A question we are increasingly asked is ‘Is there a catch-all international standard that effectively proves external verification of data protection compliance?’ It would be great if the answer to that question was a simple yes, but currently, despite some disingenuous marketing to the contrary, there are only 3, very purpose-specific UK GDPR certification schemes approved by the Information Commissioner’s Office (ICO), the UK’s supervisory authority.
So, where should you look?
This blog looks at standards in general, with a particular focus on what we consider to be the two most prominent standards, along with some guidance on selecting the one which is likely to be best for you and your organisation.
It took the ICO more than 3 years from the introduction of the GDPR to approve the first 3 UK GDPR certification schemes (in relation to IT asset disposal, age assurance and age-appropriate design). And though there are likely to be more, don’t hold your breath, as this will not be an insignificant process and will take time. So, what is there in the meantime? A simple search will quickly lead to a substantial list of ‘general’ privacy standards and more specific standards – here are just a few as a ‘starter for ten’:
- BS 10012:2017 and A1:2018 - Data protection. Specification for a personal information management system
- ISO 20889:2018 - Privacy-enhancing data de-identification terminology and classification of techniques
- ISO 27701:2019 - Security techniques – Extension to ISO 27001 and ISO 27002 for privacy information management – Requirements and guidelines
- ISO TR 27550:2019 - Information technology — Security techniques — Privacy engineering for system life cycle processes
- ISO FDIS 27556 - (in development) - Information security, cybersecurity and privacy protection - User-centric privacy preferences management framework
- BS EN ISO 29100:2020 and A1:2018 - Information technology – Security techniques – Privacy framework
- BS EN ISO 29134:2020 - Information technology – Security techniques – Guidelines for privacy impact assessment
- ISO 29151:2017 - Information technology – Security techniques – Code of practice for personally identifiable information protection
- ISO 27018:2019 - Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- ISO FDIS 31700-1 (in development) - Consumer protection: privacy by design for consumer goods and services.
So, let’s focus on 2 standards that fall into the wider category of ‘general’ privacy standards, i.e., BS 10012 and ISO 27701. But, before we do, what is the benefit in adopting a standard? Standards are widely regarded as representing best practice, having been developed by a range of experts, industry practitioners, consultants, professionals and other subject matter experts and interested parties. They have then been reviewed extensively and been subject to public consultation, where each and every comment is considered.
Let’s start with BS 10012. This British standard was first released in 2009 and updated in 2017 to reflect the requirements in the GDPR. It describes how to establish a personal information management system (PIMS) and provides a framework for maintaining and improving compliance with data protection legislation and good practice. ISO 27701 on the other hand, is an international Standard and is an extension of ISO 27001 and 27002.
It enhances an existing information security management system (ISMS) with additional requirements in order that organisations can establish, implement, maintain and continually improve a privacy information management system (PIMS), which can then be certified. The Standard outlines a framework for PII controllers and PII processors to manage privacy controls so that risks to individual privacy rights can be reduced. Apart from the British versus International difference, the hawk-eyed of you out there may have already spotted a ‘semantic’ difference – two PIMS, but one ‘P’ stands for personal, and one stands for privacy!
One of the more meaningful distinctions is that ISO 27701 is structured so that the PIMS can be considered an extension to the ISMS requirements and controls. As such, in order to implement it effectively, you must have an ISMS to start with, and a certifiable one at that if you’re looking to certify your PIMS. Another key distinction is that BS 10012 controls are specifically tailored to GDPR requirements.
For example, the BS 10012 controls around data breach notifications have the specified requirement that data controllers have a 72-hour window to contact data protection authorities, whereas ISO 27701 is jurisdiction-neutral in terms of its controls. There is also a useful appendix to ISO 27701 which maps to the GDPR. Once other regulatory requirements are mapped, according to each organisation’s requirements, ISO 27701 will be able to manage multiple privacy requirements and regulations. So, the 6-million-dollar question, which is best for you?
BS 10012 is more suitable for UK-centric organisations, whose obligations are solely limited to complying with the GDPR and don’t have an ISMS or an interest in establishing one, and want to establish a stand-alone PIMS.
ISO 27701 is more suitable for organisations which already have established, or have an intention to establish, an ISMS and need to comply with privacy laws in several different jurisdictions. Whichever you choose, however, will provide you with a best practice framework to successfully manage your approach to data protection/data privacy.
Furthermore, adopting one or the other will enable you to demonstrate to your stakeholders that you have acted. One of the most important stakeholders to think about here in the UK is the ICO. As Elizabeth Denham, the former Information Commissioner, speaking to the BBC in April 2018 said, “We’re not going to be looking at perfection, we’re going to be looking for commitment”. Adopting BS 10012 or ISO 27701 certainly demonstrates commitment!