Does GDPR require that a company be certified under a particular security framework like ISO 27001, NIST, etc. to be considered GDPR compliant? Or, can a company still be GDPR compliant if they follow the standards set by those frameworks but not actually be officially certified by that framework?
Expert
Andrei Hanganu
Jan 20, 2018
Answer:
The EU GDPR does not require you to hold any certification in terms of security. Article 32 of the EU GDPR, however, requires you to implement “appropriate” technical and organizational measures to ensure “ongoing confidentiality, integrity, availability and resilience of processing systems and services” and the “ability to restore the availability and access to personal data in a timely manner” (https://advisera.com/eugdpracademy/gdpr/security-of-processing/).
You can use ISO 27001 as a suitable framework to protect your personal data. If you require more information on ISO 27001 and EU GDPR, you can check out our article Does ISO 27001 implementation satisfy EU GDPR requirements? (https://advisera.com/27001academy/blog/2016/10/17/does-iso-27001-implementation-satisfy-eu-gdpr-requirements/).