Compliance, GDPR and ISO27001

Our world and society are becoming increasingly digital, and with that shift we are highly dependent on those who use our data also protecting it appropriately. Certifications within the compliance area are the guarantee of that for us, both as customers and as citizens.

Within our space, we have to pay attention to a few separate key areas:

  • Privacy & Data Protection
  • Security
  • Processes

Since its introduction, GDPR has demanded a lot of attention from any company that handles customer data in some form. Unlike previous regulations in the same field, the EU has been very active and aggressive in its pursuit of holding companies responsible. Since 2015, over 1000 fines have been made public and indexed at enforcementtracker.com.

Prior to GDPR, it was common practice to collect as much data as possible and store it until the end of time, so that it could be used in some way in the future. As Machine Learning practices have evolved rapidly over the last decade, the value of historical data has increased massively. ML engineers can create truly baffling things with data.

GDPR now regulates what kind of data companies can collect and forces companies to disclose what kind of data is collected. Everyone has clicked through countless “cookie pop-ups” and has reached the point of annoyance once these pop-ups block the website in question. GDPR also mandates that companies ensure that European customers' data stays within European borders.

For a great historical perspective, Max Schrems travels the tech conference circuit telling the story of why GDPR is important and how and why he sued Facebook over it.

For Information Security, there are multiple compliance certifications one can strive for. The International Organization for Standardization has created a series of standards that apply to Information Security, the main one being ISO27001.

An ISO certificate is primarily used as a sales tool. It is an incredibly powerful tool for your sales team for delivering a promise (in this case, information security). The alternative to holding an ISO27001 certificate is filling out massive spreadsheets of questions about everything security-related, to demonstrate that some level of security is upheld. Some companies outright decline to do business if no 27001 certificate exists.

If you are looking to become ISO27001 certified, we can help. We have helped companies identify areas that need attention and have helped create and write processes that support compliant workflows. The workflow designed to help you looks somewhat like an internal audit. To ensure that we are heading in the right direction, we have a certified Lead Auditor within our ranks.

Note that if we help you become ISO27001 compliant, we cannot also perform the audit itself that grants you the certificate.