The theme General Data Protection Regulation – GDPR is increasingly common in our daily lives. At the same frequency, doubts have arisen about ISO/IEC 27001. In this text we are going to talk briefly about the two subjects and how they interact. Good reading!
The Brazilian law 13.709 (General Data Protection Regulation – GDPR) was published on August 14th, 2018 and came into force 24 months later, except for the articles in the section "Administrative Sanctions", which comes into force on August 1st, 2021. It provides for the processing of personal data, including in digital media, by a natural person or a legal person under public or private law, with the objective of protecting the fundamental rights of freedom and privacy and the free development of the person's personality Natural.
The GDPR contains measures that directly affect the activities of associations, from all sectors of the economy, establishing the rights of the holder of personal data, standardizing the definitions related to the processing of personal data and its life cycle, defining the roles of agents related to the data processing, declaring the obligation to report to the regulator (National Data Protection Authority) and to the data subject, in case of data breach, and the need to form rules of good practices and security and data protection governance; as well as heavy fines for non-compliance with the rules provided for in the Law.
The latest revision of ISO/IEC 27001 was published in October 2013 and specifies the requirements to establish, implement, maintain and continually improve an Information Security Management System (ISMS) in the context of the organization. It also includes requirements for the assessment and treatment of information security risks adapted to the needs of the organization. The requirements set out in ISO/IEC 27001 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
The ISMS preserves the confidentiality, integrity and availability of information through the application of a risk management process and provides confidence to stakeholders that the risks are adequately managed.
GDPR x ISO/IEC 27001
The risk management of ISO/IEC 27001 provides for operational controls to mitigate them. In accordance with the LGPD, I highlight the requirements of section A.18 - Compliance below:
A.18.1.1 - Identification of applicable legislation and contractual requirements: All relevant statutory, regulatory and contractual legislative requirements, and the organization's focus on meeting these requirements, must be explicitly identified, documented and kept up to date for each system. organization's information.
A.18.1.4 - Protection and privacy of personally identifiable information: The privacy and protection of personally identifiable information must be ensured as required by relevant legislation and regulations, when applicable.
In this way, a good implementation of ISO/IEC 27001 will meet the requirements of the LGPD.
Still in doubt or need help?
We at E2S Consultoria can help you!