ISO 27001 and GDPR Compliance

Tuesday 8th August 2017

What is the GDPR?

The General Data Protection Regulation (GDPR) has been designed to protect the rights, privacy and freedoms of natural persons in the European Union and to enable individuals to better control their personal data. The GDPR has been developed by the European Union Commission as a single, pan-European law that operates above and supersedes other (national) laws and the Data Protection Directive. The GDPR will require all data controllers[1] and data processors[2] that handle the personal information of EU residents to “implement appropriate technical and organisational measures […] to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”. The Regulation will be enforceable from 25 May 2018.

The Regulation requires organisations to put in place a compliance framework which ensures they are implementing appropriate technical and organisational measures to ensure that processing of personal data is performed in compliance with the GDPR. “Processing” is essentially anything done to the data, including storage. “Personal data” means any information relating to an identified or identifiable natural person.

How can ISO27001 help organisations comply with the GDPR?

The Regulation states that having a recognised information security certification, such as ISO27001, will be a good way for an organisation to demonstrate that it protects its information assets using best-practice information security measures.

Will the Regulation continue to apply when Britain leaves the European Union?

Any organisation anywhere in the world that provides services into the EU that involve processing the data of EU citizens will have to comply with the GDPR. Any organisation that wishes to sell its goods or services to EU-based citizens or organisations is therefore likely to need to continue to comply after Britain leaves the European Union. In addition, the UK Government has recently announced plans to introduce a new UK Data Protection Bill, which will align with the GDPR.

What are the penalties for failure to comply?

Failure to comply with the GDPR can result in fines for organisations of up to 20 million euros (£17m) or 4% of annual global turnover, whichever is greater.


[1] ‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

[2] ‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. An organisation can be both a controller and a processor.

Notes for Editors:

ACM Limited is a UKAS-accredited certification body meaning it is able to issue certificates to clients carrying the prestigious “tick and crown”. Certificates carrying these marks are recognised around the world as being of the highest quality. More information is available at:

ACM is part of the EMB Group. EMB Group helps organisations of all types and sizes become more effective, more efficient and more profitable by providing a range of support services to help improve their performance.

These services include recognised programmes such as Department for International Trade and Investors in People and ISO certification and a range of government-funded grant programmes to help companies achieve their growth objectives. EMB Group is based in Leicester.

Further information on EMB Group is available at:

For any press enquiries, please contact Gihan Azab, 0845 504 6262

ACM Ltd provides worldwide certification for ISO 9001, 14001, 27001, 45001, 50001 and OHSAS 18001