ISO 27701:2019 and the GDPR

25 Jul

The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both require organisations to protect and ensure the privacy of any personal data which they process.  However, neither the GDPR nor the DPA provide much guidance on what measures organisations should take to safeguard the privacy of that data.  This is where ISO/IEC 27701:2019 (ISO 27701) fits in, by providing you with a best practice framework to implement a privacy information management system (PIMS) and improve your data protection/data privacy capabilities.

The Standard, which was published in August 2019, provides the requirements and guidance for establishing, implementing, maintaining and continually improving a PIMS as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013.  ISO 27701 outlines a framework for personally identifiable information (PII) controllers and PII processors to manage privacy controls so that the risk to individual privacy rights is reduced.

Whilst naturally influenced by the release of the GDPR, ISO 27701 is unique in that it has been designed to provide a framework on how organisations should manage personal information and demonstrate compliance, irrespective of which local privacy regime applies, including the GDPR.

Benefits of implementing and certifying against ISO 27701:2019

You will be able to:

  • Utilise and maximise your existing ISO 27001 ISMS as part of a privacy compliance framework.  In the process, you can reduce complexity by integrating your approach to information security and data protection, negating the need to develop separate information security and privacy management systems.
  • Reduce the complexity of maintaining compliance with regulations from multiple jurisdictions around the world.  Annex D of ISO 27701, for example, maps against the GDPR and shows how complying with the requirements and controls of the Standard can help meet the obligations of the Regulation.  Other annexes map to the privacy framework and principles defined in ISO/IEC 29100:2020 as well as ISO/IEC 27018:2019 and ISO/IEC 29151:2017.
  • By implementing ISO 27701, you will automatically generate documentary evidence of how you process PII.  This evidence can be used to demonstrate to senior management, key stakeholders and business partners that you have taken steps to implement appropriate technical and organisational measures to reduce risks and protect PII, as required by the GDPR and other international regulations and laws.
  • Address your information security and privacy risks and reduce the time responding to client-requested and contractually required audits.  A notable feature of ISO 27701 is its versatility, and it is written in such a way that it can be used by organisations of all sizes and from all sectors.  The Standard provides clear guidance and differentiates between controllers and processors so, whatever your status, you will receive the appropriate advice and guidance in protecting your PII.
  • Demonstrate your commitment to protecting client and stakeholder personal data. PIMS certification can help you to build trust with customers, partners and the wider public.
  • Benchmark and continually improve your management of personal data against recognised best practice.
  • Protect your reputation and minimise adverse publicity.
  • Gain competitive advantage when seeking and retaining business.

How do I achieve certification to ISO 27701?

If your organisation has already achieved certification to ISO 27001, you should find it relatively straightforward to extend your security efforts to include your processing of PII. ISO 27701 has been designed to be used by both data controllers and data processors alike. If your organisation has not implemented an ISMS, you can implement ISO 27001 and ISO 27701 simultaneously as a single project, however, ISO 27701 cannot be implemented as a standalone management system standard.

Gain a sound grounding and practical interpretation of the GDPR and the DPA 2018!

By attending URM’s online BCS Foundation Certificate in Data Protection course, you will gain valuable insights into the key aspects of current DP legislation including rights of data subjects and data controller obligations.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Thumbnail of the Blog Illustration
Data Protection
Published on
UK International Data Transfer Agreement

DTA and the UK Addendum to the current European Commission’s SCCs re the next steps in providing a transfer tool for complying with the UK GDPR.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
Data Transfer Risk Assessment

We are focussing on transfer risk assessments (TRAs), commencing with the background that led to their introduction and then addressing the five questions.

Read more
Thumbnail of the Blog Illustration
Data Protection
Published on
In-house Resource vs Virtual DPO

This blog takes a look at DPOs and considers when to look in-house and when a virtual, external resource or hybrid resource may be a better option.

Read more
We cannot thank URM enough for their help in ensuring our business is GDPR compliant. Both the gap analysis conducted and the in-depth assistance with the ROPA were made much easier and understandable with URM’s help. I would like to give particular thanks to URM's Consultant for providing us with the best guidance and making a famously complex topic comprehensive, and to our Account Manager for helping make sure all our needs were covered.
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.