ISO 27701:2019 and the GDPR

25 Jul

Table of Contents

The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both require organisations to protect and ensure the privacy of any personal data which they process.  However, neither the GDPR nor the DPA provide much guidance on what measures organisations should take to safeguard the privacy of that data.  This is where ISO/IEC 27701:2019 (ISO 27701) fits in, by providing you with a best practice framework to implement a privacy information management system (PIMS) and improve your data protection/data privacy capabilities.

The Standard, which was published in August 2019, provides the requirements and guidance for establishing, implementing, maintaining and continually improving a PIMS as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013.  ISO 27701 outlines a framework for personally identifiable information (PII) controllers and PII processors to manage privacy controls so that the risk to individual privacy rights is reduced.

Whilst naturally influenced by the release of the GDPR, ISO 27701 is unique in that it has been designed to provide a framework on how organisations should manage personal information and demonstrate compliance, irrespective of which local privacy regime applies, including the GDPR.

Benefits of implementing and certifying against ISO 27701:2019

You will be able to:

  • Utilise and maximise your existing ISO 27001 ISMS as part of a privacy compliance framework.  In the process, you can reduce complexity by integrating your approach to information security and data protection, negating the need to develop separate information security and privacy management systems.
  • Reduce the complexity of maintaining compliance with regulations from multiple jurisdictions around the world.  Annex D of ISO 27701, for example, maps against the GDPR and shows how complying with the requirements and controls of the Standard can help meet the obligations of the Regulation.  Other annexes map to the privacy framework and principles defined in ISO/IEC 29100:2020 as well as ISO/IEC 27018:2019 and ISO/IEC 29151:2017.
  • By implementing ISO 27701, you will automatically generate documentary evidence of how you process PII.  This evidence can be used to demonstrate to senior management, key stakeholders and business partners that you have taken steps to implement appropriate technical and organisational measures to reduce risks and protect PII, as required by the GDPR and other international regulations and laws.
  • Address your information security and privacy risks and reduce the time responding to client-requested and contractually required audits.  A notable feature of ISO 27701 is its versatility, and it is written in such a way that it can be used by organisations of all sizes and from all sectors.  The Standard provides clear guidance and differentiates between controllers and processors so, whatever your status, you will receive the appropriate advice and guidance in protecting your PII.
  • Demonstrate your commitment to protecting client and stakeholder personal data. PIMS certification can help you to build trust with customers, partners and the wider public.
  • Benchmark and continually improve your management of personal data against recognised best practice.
  • Protect your reputation and minimise adverse publicity.
  • Gain competitive advantage when seeking and retaining business.

How do I achieve certification to ISO 27701?

If your organisation has already achieved certification to ISO 27001, you should find it relatively straightforward to extend your security efforts to include your processing of PII. ISO 27701 has been designed to be used by both data controllers and data processors alike. If your organisation has not implemented an ISMS, you can implement ISO 27001 and ISO 27701 simultaneously as a single project, however, ISO 27701 cannot be implemented as a standalone management system standard.

Does your organisation fully comply with the General Data Protection Regulation (GDPR)?

If uncertain, URM is able to conduct a high-level GDPR gap analysis which will assist you understand your current levels of compliance and identify gaps and vulnerabilities.
Thumbnail of the Blog Illustration
Data Protection
Published on
Analysis of Fines Imposed by the Information Commissioner’s Office in 2022

When looking to comply with the General Data Protection Regulation (GDPR), it is always a worthwhile exercise....

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Conducting Data Transfer Impact Assessments (DTIAs)

URM answers key questions around data transfer impact assessments (DTIAs), providing detailed guidance on the best practice approach to conducting them.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Transferring Personal Data Outside of the EEA

This blog looks at a very specific area of the GDPR - Article 28 and data transfer outside of the EEA.

Read more
Informative webinar. Thank you!
Webinar 'GDPR - Back to Basics'
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.