The need for a data protection management system

An information security management system must be enhanced towards a data protection management system. In a master thesis conducted at Stockholm University, DSV, and in cooperation with Atea it was found that an information security management system (ISMS) based on ISO 27001/ISO 27002 is a good starting point but not sufficient.

"To fill the gaps we need a data protection management system" says MA Daniel Rzhenetskyi, DSV.

During the research, the requirements stipulated in the GDPR were extracted and mapped against ISO 27001 (ISMS requirements) and ISO 27002 (ISMS security controls). Subsequently a series of interviews with various security and data protection specialists were conducted in order to verify in how far the ISMS controls would satisfy the GDPR. While some controls achieved full compliance a number of gaps with only partial compliance where identified.

Governance approach: The ISMS puts the governance and compliance verification on the CISO while the GDPR assigns governance to the controller and compliance verification on the DPO. This means that a complementary governance organization is needed. Furthermore, the GDPR requires a different documentation in comparisons with ISO 27001 mandatory documentation. Extensive modification would be required to the scope document, risk document and statement of applicability to map towards records of processing and data protection impact assessment.

Impact on data subject versus organizational (security) risks: Another important difference according to the thesis is the approach to define risk exposure. While ISO 27001 elucidate security risks based on the organizations exposure the GDPR focuses on the impact of privacy breaches on the data subject. An identified consequence is that the workshops to identify issues and quantify them has to be performed in a different way. Secondly, this has also an impact on how the security and data protection controls have to be selected. We can conclude that while ISO 27002 provides a solid base complementary controls are necessary.

Semantic inconsistencies in controls: In general, a difference in meaning between the GDPR controls and an ISMS controls were identified. Specifically, the security controls stipulated in ISO 27002 can be (partially) matched on a headline level to the GDPR controls but are different in their meaning execution. While this implies that some extra efforts are necessary the good part of this finding is that synergies in the control framework can be found.

Data protection by design and default: While there is both an implicit assumption of a security architecture and an explicit requirement for security design during development in ISO 27001 the relevant controls do not match up to the intentions of the GDPR. So while there is a solid base some enhancements have to be performed.

Data sharing and data export: While ISO 27002 defines compliance controls they are far too unspecific to deal with the GDPR requirements. This area has, not surprisingly, the most significant gap and extra efforts are needed.

It was therefore concluded that while a management system is important a dedicated data protection management system (DPMS) needs to be built. "Ateas approach is tailored towards this finding and a holistic process, based on Plan-Do-Check-Act, is the base for our approach" says Carl-Magnus Brandt, Business Developer for GDPR at Atea.