topic Re: GDPR for offshore company in Privacy

GDPR for offshore company

Buddhika_dalwis — Wed, 28 Mar 2018 17:18:09 GMT

Hi everyone,

I'm in the process of implementing ISO 27001 for an accounting firm in India who processes data of customers in UK. I believe the firm also needs to be complied to GDPR, what would be compliance requirements should I consider?

Thanks in advance

Re: GDPR for offshore company

sanya_s — Wed, 28 Mar 2018 19:52:22 GMT

When implementing ISO27001 you must examine content 1. Regulations, 2. Contracts and 3 Security Policy , so your security policy will have to ensure that GDPR compliance is part of the regulation, and your context. With GDPR DPIA ( Data Protection Impact Assessment) is the key part of it, and you have to use this as part of your risk assessment analyses, risk register and SOA for ISO27001 controls.

Go through your Annex A controls, and utilising your DPIA define your Statement of Applicability and incorporate that into your ISO27001 documentation.

I hope this helps

Re: GDPR for offshore company

felipetsi — Wed, 28 Mar 2018 20:26:46 GMT

Very good answer. But do you have some checklist with all GDPR requiriments?

Re: GDPR for offshore company

ajyoung — Wed, 28 Mar 2018 23:13:27 GMT

Suggest you use the PIA guidance provided bu CNIL (available in english!) whuich you will find at https://www.cnil.fr/en/home. That will take you through and guide your approach.