracked. This leads to data loss and confusion, and will create headaches for your company in the event of an audit.

If your company is growing, chances are that your data is accumulating faster than you can track. Even the most concise governance programs can be rendered ineffective by outdated tools and organizational systems. If your team is still depending on spreadsheets and shared documents, you may find yourself defeated by Big Data before you even begin. 

ZenGRC is a single integrated platform for tracking and organizing your company’s data. It can help you automate governance procedures, consolidate proof of compliance, and expose security risks before they become liabilities. Schedule a demo to learn more about how ZenGRC can help you create the best data governance framework for your company.

Difference Between GDPR and ISO 27001

ZenGRC Team · November 17, 2020 ·

Many countries around the world have begun to pass legislation that regulates how businesses can collect and use consumer data, and that imposes certain standards of privacy and security that companies must meet while in possession of that data.
One landmark piece of legislation arrived in 2018 when the European Union’s General Data Protection Regulation (GDPR) went into effect. The GDPR applies to all member states of the EU and the European Economic Area (EEA).
Additional privacy regulations have emerged since then, and understanding what each one requires and whom it affects can be cumbersome. Today we want to bring some clarity to the discussion by explaining the difference between GDPR and ISO 27001.

What Is GDPR?

The GDPR mandates that all companies doing business within the EU or that collect the data of EU citizens must comply with strict rules to protect that personal data. It encourages organizations to manage their data security in line with prescriptive best practices and requires compliance of data controllers (businesses that collect the data) and data processors (companies that process data on behalf of others).

What Is ISO 27001?

ISO 27001, or ISO/IEC 27001, is an international standard for information security management systems (ISMS) that organizations can adopt.
ISO 27001 was established by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005 and later revised in 2013 and 2017.
The standard includes requirements for creating, executing, managing, and improving a company’s information security management system. This ensures that organizations will secure their information assets and protect against data breaches.
All organizations that can meet the ISO 27001 specifications can seek certification from an accredited institution that will conduct an audit to ensure the organization’s compliance.

How Are ISO 27001 and GDPR Different?

ISO 27001 is a voluntary certification that requires organizations to take a risk-based approach to how they manage sensitive data. In contrast, the GDPR aims to protect the personal data of EU citizens, and compliance with the GDPR is mandatory for most organizations working in Europe or with EU citizens.

Both ISO 27001 and the GDPR do revolve around risk, and both direct organizations to identify certain risks and controls that can bring those risks to an acceptable level.

Regarding personal data, ISO 27001 incorporates encryption as part of business continuity management as well as the capability to restore data when necessary, in a timely manner. Along similar lines, the GDPR views personal data as something that all organizations must strive to protect.

Where the two differ is in their requirements. For example, the GDPR includes the right of a consumer to have his or her data removed, as well as the right to control how the data is shared with third parties (also known as data portability). ISO 27001 doesn’t directly include such provisions.

Does ISO 27001 Cover GDPR?

The two are similar, but not identical. Here are a few examples of where ISO 27001 and the GDPR overlap, where compliance with ISO 27001 can help an organization to meet GDPR standards.

ISO 27001 and GDPR both require breach notification, but at different levels.

Under both ISO 27001 and the GDPR, companies must notify supervisory authorities of a breach of personal data within 72 hours of discovering it. ISO 27001 also contains standards designed to assure that information security incidents are handled in a consistent way.
The main difference, however, is that the GDPR stipulates that consumers (or data subjects) be notified when the breach poses a high risk of infringing upon their individual rights.

Incident management and infosec solutions like those offered by ZenGRC help organizations detect, report, and manage personal data incidents, and maintain compliance with the GDPR.

GDPR and ISO 27001 both mandate that all regulatory and contractual requirements be laid out.

To obtain an ISO 27001 certification, organizations must make all legislative and contractual requirements related to their business and their customers available to auditors, so that the audit team can confirm compliance.
GDPR similarly mandates that all statutory and contractual requirements be made available to ensure compliance.

ISO 27001 risk assessment can help organizations avoid GDPR fines

The monetary penalties associated with violating the cybersecurity and data processing requirements outlined in the GDPR can be up to 4 percent of an organization’s global revenue. With consequences so painfully high, companies can’t afford to neglect appropriate risk assessment.
In fact, the GDPR mandates data protection impact assessments, which require organizations to assess privacy risks and vulnerabilities. ISO 27001 requires that same sort of risk assessment too. Therefore, by gaining ISO 27001 certification, an organization can simultaneously assure compliance with GDPR and reduce the chance of costly fines.

The asset management requirements of ISO 27001 help to ensure compliance with GDPR

ISO 27001 treats personal data as information security assets. As such, those assets are subject to constraints around storage, length of storage, collection, and access. Those are also requirements of the GDPR.

The future of GDPR requirements indicates that privacy will be built into business processes in alignment with ISO 27001

Data privacy regulation is getting more complex, not less, with additional provisions and protections being added every year. Looking forward, businesses that want a strategic advantage over competitors will have to incorporate security standards into all aspects of their business.

Companies aiming to comply with ISO 27001 (and other ISO standards like ISO 27701 and ISO 27000) will be well prepared to meet those future expectations, since the ISO standard is all about how to protect information assets, personal data or otherwise.

Conclusion

The GDPR mainly revolves around how personal data is collected, whereas ISO 27001 provides guidance about how data that has been collected can remain confidential and secure.

Furthermore, the GDPR’s main directive is to protect the right to privacy for individuals, and it gives consumers certain rights to see how their data is collected, stored, and shared. ISO 27001, on the other hand, is concerned more with the security controls around data.
If you’d like to learn more about how you can ensure compliance with GDPR or ISO 27001 in your organization, contact us for a demo to see how we can help guide your organization to confidence in infosec risk and compliance.
