General Data Protection Regulation and ISO/IEC 27001:2013: Synergies of Activities Towards Organisations’ Compliance

Conference paper, published in: Trust, Privacy and Security in Digital Business (TrustBus 2019)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 11711)

Abstract

The General Data Protection Regulation (GDPR), which has been in effect for about a year now, provides for numerous adjustments and controls that an organisation needs to implement in order to demonstrate that all appropriate technical and organisational measures have been taken to ensure the protection of personal data. Many of the requirements of the GDPR are also included in the “ISO27k” family of standards. Consequently, organisations that have applied ISO27k to develop an Information Security Management System (ISMS) are likely to have already accommodated many of the GDPR requirements. This work identifies synergies between the new Regulation and the well-established ISO/IEC 27001:2013 and proposes practices for exploiting them. The proposed alignment framework can be a solid basis for compliance, either for organisations that are already certified against ISO/IEC 27001:2013, or for others that pursue compliance with the Regulation and with ISO/IEC 27001:2013 to manage information security.



Author information

Corresponding author: Vasiliki Diamantopoulou


Copyright information

© 2019 Springer Nature Switzerland AG

Cite this paper

Diamantopoulou, V., Tsohou, A., Karyda, M. (2019). General Data Protection Regulation and ISO/IEC 27001:2013: Synergies of Activities Towards Organisations’ Compliance. In: Gritzalis, S., Weippl, E., Katsikas, S., Anderst-Kotsis, G., Tjoa, A., Khalil, I. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2019. Lecture Notes in Computer Science, vol 11711. Springer, Cham. https://doi.org/10.1007/978-3-030-27813-7_7

  • DOI: https://doi.org/10.1007/978-3-030-27813-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-27812-0

  • Online ISBN: 978-3-030-27813-7

  • eBook Packages: Computer Science (R0)
