GDPR and ISO Compliance

ISO 27001 does not prescribe restrictions about the use of PII, only that privacy and PII must be ensured considering applicable legal requirements, in case-control A.18.1.4 - Privacy and protection of personally identifiable information is applicable to your organization.

Now, GDPR lets the data controller evaluate and balance the risk of security measures taken. There is a presumption of adequacy of encrypted data and encouraging Multi Factors Authentication. Of course, Article 32 GDPR on security measures requires the data controller to balance risks for the freedom and rights of data subjects with the state of art, cost of implementation and nature, scope, purposes of processing in order to determine the right level of security.

These articles will provide you a further explanation about ISO 27001 and GDPR: 

• Does ISO 27001 implementation satisfy EU GDPR requirements? https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/
• How cybersecurity solutions can help with GDPR compliance: https://advisera.com/eugdpracademy/blog/2017/11/27/how-cybersecurity-solutions-can-help-with-gdpr-compliance/
• Privacy, cybersecurity, and ISO 27001 – How are they related?: https://info.advisera.com/27001academy/free-download/privacy-cyber-security-and-iso-27001