Appropriate technical and organisational security measures are required as part of data protection compliance under the GDPR (Article 32) and the Data Protection Act 2018. In practice this means implementing and maintaining a structured information security programme rather than a collection of ad hoc controls.
In terms of information security, the internationally recognised ‘gold standard’ certification is ISO/IEC 27001 (referred to here as ISO 27001). Among other detailed and stringent obligations, certification requires the organisation to establish an Information Security Management System (ISMS): a documented set of policies, processes and controls which sets out the obligations the business places both on itself and on its staff in respect of information security.
Until recently there was no equivalent certification focused on privacy management and data protection compliance. ISO/IEC 27701, published in August 2019, fills this gap by providing a certifiable framework for managing personal data. Note that certification is against the standard itself: ISO 27701 is not an approved certification mechanism under Article 42 of the GDPR, so it evidences a structured approach to data protection rather than proving compliance with the GDPR as such.
ISO 27701 operates as an extension of ISO 27001 (and of the ISO 27002 control guidance), adding privacy-specific requirements and controls to the existing security framework. Key among the additional obligations is a requirement to develop, implement and maintain a Privacy Information Management System (PIMS).
The PIMS must deal with privacy management as a whole and sets out separate control sets for organisations acting as controllers and as processors of personal data. The standard is written to be jurisdiction-neutral, with an informative annex mapping its controls to the articles of the GDPR. The standard envisages the PIMS sitting alongside the existing ISMS (produced for ISO 27001 certification), so a complete overhaul of an existing ISO 27001 compliant system should not be required; the scope, risk assessment and policies of the ISMS are extended to cover personal data rather than rebuilt.
What are the benefits?
There are a number of benefits to obtaining ISO 27701 certification, including:
- the certification can be cited to clients, customers, suppliers or partners when they ask about data protection compliance
- it provides Data Protection Officers with a framework to work within, giving structure to data protection compliance processes
- the certification can be actively worked towards in conjunction with ISO 27001, reusing the same management system and audit cycle.
Furthermore, Article 46(2)(f) of the GDPR lists an approved certification mechanism under Article 42, together with binding and enforceable commitments by the recipient, as a possible ‘appropriate safeguard’ for transfers of personal data outside the EEA. Should the UK become a ‘third country’ for data transfer purposes, a supervisory authority such as the ICO could potentially approve ISO 27701 certification on this basis. No such approval exists as at the date of this article, so the certification should not currently be relied upon as a transfer mechanism.
How to get ISO 27701 certified
ISO 27701 has been designed as an extension of ISO 27001 and cannot be certified on its own: the PIMS is assessed alongside an ISO 27001 ISMS, so an existing ISO 27001 certification is required. If your business does not already hold ISO 27001 certification, it may be beneficial to work towards both certifications simultaneously, scoping the ISMS and PIMS together from the outset. For more information please visit: www.iso.org
This article is from the December 2019 issue of Upload, our newsletter for professionals with an interest in technology.
The content of this article is for general information only. It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at December 2019.