Data protection certification according to ISO 27701

Information security and data protection are important topics that every company has to deal with nowadays. The demand for data protection certification under the GDPR is on the rise. While information security is already very comprehensively covered by ISO 27001/27002, there was still a need to catch up when it came to data protection. This is where ISO 27701 comes in and it seems that this new ISO will be the solution to the problem. But is that really the case?

What is ISO 27701?

The rules for the new ISO 27701 were published in August 2019. The official name is "Security techniques - Extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidance." This is not a standalone standard, but merely an extension of ISO 27001 and ISO 27002 to include data protection aspects. In addition, ISO 27701 contains supplements to ISO 27002, the guidance for implementing the measures in Annex A of ISO 27001. It is not a replacement and cannot be purchased alone; certification is only possible together with ISO 27001.

ISO 27001 is concerned with the certification of an ISMS. Thus, the focus is on the operation of an information security management system. Rules, procedures, measures and tools are defined to ensure information security in the system. ISO 27701 extends the ISMS to include the aspect of data protection. Sometimes it is also referred to as PIMS (Privacy Information Management System). This means that the existing system is to be made fit for handling personal data. Want to learn more about ISO 27001? Click here to see the article.

In terms of content, ISO 27701 specifies how data protection and information security measures are to be linked in order to achieve the establishment, implementation, maintenance and continuous improvement of a Privacy Information Management System (PIMS). The new privacy standard therefore refers to "information security and privacy" instead of "information security." There are also additions to the content. For example, when considering the context of the organization, the inclusion of relevant data protection laws and court decisions is required. Likewise, the risk assessment must take into account criteria for the processing of personal data as well as the protection of data subjects and a possible data protection impact assessment.

The ISO 27701 standard also includes information on data protection management, such as:

• Expanding the guide and policies to include aspects of data protection.
• Appointment of a responsible person (data protection officer) in the company for the data protection information management system.
• Data protection training for employees
• Registration of accesses and changes
• Encryption, for example of special categories of personal data such as health data
• Consideration of "Privacy by Design
• Review of data protection violations

How does a ISO 27701 certification work?

Due to the close proximity to ISO 27001 in terms of content, the introduction of ISO 27701 in the company does not usually mean a great deal of additional work. During implementation, it is usually possible to fall back on guidelines, processes and documentation that already exist in the company. In principle it can be said that ISO 27701 merely reproduces and restructures the contents of the GDPR.

In Germany, certification by Dekra or DQS is possible. In Austria, CIS and TÜV are one of the first internationally accredited providers to offer the certificate for data protection management according to ISO 27701 - as an add-on to ISO 27001. The prerequisite for this is that the system is already certified according to ISO 27001.

Why does a certification according to ISO 27701 make sense?

The General Data Protection Regulation does not explicitly require certification. What ultimately counts is proof of how carefully the company actually handles the requirements of data protection. However, ISO 27701 certification can achieve a high level of legal certainty if the system is lived.

Benefits include:

• Definition of roles and responsibilities in data protection
• Compliance with data protection regulations
• Transparency in data management
• Reducing the risk of data breaches
• Increasing the trust of customers, business partners, and regulators
• Proof of implementation of data protection measures in the event of problems with the data protection authority

In addition, the certificate can show that the issue of data protection is considered important. This gives customers and partners the assurance that their data will be handled correctly and securely.

Is a company with a ISO 27701 certification automatically GDPR compliant?

A closer look at Article 43 of the GDPR shows that data protection certificates are only possible on the basis of ISO 17065 (certification of products and processes). The European Data Protection Board has confirmed this in its guidelines on this topic (Guidelines 1/2018 and Guidelines 4/2018). Certification of systems is thus excluded.

Furthermore, ISO certification cannot be used to determine which areas in a company are actually certified. This is contrary to the requirements for data protection certifications in Article 42 GDPR.

Therefore, ISO 27701 certification is equivalent to the entire company being GDPR compliant. However, it can be a first basis for a later GDPR audit, as it covers the most important requirements for the processing of personal data.

Are you concerned about protecting your customers' data? Contact us and we will help you find a secure GDPR compliant solution!