ISO 27701:2019 and the GDPR

The GDPR principles and the DPA set out the legal requirements for data protection and privacy, but they do not provide detailed guidance on specific measures organizations should take to safeguard personal data. ISO/IEC 27701:2019 (ISO 27701) fills this gap by offering a best practice framework for implementing a Privacy Information Management System (PIMS) and enhancing data protection and privacy capabilities.

Published in August 2019, ISO 27701 serves as an extension to ISO/IEC 27001:2013 and ISO/IEC 27002:2013, which are standards for information security management. It provides requirements and guidance for establishing, implementing, maintaining, and improving a PIMS within the context of an organization's existing information security management system.

ISO 27701 offers a comprehensive framework for managing privacy controls and reducing risks to individual privacy rights. It is designed to be applicable regardless of the local privacy regime in place, including the GDPR principles. This means that organizations can use ISO 27701 to establish a robust PIMS and demonstrate compliance with privacy requirements, irrespective of the specific privacy regulations that apply to them.

By implementing ISO 27701, organizations can enhance their privacy practices, establish effective controls, and demonstrate their commitment to protecting personal information in line with the GDPR principles. It provides a practical approach to managing privacy risks and aligning with international best practices, enabling organizations to build trust with stakeholders and demonstrate their dedication to privacy protection.

Benefits of implementing and certifying against ISO 27701:2019

Implementing ISO 27701 offers several benefits and opportunities for organizations. Here are some key advantages:

1. Utilize and maximize your existing ISO 27001 ISMS: ISO 27701 can be integrated into your existing information security management system (ISMS) based on ISO 27001. This integration allows you to streamline your approach to information security and data protection, eliminating the need for separate management systems and reducing complexity.

2. Simplify compliance with multiple regulations: ISO 27701 helps organizations navigate and comply with regulations from different jurisdictions. For example, Annex D of the standard maps against the GDPR, illustrating how ISO 27701 requirements and controls align with the obligations of the Regulation. Other annexes map to relevant privacy frameworks and principles, enabling organizations to streamline their compliance efforts.

3. Generate documentary evidence and demonstrate compliance: By implementing ISO 27701, organizations automatically generate documented evidence of their PII processing practices. This evidence can be used to demonstrate compliance with the GDPR, other international regulations, and industry best practices to senior management, stakeholders, and business partners.

4. Address information security and privacy risks: ISO 27701 helps organizations identify, assess, and address information security and privacy risks. By following the guidance provided in the standard, organizations can implement appropriate technical and organizational measures to protect PII and reduce the likelihood of data breaches or privacy incidents.

5. Build trust and reputation: Achieving certification for your PIMS can help build trust with customers, partners, and the public. It demonstrates your commitment to protecting personal data and establishes your organization as a responsible custodian of sensitive information.

6. Continual improvement and benchmarking: ISO 27701 provides a framework for ongoing monitoring, measurement, and improvement of your PIMS. By benchmarking your practices against recognized best practices, you can identify areas for enhancement and ensure your privacy management remains effective and up to date.

7. Competitive advantage: Implementing ISO 27701 and obtaining certification can give your organization a competitive edge in the market. It demonstrates your commitment to data protection and privacy, which can be a distinguishing factor when seeking and retaining business relationships.

Overall, ISO 27701 offers a comprehensive framework to strengthen privacy management and protect personal data, benefiting both organizations and the individuals whose data they handle.

How do I achieve certification to ISO 27701?

That's correct. If your organization has already achieved certification to ISO 27001 for GDPR compliance, integrating ISO 27701 into your existing information security management system (ISMS) should be a relatively straightforward process. ISO 27701 provides specific requirements and guidance for managing privacy information within the context of an ISMS, allowing you to extend your security efforts to include the processing of personally identifiable information (PII) in line with GDPR compliance.

On the other hand, if your organization has not implemented an ISMS, you have the option to implement ISO 27001 and ISO 27701 simultaneously as a combined project. This approach allows you to establish an integrated management system that addresses both information security and privacy requirements for GDPR compliance. ISO 27701 cannot be implemented as a standalone management system standard, as it is designed to be an extension of ISO 27001 and ISO 27002.

By implementing ISO 27001 and ISO 27701 together, organizations can benefit from a unified approach to managing security and privacy, reducing duplication of efforts, and demonstrating compliance with both information security and privacy regulations, including GDPR compliance. This integrated approach ensures that organizations are well-equipped to protect personal data and meet the requirements of data protection laws.