Collaborative Discussion 2


Comparing Compliance Laws (units 8-10)

For this discussion we were tasked with comparing the rules of the GDPR - in particular, with relation to the securing of personal data rule, with either similar compliance laws within our country of residence, or with the ICO in the UK. As EU GDPR is broadly aligned with UK GDPR, and as I have worked to a lesser extent with ICO, I decided to focus on comparing UK GDPR to ICO. This collaborative discussion aligned with learning objectives 1 and 2.

Module Learning Outcomes

A peer response highlighted recent reform to The Data Use and Access Act 2025 (ICO, 2025). On undertaking further reading to understand the specific updates, I reflected on whether the introduction of broad consent will ultimately aid or hinder scientific research. Whilst recognising the challenges posed by having to re-seek consent for future analysis, I also considered whether broader consent provisions may cause individuals to hesitate when providing initial consent, as it may be less clear how their data may be used in the future.

Summary of Discussion Post

My initial post discussed the UK GDPR and the role of the Information Commissioner’s Office (ICO) as an independent regulator for compliance. The post focused on the requirements for securing personal data, described the overarching requirement of UK GDPR that “appropriate technical and organisational measures to ensure a level of security that is appropriate to the risk are implemented” (United Kingdom, 2018, Art. 32) and described the specific checklist advice that the ICO provides for businesses in order to ensure that the data security requirements are met.

The initial post also highlighted security frameworks such as Cyber Essentials, a government backed cyber security certification scheme, for which accreditation enhances confidence that required security standards are met. I additionally highlighted that security of personal data is not only ensured by effective cybersecurity methods, but also by implementing appropriate operational measures and securing of hardware.

A colleague added the pertinent comment that in addition to the ICO guidelines, ISO/IEC 27001 compliance helps to provide assurance that data security measures are met. ISO 27001 is an international standard for Information Security Management Systems (ISMS) and provides a framework for organisations to manage and meet data security requirements (ISO, 2022).

Whilst not mandatory, as an international standard, ISO 27001 certification provides confidence to clients that organisations have systems in place to manage risks related to data security. ISO 27001 complements GDPR by detailing best practices to achieve the operational and technical measures required to meet Article 32 of the GDPR through risk mitigation, continuous improvement and clear accountability (IT Governance, 2025; Amtivo, 2025).

In summary, adherence to ICO guidelines alongside ISO 27001 compliance provides organisations and their clients with assurances that personal data is handled in a secure manner and that GDPR requirements in relation to data security are met. It should be noted, however, that whilst these frameworks help alignment to the GDPR compliance requirements, they are not sufficient to ensure that data protection regulations are fully met, specifically in relation to subject consents, retention and international movement of personal data.


References

Amtivo (2025) ISO 27001 and GDPR: How Do They Work Together? Available at: https://amtivo.com/uk/standards/iso-27001/insights/iso-27001-gdpr-working-together/ (Accessed: 8 October 2025).

ISO (2022) ISO/IEC 27001:2022 – Information security management systems. Available at: https://www.iso.org/standard/27001 (Accessed: 8 October 2025).

IT Governance Ltd. (2025) ISO 27001 and the GDPR. Available at: https://www.itgovernance.co.uk/gdpr-and-iso-27001 (Accessed: 8 October 2025).

United Kingdom (2018) UK General Data Protection Regulation, Article 32. Available at: https://www.legislation.gov.uk/eur/2016/679/article/32 (Accessed: 18 September 2025).
