Does ISO certification demonstrate GDPR compliance?
On 25 May 2018, the EU's new General Data Protection Regulation (GDPR) comes into force. All organisations with customers or members in the EU are affected. Failure to comply will result in fines running into the millions. Does ISO 27001 certification of the hosting services provider automatically ensure GDPR compliance?
Article 42 of the GDPR explicitly addresses certification mechanisms. These can prove that data protection is being observed. An Information Security Management System (ISMS) according to ISO 27001 has exactly this as its goal. Thus, anyone who is accredited with ISO 27001 certification proves that he or she complies with the Gold Standard in best-practice schemes of data protection.
However, the DSGVO does not only cover data protection, but also the rights of those concerned to your data. For example, informed and explicit consent to the collection of personal data or the right to delete, correct or migrate personal data is being required. These rights are not covered by ISO 27001 and must be implemented independently.
How the respective tasks between the parties are regulated is defined in the data processing contract and by the technical-organisational measures. However, in the relationship between a hosting services provider ("processor") and a client ("controller"), the latter party is considered as responsible to ultimately ensure that the GDPR is being observed.
Further information