The European Union’s General Data Protection Regulation (GDPR) went into effect May 2018, and in spite of that, there is still no certification standard for it. In August 2019, Corporate Compliance Insights published Coalfire’s David Forman’s musings over the possible implications of the newly published Extension to ISO/IEC 27701:2019. His thoughts were set on the privacy extension pertaining to and supporting the GDPR.
Forman and others have noted that the previous ISO 27001 was more comparable to the SOC reporting suite. With the new version’s European flair, it seems set to become the GDPR certification standard to help businesses. It should assist in developing better systems to achieve GDPR compliance, validation, and stronger marketing value.
What Does the Extension to ISO/IEC 27701:2019 Involve?
In August 2019, the International Organization for Standardization (ISO) published the new ISO/IEC 27701:2019, or ISO 27701. The latest standard—and the first international privacy standard—arrived five months ahead of schedule and outlines the requirements necessary for implementing an organizational program entitled Privacy Information Management System (PIMS). The purpose of PIMS is for it to govern the safe handling of personally identifiable information (PII).
Industry Insiders See ISO 27701 as the Future GDPR Certification Standard – With Good Reason
The latest iteration of ISO 27701 is the first of its kind—an ISO standard intended to reference external frameworks of publications—was not developed by the ISO. The ISO 27701 was a special case and the external reference here was the EU’s GDPR. Take a good look at the recent history of data compromises. There is an ongoing and uncertain state of data privacy, global privacy regulation, enforcement and finally, this current development and passage of ISO 27701. It isn’t a stretch to imagine that it may become the certification path for GDPR heading toward its second full year of enforcement.
Since news broke of the impending May 2018 enforcement deadline for GDPR, businesses have worried about the potentially catastrophic ramifications of incurring a single violation. The worry was for good reason.
As the GDPR enforcement deadline came and passed, several multinational corporations have fallen into the netting. Violations from businesses like Marriott, British Airways, Google and Facebook have received strikes for each organization’s perceived mishandling and negligence toward the security of PII. In these cases, Google and Facebook received warnings while Marriott and British Airways did, in fact, get penalized with stiff fines. In fairness, there has been some question as to the validity of the early blockbuster claims. Some wonder if these organizations were not targeted. Perhaps they were made examples to demonstrate the ability and the will to enforce the standard for any entity caught out of full compliance with GDPR.
Many businesses could benefit from a certification standard to help achieve, maintain and prove GDPR compliance, and ultimately avoid such heavy consequences that threaten the stability of their business. Additionally, utilizing the ISO 27701 as the certification mechanism could greatly reduce risk to the privacy rights of individuals and the organization. This is the primary reason for the development and global deployment of the GDPR, since it is designed to enhance any existing Information Security Management System.
The new standard is also an excellent way of demonstrating to everyone involved—customers, external stakeholders, and internal stakeholders—that effective systems are in place. It is a strong signal of readiness for facilitating and supporting GDPR compliance and other related privacy legislation.
Can Organizations Get GDPR Certified Through ISO 27701 Yet?
Organizations of all sizes and locations may clamor to become certified in ISO 27701 to achieve and prove GDPR compliance. However, they will either need to hold an existing ISO 27001 certification or combine ISO 27001 and ISO 27701 for a single implementation audit. Again, ISO 27701 makes sense as a GDPR support since it serves as a natural expansion of the guidance and requirements established and set out in ISO 27001.
What Are the Most Important Benefits of the ISO 27701 Extension?
The privacy extension of ISO/IEC 27701 to ISO/IEC 27001 for Information Security Management and ISO/IEC for Security Controls provides an international management system standard. It comes with guidance on the protection of privacy. This includes the way that organizations should manage personal data and assists in demonstrating compliance with privacy regulations all over the world.
The benefits of ISO/IEC 27701 continue and include the following:
- Facilitates effective business agreements.
- Builds trust and confidence in managing personal information.
- Defines and clarifies roles and responsibilities.
- Provides transparency for customers and stakeholders.
- Supports and certifies compliance with various privacy regulations.
- Reduces complexity as it integrates the latest information security standard ISO/IEC 27001.
Are You Ready to Adopt a Strategy for Stronger GDPR Compliance with ISO 27701?
If you are ready to tighten up your GDPR compliance, our team at I.S. Partners, LLC believes that the Extension to ISO/IEC 27701:2019 can help. Combining ISO 27001 and 27701 is an effective solution to improved GDPR confidence and compliance. This is because there is so much overlap in system and technical requirements between an information security system and a privacy information management system.
Do you still have questions? Call us at 215-675-1400, send us a message, or request a quote. Our experienced team can help you understand the new standard and how it can help with your crucial GDPR compliance strategy.
