GDPR Article 5 contains the largest amount of information that needs to be considered from an ISO perspective.
Article 5 can largely be viewed as a set of underlying principles that flow through the entirety of both the UK and EU legislation, encompassing numerous different areas of compliance, including:
Organisations need to be fully conversant with Article 5, in order to better understand the subtle nuances that GDPR presents across other areas of the legislation.
Principles Relating to Processing of Personal Data
- Personal data shall be:
- (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
- (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
- (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
- (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
- (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
- (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
- The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
From a technical perspective, Article 5 largely provides the legal framework within which organisations should operate, in order to remain compliant, across six guiding principles:
Although deliberately broad, ‘fairness’ is an overall requirement of the GDPR, and serves as an interpretive tool for situations that may not violate the letter of the law, but are clearly not ‘fair’ from the perspective of an individual and their rights.
‘Transparency’ requires that the data subject is fully aware of the processing of their data. GDPR requires that information provided to the data subject must be delivered within a reasonable timeframe, easily accessible and free from errors.
GDPR Article 5 states that any personal data collected should be limited to very specific and legitimate purposes, and shouldn’t be re-appropriated for any purpose other than what was originally intended.
Data minimisation under GDPR Article 5 is defined in terms of two concepts – ‘processing’ and ‘purpose’. Essentially, organisations need to ensure that they process only the minimum data needed to fulfil the stated purpose.
Data should be kept accurate and up to date at all times. If data is found to be inaccurate, Article 5 states that organisations should take ‘reasonable steps’ to rectify any mistakes that have been made. All-in-all, individuals need to be properly represented by the data that’s held on them, so that any decisions made are not taken upon a false impression of who they are.
Organisations need to be mindful of the fact that processing operations should not go on forever. Once an initial set of objectives are fulfilled, data processing should stop. To achieve this, organisations should define storage times before processing any data.
Information transfer operations should:
When utilising electronic transfer facilities, organisations should:
When transferring physical media (including paper documents) between premises or external locations, organisations should:
Verbally conveying sensitive information presents a unique security risk, particularly where PII and privacy protection is concerned.
Organisations should remind employees to:
Organisations should utilise non-disclosure agreements (NDAs) and confidentiality agreements to protect against the wilful or accidental divulgence of sensitive information to unauthorised personnel.
When drafting, implementing and maintaining such agreements, organisations should:
Confidentiality laws vary from jurisdiction to jurisdiction, and organisations should consider their own legal and regulatory obligations when drafting NDAs and confidentiality agreements (see ISO 27002 Controls 5.31, 5.32, 5.33 and 5.34).
Application security procedures should be developed alongside broader privacy protection policies, usually via a structured risk assessment that takes into account multiple variables.
Application security requirements should include:
Transactional services that facilitate the flow of privacy data between the organisation and a third party organisation, or partner organisation, should:
For any applications that involve electronic ordering and/or payment, organisations should:
Organisations should carefully select test data to ensure that testing activity is both reliable and secure. Organisations should pay extra attention to ensuring that PII is not copied into development and testing environments.
In order to protect operational data throughout testing activities, organisations should:
When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.
In doing so, organisations should:
Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.
In order to create a cohesive, highly functioning incident management policy that safeguards the availability and integrity of privacy information during critical incidents, organisations should:
Staff involved in privacy information security incidents should understand:
When dealing with privacy information security events, staff should:
Reporting activities should be centred around 4 key areas:
Organisations should conform to legal, statutory, regulatory and contractual requirements when:
Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.
Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.
When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:
Organisations should consider record management across 4 key areas:
To maintain a functional records system that safeguards PII and privacy-related information, organisations should:
Organisations should implement topic-specific policies that deal with different categories of endpoint devices and mobile device software versions, and how security controls should be tailored to improve data security.
An organisation’s mobile device policy, procedures and supporting security measures should take into account:
Everyone in the organisation who uses remote access needs to be made explicitly aware of any mobile device policy and procedures that apply to them within the context of secure endpoint device management.
Users should be instructed to:
Organisations who allow personnel to use personally owned devices should also consider the following security controls:
When drafting procedures that deal with wireless connectivity on endpoint devices, organisations should:
Rather than put all information held on an equal footing, organisations should classify information on a topic-specific basis.
Information owners should consider four key factors when classifying data (especially PII), and should review them periodically or whenever those factors change:
To provide a clear operational framework, information categories should be named in accordance with the inherent risk level, should any incidents occur that compromise any of the above factors.
To ensure cross-platform compatibility, organisations should make their information categories available to any external personnel who they share information with, and ensure that the organisation’s own classification scheme is widely understood by all relevant parties.
Organisations should be wary of either under-classifying or, conversely, over-classifying data. The former can lead to PII being grouped with less sensitive data types, whilst the latter often leads to added expense, a greater chance of human error and processing anomalies.
Labels are a key part of ensuring that the organisation’s PII classification policy (see above) is being adhered to, and that data is able to be clearly identified in line with its sensitivity (e.g. PII being labelled as distinct from less confidential data types).
PII labelling procedures should define:
ISO provides plenty of scope for organisations to choose their own labelling techniques, including:
When developing policies that govern the handling of media assets involved in storing PII, organisations should:
When re-purposing, re-using or disposing of storage media, robust procedures should be put in place to ensure that PII is not affected in any way, including:
If devices that have been used to store PII become damaged, organisations should carefully consider whether it is more appropriate to destroy such media or send it for repair (erring on the side of destruction).
See ISO 27701 Clause 6.5.3.1
If media is to be disposed of that previously held PII, organisations should implement procedures that document the destruction of PII and privacy-related data, including categorical assurances that it is no longer available.
When implementing policies that deal with removable media, organisations should:
Organisations should keep thorough records of any storage media used to process sensitive information, including:
Throughout the process of re-purposing, re-using or disposing of storage media, organisations should:
User registration is governed by the use of assigned ‘identities’. Identities provide organisations with a framework to govern user access to PII and privacy-related assets and material, within the confines of a network.
Organisations need to follow six main guidance points, in order to ensure that identities are managed correctly, and PII is protected wherever it is stored, processed or accessed:
Organisations who work in partnership with external organisations (particularly cloud-based platforms) should understand the inherent risks associated with such practices, and take steps to ensure that PII is not adversely affected in the process (see ISO 27002 Controls 5.19 and 5.17).
‘Access rights’ govern how access to PII and privacy-related information is both granted and revoked, using the same set of guiding principles.
Access procedures should include:
Organisations should conduct periodical reviews of access rights across the network, including:
Personnel who are leaving the organisation (whether voluntarily or through termination), and those who are the subject of a change request, should have their access rights amended based upon robust risk management procedures, including:
Employment contracts and contractor/service contracts should include an explanation of what happens following any attempts at unauthorised access (see ISO 27002 Controls 5.20, 6.2, 6.4, 6.6).
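The periodic review and leaver/mover handling described above can be implemented as a simple reconciliation of the HR roster against an entitlement export. The following is an added example, not ISO or ISMS.online material; the roster, the entitlement records, the 90-day dormancy threshold and the review date are all constructed for illustration.

```python
"""Periodic review of access rights to PII-bearing systems.

Added example, not ISO or ISMS.online material. It joins an HR roster against
an entitlement export and flags what a review is meant to catch: leavers who
still hold access, accounts with no HR record, movers whose access was approved
for a previous role, and dormant rights. Both data sets are constructed and the
90-day dormancy threshold is assumed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed HR roster: user -> (current department, employment status)
HR_ROSTER = {
    "alice": ("hr", "active"),
    "bob": ("finance", "leaver"),       # has left the organisation
    "carol": ("support", "active"),     # moved from 'billing' to 'support'
    "dave": ("engineering", "active"),
}


@dataclass(frozen=True)
class Entitlement:
    user: str
    resource: str
    department_at_grant: str        # department on the approved access request
    last_used: Optional[date]       # None = never exercised


# Constructed entitlement export from the access-control system.
ENTITLEMENTS = [
    Entitlement("alice", "hr-records", "hr", date(2024, 5, 30)),
    Entitlement("bob", "payroll-db", "finance", date(2024, 3, 1)),
    Entitlement("carol", "billing-crm", "billing", date(2024, 1, 10)),
    Entitlement("dave", "customer-db", "engineering", None),
    Entitlement("erin", "customer-db", "support", date(2024, 5, 1)),   # no HR record
]

TODAY = date(2024, 6, 1)            # assumed review date
DORMANT_AFTER = timedelta(days=90)  # assumed dormancy threshold


def review_access(roster: dict, entitlements: list, today: date) -> list:
    """Return (user, resource, reason) triples for every right needing action."""
    findings = []
    for e in entitlements:
        if e.user not in roster:
            findings.append((e.user, e.resource, "orphaned: no matching HR record"))
            continue
        dept, status = roster[e.user]
        if status == "leaver":
            # Leaver: revoke outright, regardless of anything else about the right.
            findings.append((e.user, e.resource, "leaver still holds access"))
            continue
        if dept != e.department_at_grant:
            findings.append((e.user, e.resource,
                             f"mover: approved for {e.department_at_grant}, now in {dept}"))
        if e.last_used is None or today - e.last_used > DORMANT_AFTER:
            findings.append((e.user, e.resource, "dormant: not used within threshold"))
    return findings


def run_review() -> list:
    return review_access(HR_ROSTER, ENTITLEMENTS, TODAY)


if __name__ == "__main__":
    for user, resource, reason in run_review():
        print(f"{user:6} {resource:12} {reason}")
```

Orphaned and leaver accounts are reported once and skipped, since revocation supersedes any finer-grained finding; a mover can also be dormant, so carol produces two findings that the reviewer resolves together.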
PII and privacy-related assets need to be stored on a network that features a range of authentication controls, including:
To prevent and minimise the risk of unauthorised access to PII, organisations should:
PII and privacy-related information is particularly at risk when the need arises to either dispose of, or re-purpose storage and processing assets – either internally, or in partnership with a specialised third-party provider.
Above all, organisations need to ensure that any storage media marked for disposal that has contained PII is physically destroyed, wiped or overwritten (see ISO 27002 Controls 7.10 and 8.10).
To prevent PII becoming compromised in any way, when disposing of or re-using assets, organisations should:
PII and privacy related-information is particularly at risk when careless staff and third-party contractors fail to adhere to workplace security measures that protect against the accidental or deliberate viewing of PII by unauthorised personnel.
Organisations should draft topic-specific clear desk and clear screen policies (on a workspace-by-workspace basis if needs be) that includes:
When organisations collectively leave premises – such as during an office move or similar relocation – efforts should be made to ensure that no documentation is left behind, either in desks and filing systems, or in any obscure places it may have fallen into.
Organisations should draft topic-specific policies that directly address how the organisation backs up the relevant areas of its network in order to safeguard PII and improve resilience against privacy-related incidents.
Backup and disaster recovery (BUDR) procedures should be drafted with the primary goal of ensuring that all business-critical data, software and systems can be recovered following data loss, intrusion, business interruption and critical failures.
As a priority, BUDR plans should:
Organisations need to develop separate procedures that deal solely with PII (albeit contained within their main BUDR plan).
Regional variances in PII BUDR standards (contractual, legal and regulatory) should be taken into consideration whenever a new job is created, jobs are amended or new PII data is added to the BUDR routine.
Whenever the need arises to restore PII following a BUDR incident, organisations should take great care to return the PII to its original state, and review restore activities to resolve any issues with the new data.
Organisations should keep a log of restoration activity, including any personnel involved in the restore, and a description of the PII that’s been restored.
Organisations should check with any law-making or regulatory agencies and ensure that their PII restoration procedures are in alignment with what is expected of them as a PII processor and controller.
ISO defines an ‘event’ as any action performed by a digital or physical presence/entity on a computer system.
Event logs should contain:
ISO identifies 11 events/components that require logging (and linked to the same time source – see ISO 27002 Control 8.17), in order to maintain PII security and improve organisational privacy protection:
Logs should be protected against unauthorised changes or operational anomalies, including:
Organisations should engage with the following techniques, in order to improve log-based security:
When the need arises to provide logs to external organisations, strict measures should be taken to safeguard PII and privacy-related information, in accordance with accepted data privacy standards (see ISO 27002 Control 5.34 and additional guidance below).
Logs will need to be analysed from time to time, in order to improve privacy protection on the whole, and to both resolve and prevent security breaches.
When performing log analysis, organisations should take into account:
Log monitoring offers organisations the chance to protect PII at source and foster a proactive approach to privacy protection.
Organisations should:
ISO requires organisations to monitor logs pertaining to PII through a ‘continuous and automated monitoring and alerting process’. This may necessitate a separate set of procedures that monitor access to PII.
Organisations should ensure that – as a priority – logs provide a clear account of access to PII, including:
Organisations should decide ‘if, when and how’ PII log information should be made available to customers, with any criteria being made freely available to the principals themselves and great care taken to ensure that PII principals are only able to access information pertaining to them.
See ISO 27701 Clause 6.9.4.1
Organisations should dedicate a lot of attention towards ensuring that logs which contain PII are properly controlled, and benefit from secure monitoring.
Automated procedures should be put in place that either delete or ‘de-identify’ logs, in line with a published retention policy (see ISO 27701 Clause 7.4.7).
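Two of the requirements above, protecting logs against unauthorised changes and purging them in line with a retention policy, pull in opposite directions: a log that cannot be altered is also a log that cannot be trimmed. The following is an added example, not ISO or ISMS.online material, showing one way to reconcile them with a hash chain over PII access records. The events, the retention period and the review time are constructed; each record links to the hash of the one before it, so any edit or deletion inside the retained window is detected, while a retention purge drops only the oldest records and hands back the hash of the last purged record as the new anchor for verification.

```python
"""Tamper-evident PII access log with retention purge.

Added example, not ISO or ISMS.online material. Each record stores the hash
of the record before it, so editing or deleting any retained record breaks
the chain; a retention purge drops only the oldest records and hands back the
hash of the last purged record as the new anchor, so an unapproved extra
deletion at the head is still detectable. Events below are constructed.
"""
import copy
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64            # anchor before the first record

# Constructed PII access events (ISO 8601 timestamps, single time source assumed).
EVENTS = [
    {"ts": "2024-05-01T09:00:00+00:00", "actor": "svc-billing", "subject_ref": "p-1042",
     "action": "read", "fields": ["name", "email"]},
    {"ts": "2024-05-20T14:30:00+00:00", "actor": "alice", "subject_ref": "p-1042",
     "action": "update", "fields": ["address"]},
    {"ts": "2024-06-01T08:15:00+00:00", "actor": "bob", "subject_ref": "p-2201",
     "action": "export", "fields": ["*"]},
]
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)   # assumed review time
RETENTION = timedelta(days=30)                      # assumed retention period


def _digest(prev_hash: str, event: dict) -> str:
    # Canonical JSON: field order cannot change the digest.
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


def append(chain: list, event: dict) -> dict:
    """Append one event, linking it to the previous record's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"event": event, "prev": prev, "hash": _digest(prev, event)}
    chain.append(rec)
    return rec


def build_chain(events=EVENTS) -> list:
    chain = []
    for ev in events:
        append(chain, ev)
    return chain


def verify(chain: list, anchor: str = GENESIS) -> int:
    """Index of the first record that fails verification, or -1 if intact.

    `anchor` is the hash the first record must link to: GENESIS for a
    never-purged log, otherwise the anchor returned by purge_expired().
    """
    expected_prev = anchor
    for i, rec in enumerate(chain):
        if rec["prev"] != expected_prev or rec["hash"] != _digest(rec["prev"], rec["event"]):
            return i
        expected_prev = rec["hash"]
    return -1


def purge_expired(chain: list, now: datetime = NOW, retention: timedelta = RETENTION):
    """Drop records older than `retention`; return (kept, new_anchor).

    Only a prefix is removed, so the remaining chain still verifies against
    the hash of the last record that was purged (or GENESIS if none were).
    """
    cutoff = now - retention
    anchor = GENESIS
    kept = []
    for rec in chain:
        if datetime.fromisoformat(rec["event"]["ts"]) < cutoff and not kept:
            anchor = rec["hash"]          # still a prefix: purge and advance the anchor
        else:
            kept.append(rec)
    return kept, anchor


def tampered_copy(chain: list, index: int, field: str, value) -> list:
    """Return a deep copy with one event field altered (to show detection)."""
    altered = copy.deepcopy(chain)
    altered[index]["event"][field] = value
    return altered


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify(chain))                                   # -1
    print("actor rewritten:", verify(tampered_copy(chain, 1, "actor", "mallory")))
    kept, anchor = purge_expired(chain)
    print("after purge:", len(kept), "records, verifies:", verify(kept, anchor))
```

The anchor must be stored outside the log (for example alongside the retention job's own audit record); if it is kept in the same file an attacker who can edit the log can also move the anchor forward and quietly discard records.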
PII principals need to be fully conversant with all the various reasons as to why their PII is being processed.
It’s the responsibility of the organisation to convey these reasons to PII principals, along with a ‘clear statement’ on why they need to process their information.
All documentation needs to be clear, comprehensive and easily understood by any PII principal that reads it – including anything relating to consent, as well as copies of internal procedures (see ISO 27701 Clauses 7.2.3, 7.3.2 and 7.2.8).
To form a legal basis for processing PII, organisations should:
For every point mentioned above, organisations should be able to offer documented confirmation.
Organisations also need to consider any ‘special categories’ of PII that relate to their organisation in their data classification scheme (see ISO 27701 Clause 7.2.8) (classifications may vary from region to region).
If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.
Organisations need to enter into written, binding contracts with any external PII processor that they use.
Any contracts need to ensure that the PII processor implements all the required information contained within ISO 27701 Annex B, with particular attention to risk assessment controls (ISO 27701 Clause 5.4.1.2) and the overall scope of the processing activities (see ISO 27701 Clause 6.12).
Organisations need to be able to justify the omission of any controls contained within Annex B, in their relationship with the PII processor (see ISO 27701 Clause 5.4.1.3).
Organisations need to maintain a thorough set of records that support their actions and obligations as a PII processor.
Records (otherwise known as ‘inventory lists’) should have a delegated owner, and may include:
Organisations should draft, document and implement procedures that allow PII principals to access, correct and/or delete their PII.
Procedures should include mechanisms through which the PII principal is able to perform the above action, including how the organisation is to inform the principal if corrections aren’t able to be made.
Organisations should commit to a published response time for all access, correction or deletion requests.
It’s vitally important to communicate any such requests to third parties that have been transferred PII (see ISO 27701 Clause 7.3.7).
A PII principal’s ability to request corrections or deletions is dictated by the jurisdiction that the organisation operates in. As such, companies should keep themselves abreast of any legal or regulatory changes that govern their obligations towards PII.
Organisations should limit their collection of PII based on three factors:
Organisations should only collect PII – either directly or indirectly – in accordance with the above factors, and only for purposes that are relevant and necessary towards their stated purpose.
As a concept, ‘privacy by default’ should be adhered to – i.e., any optional functions should be disabled by default.
Organisations should take steps to ensure that PII is accurate, complete and up-to-date, throughout its entire lifecycle.
Organisational information security policies and technical configurations should contain steps that seek to minimise errors throughout their PII processing operations, including controls on how to respond to inaccuracies.
Organisations need to construct ‘data minimisation’ procedures, including mechanisms such as de-identification.
Data minimisation should be used to ensure that PII collection and processing is limited to the ‘identified purpose’ of each function (see ISO 27701 Clause 7.2.1).
A large part of this process involves documenting the extent to which a PII principal's information should be directly attributable to them, and how minimisation is to be achieved via the variety of available methods.
Organisations should outline the specific techniques used to de-identify PII principals, such as:
Organisations either need to completely destroy any PII that no longer fulfils a purpose, or modify it in a way that prevents any form of principal identification.
As soon as the organisation has established that the PII does not need to be processed at any time in the future, the information should be deleted or de-identified, as the circumstances dictate.
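The de-identification and minimisation passages above name the goal (modify the data so that the principal can no longer be identified) but not the mechanics. The following is an added example, not ISO or ISMS.online material, applying the techniques a de-identification procedure commonly lists to one record: keyed pseudonymisation of the identifier, generalisation of the birth date to an age band, truncation of the postcode, masking of the client IP and suppression of free text. The record, the key, the processing date and the choice of fields are all assumed for illustration.

```python
"""Field-level de-identification of a PII record.

Added example, not ISO or ISMS.online material; the record, key and field
choices are assumed for illustration. It shows the common techniques a
de-identification procedure names: keyed pseudonymisation of the identifier,
generalisation of the birth date to an age band, truncation of the postcode,
masking of the client IP and suppression of free text.
"""
import hashlib
import hmac
import ipaddress
from datetime import date

KEY = b"rotate-me-and-keep-out-of-the-dataset"   # assumed pseudonymisation key
TODAY = date(2024, 6, 1)                          # assumed processing date

# Constructed record as it might be held before minimisation.
SAMPLE_RECORD = {
    "email": "jane.doe@example.org",
    "dob": date(1986, 7, 14),
    "postcode": "SW1A 1AA",
    "ip": "203.0.113.77",
    "notes": "Called about invoice 4471, mentioned a house move.",
}


def pseudonymise(value: str, key: bytes) -> str:
    # HMAC, not a bare hash: without the key an attacker cannot hash a list of
    # known emails and match them against the pseudonyms. Input is normalised
    # so that case and whitespace variants map to the same reference.
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def age_band(dob: date, today: date, width: int = 10) -> str:
    # Generalisation: exact age is replaced by a band of `width` years.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = (age // width) * width
    return f"{low}-{low + width - 1}"


def truncate_postcode(postcode: str) -> str:
    # Keep only the outward code (UK format assumed): "SW1A 1AA" -> "SW1A"
    return postcode.strip().upper().split()[0]


def mask_ip(ip: str) -> str:
    # Zero the host part: /24 for IPv4, /48 for IPv6.
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False).network_address)


def de_identify(record: dict, key: bytes = KEY, today: date = TODAY) -> dict:
    return {
        "subject_ref": pseudonymise(record["email"], key),
        "age_band": age_band(record["dob"], today),
        "postcode_area": truncate_postcode(record["postcode"]),
        "client_net": mask_ip(record["ip"]),
        # 'email' and 'notes' are suppressed entirely; free text is where
        # direct identifiers leak back in.
    }


if __name__ == "__main__":
    print(de_identify(SAMPLE_RECORD))
```

The pseudonym is deterministic under one key, which is what lets records about the same principal still be linked for the stated purpose; destroying or rotating the key is the step that turns pseudonymised data into data that can no longer be attributed, so the key must be held apart from the dataset and under its own retention rule.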
Temporary files are created for a number of technical reasons, throughout the PII processing and collection lifecycle, across numerous applications, systems and security platforms.
Organisations need to ensure that these files are destroyed within a reasonable amount of time, in accordance with an official retention policy.
A simple way to identify the existence of such files is to perform periodic checks of temporary files across the network. Temporary files often include:
Organisations should adhere to a so-called garbage collection procedure that deletes temporary files when they’re no longer needed.
Organisations need to have clear policies and procedures that govern how PII is disposed of.
Data disposal is a wide-ranging topic that features a host of different variables, based on the required disposal technique and the nature of the data that’s being disposed of.
Organisations need to consider:
Any PII that is to be transferred to a third-party organisation should be sent with the utmost care for the information concerned, using secure means.
Organisations need to ensure that only authorised personnel are able to access transmission systems, and are doing so in a way that is easily audited with the sole purpose of getting the information to where it needs to go without incident.
From the outset, PII should only ever be processed in accordance with the customer’s instructions.
Contracts should include SLAs relating to mutual objectives, and any associated time scales that they need to be completed within.
Organisations retain the right to choose the specific methods by which PII is processed, provided those methods lawfully achieve what the customer has instructed; granular customer permission for how the processing is carried out at a technical level is not required.
Organisations need to ensure that temporary files are destroyed within a reasonable amount of time, in accordance with an official retention policy and clear deletion procedures.
A simple way to identify the existence of such files is to perform periodic checks of temporary files across the network.
Organisations should adhere to a so-called garbage collection procedure that deletes temporary files when they’re no longer needed.
Whenever PII needs to be transmitted over a data network (including a dedicated link), organisations need to ensure that the PII reaches the correct recipients, in a timely manner.
When transferring PII between data networks, organisations should:
GDPR Article | ISO 27701 Clause | ISO 27002 Controls |
---|---|---|
EU GDPR Article 5(1)(f) | 6.10.2.1 | 5.13, 8.7, 8.24 |
EU GDPR Article 5(1) | 6.10.2.4 | 5.31, 5.32, 5.33, 5.34 |
EU GDPR Article 5(1)(f) | 6.11.1.2 | 5.17, 8.2, 8.5 |
EU GDPR Article 5(1)(f) | 6.11.3.1 | 8.10, 8.11 |
EU GDPR Article 5(1)(f) | 6.13.1.1 | 5.25, 5.26, 5.5, 5.6, 6.8, 8.15, 8.16 |
EU GDPR Article 5(1)(f) | 6.15.1.1 | 5.20 |
EU GDPR Article 5(2) | 6.15.1.3 | None |
EU GDPR Article 5(1)(f) | 6.3.2.1 | 8.9, 8.16 |
EU GDPR Article 5(1)(f) | 6.5.2.1 | None |
EU GDPR Article 5(1)(f) | 6.5.2.2 | None |
EU GDPR Article 5(1)(f) | 6.5.3.1 | 5.14 |
EU GDPR Article 5(1)(f) | 6.5.3.2 | 5.14 |
EU GDPR Article 5(1)(f) | 6.6.2.1 | 5.17, 5.19 |
EU GDPR Article 5(1)(f) | 6.6.2.2 | 5.9, 5.20, 6.2, 6.4, 6.6 |
EU GDPR Article 5(1)(f) | 6.6.4.2 | None |
EU GDPR Article 5(1)(f) | 6.8.2.7 | 7.10, 8.10 |
EU GDPR Article 5(1)(f) | 6.8.2.9 | None |
EU GDPR Article 5(1)(f) | 6.9.3.1 | 5.30, 8.1, 8.10 |
EU GDPR Article 5(1)(f) | 6.9.4.1 | 5.34, 8.11, 8.17, 8.18 |
EU GDPR Article 5(1)(f) | 6.9.4.2 | 5.34, 8.11, 8.17, 8.18 |
EU GDPR Article 5(1)(b) | 7.2.1 | None |
EU GDPR Article 5(1)(a) | 7.2.2 | None |
EU GDPR Article 5(2) | 7.2.8 | None |
EU GDPR Article 5(1)(d) | 7.3.6 | None |
EU GDPR Article 5(1)(b) | 7.4.1 | None |
EU GDPR Article 5(1)(d) | 7.4.3 | None |
EU GDPR Article 5(1)(c) | 7.4.4 | None |
EU GDPR Article 5(1)(c), 5(1)(e) | 7.4.5 | None |
EU GDPR Article 5(1)(c) | 7.4.6 | None |
EU GDPR Article 5(1)(f) | 7.4.8 | None |
EU GDPR Article 5(1)(f) | 7.4.9 | None |
EU GDPR Article 5(1)(a), 5(1)(b) | 8.2.2 | None |
EU GDPR Article 5(1)(c) | 8.4.1 | None |
EU GDPR Article 5(1)(f) | 8.4.3 | None |