ISO 27701 and GDPR Compliance: What You Need to Know
Can ISO 27701 guarantee GDPR compliance? ISO 27701 can position any organization well for future GDPR compliance. While one is a management system and the other is technically a legal framework, ISO 27701 helps to create a path on your journey to GDPR.
In 2019, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) introduced ISO/IEC 27701:2019 (more commonly referred to as ISO 27701). This was done to provide organisations with an additional component to stack on top of ISO/IEC 27001:2013 (referred to as ISO 27001). But the availability of the combined adoption of ISO 27001 and 27701 raised a lot of questions in the privacy community. The biggest question: will the combination of ISO 27001 and ISO 27701 equate to GDPR compliance?
In short, the answer is “no,” but it can help you along the way toward GDPR compliance. ISO 27001 and ISO 27701 together offer a way for organisations to bolster information security management systems and become certified in a privacy standard. And though they are a solid foundation for organisations working on fulfilling GDPR requirements, ISO 27001 and ISO 27701 don’t cover all aspects of the GDPR.
What are ISO 27001 and ISO 27701?
ISO 27001 is a longstanding cybersecurity framework that is used to build an information security management system (ISMS) within an organisation. The security standard was published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and revised in 2013; its expansion, ISO 27701, was published in 2019.
ISO 27701 was created as an additional component to complement ISO 27001 that introduced more privacy-specific controls. With ISO 27701, organisations can create a Privacy Information Management System (PIMS) and become certified in certain privacy practices. ISO 27701 was created in large part to provide guidance for complying with privacy regulations being introduced across the world, such as the GDPR (General Data Protection Regulation) and the CCPA (the California Consumer Privacy Act).
However, ISO 27701 is not a standalone standard. Rather, the original ISO 27001 information security management system standard serves as a foundational chassis, and organisations can add on additional standards, such as ISO 27701, that work well for the specifics of their business. By combining ISO 27701 and ISO 27001, organisations can build trust, prepare for privacy regulations, and more. In addition, many of the elements of ISO 27701 map directly back to aspects of the GDPR.
What is GDPR?
GDPR is a privacy and security regulation that was put into effect worldwide in May 2018. It imposes privacy and security standards on organisations anywhere in the world that intentionally target and process personal data of individuals located in the European Union.
GDPR repealed and replaced the former Data Protection Directive (Directive 95/46/EC) and is based on the key principles outlined below:
- Lawfulness, Fairness and Transparency: Data is obtained lawfully, under valid grounds, and not in violation of any other laws. Organisations must be open and honest with individuals about how they plan to use their data, and it cannot be used in a way that is detrimental or misleading to any individuals.
- Purpose Limitation: Data is collected for a specific and legitimate purpose.
- Data Minimisation: Organisations should not collect more personal information than they need from data subjects.
- Accuracy: Every reasonable step must be taken to erase or rectify data that is inaccurate or incomplete. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days. Note that this time period can be extended to 60 days if the controller provides notice to the data subject, or if the request is cumbersome.
- Storage Limitation: Data is kept only as long as necessary for the purpose for which it is processed.
- Integrity and Confidentiality (Security): Appropriate security measures must be in place to ensure information isn’t accessed by hackers or accidentally breached.
- Accountability: Controllers and processors of the data can demonstrate compliance with all of the principles above. This specific principle is new to EU data protection standards.
How does ISO 27701 relate to GDPR compliance?
Knowing what we know of ISO 27701 and the GDPR, it’s easy to see how ISO 27701 certification could be mistaken for GDPR compliance, especially when you consider how closely the controls tie back to the articles of GDPR.
The difference, however, is that ISO 27701 is a management system and not a regulation. A management system is essentially an outline for an organisation, and it falls on the organisation to follow and adapt the system in a way that makes sense. Management systems are intentionally vague and can’t be used interchangeably with a regulation like the GDPR. By achieving ISO 27701 certification, organisations can cover a lot of pieces from GDPR, but it’s impossible to fully correlate a standard and a regulation. Notably, regulations that apply to the organisation are listed throughout the audit.
Another fundamental difference between GDPR and ISO 27701 is the ability to carve out your ISO 27701 scope to certain aspects of your business. You can apply ISO 27701’s management system to a particular department or service, for example, the software you provide to clients.
While ISO 27701 does not equal GDPR compliance, it’s a good start.
ISO 27701 helps organizations start the GDPR journey
Once the management system is in place throughout your organisation, it’s possible to expand on that management system to achieve GDPR compliance — with the proper advisory and consulting services.
For organisations seeking an internationally recognised framework, the ISO standards can provide a certification that is scalable to your needs. And in the absence of an official certification for GDPR (which is not yet available), ISO certification can demonstrate your organisation’s commitment to privacy and the maturity of your privacy posture.
With our experience in assessing organisations’ cybersecurity, compliance, and privacy, A-LIGN can provide your organisation with the experience and guidance needed to achieve an ISO certification.