ISO 27701:2019 and the GDPR

Latest update:
25 Jul
2022

The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both rquire organisations to protect and ensure the privacy of any personal data which they process.  However, neither the GDPR nor the DPA provide much guidance on what measures organisations should take to safeguard the privacy of that data.  This is where ISO/IEC 27701:2019 (ISO 27701) fits in, by providing you with a best practice framework to implement a privacy information management system (PIMS) and improve your data protection/data privacy capabilities.

The Standard, which was published in August 2019, provides the requirements and guidance for establishing, implementing, maintaining and continually improving a PIMS as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013.  ISO 27701 outlines a framework for personally identifiable information (PII) controllers and PII processors to manage privacy controls so that the risk to individual privacy rights is reduced.

Whilst naturally influenced by the release of the GDPR, ISO 27701 is unique in that it has been designed to provide a framework on how organisations should manage personal information and demonstrate compliance, irrespective of which local privacy regime applies, including the GDPR.

Benefits of implementing and certifying against ISO 27701:2019

You will be able to:

  • Utilise and maximise your existing ISO 27001 ISMS as part of a privacy compliance framework.  In the process, you can reduce complexity by integrating your approach to information security and data protection, negating the need to develop separate information security and privacy management systems.
  • Reduce the complexity of maintaining compliance with regulations from multiple jurisdictions around the world.  Annex D of ISO 27701, for example, maps against the GDPR and shows how complying with the requirements and controls of the Standard can help meet the obligations of the Regulation.  Other annexes map to the privacy framework and principles defined in ISO/IEC 29100:2020 as well as ISO/IEC 27018:2019 and ISO/IEC 29151:2017.
  • By implementing ISO 27701, you will automatically generate documentary evidence of how you process PII.  This evidence can be used to demonstrate to senior management, key stakeholders and business partners that you have taken steps to implement appropriate technical and organisational measures to reduce risks and protect PII, as required by the GDPR and other international regulations and laws.
  • Address your information security and privacy risks and reduce the time responding to client-requested and contractually required audits.  A notable feature of ISO 27701 is its versatility, and it is written in such a way that it can be used by organisations of all sizes and from all sectors.  The Standard provides clear guidance and differentiates between controllers and processors so, whatever your status, you will receive the appropriate advice and guidance in protecting your PII.
  • Demonstrate your commitment to protecting client and stakeholder personal data. PIMS certification can help you to build trust with customers, partners and the wider public.
  • Benchmark and continually improve your management of personal data against recognised best practice.
  • Protect your reputation and minimise adverse publicity.
  • Gain competitive advantage when seeking and retaining business.

How do I achieve certification to ISO 27701?

If your organisation has already achieved certification to ISO 27001, you should find it relatively straightforward to extend your security efforts to include your processing of PII. ISO 27701 has been designed to be used by both data controllers and data processors alike. If your organisation has not implemented an ISMS, you can implement ISO 27001 and ISO 27701 simultaneously as a single project, however, ISO 27701 cannot be implemented as a standalone management system standard.

Thumbnail of the Blog Illustration
Data Protection
updateD:
25/7/2022
Data Subject Access Requests (DSARs) Services

One of the fundamental rights of an individual (data subject), under the UK GDPR is to be able to access and receive a copy of their personal information being held by an organisation...

Read more
Thumbnail of the Blog Illustration
Data Protection
updateD:
25/7/2022
In-house Resource vs Virtual DPO

This blog takes a look at data protection officers (DPOs) and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

Read more
Thumbnail of the Blog Illustration
Data Protection
updateD:
21/7/2022
Gaining Senior Management Buy-In to GDPR Compliance

“It is non-negotiable…….. the potential fines are enormous…….individuals can be held personally liable”. So, with all of these compelling reasons, why can it still be challenging to gain traction on

Read more
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.