
No matter the size of your organisation and whether it is a controller or a processor, your organisation should consider pursuing ISO 27701 certification.

The European Union’s General Data Protection Regulation (GDPR) introduced a new era of privacy regulation and compliance globally. The UK’s own Data Protection Act has been modelled on the GDPR. As a result, organisations must implement policies and procedures to demonstrate compliance with privacy regulations. At the same time, digital transformation means that the volume of personal data collected and processed is growing rapidly. The combination of growing data volumes and growing regulatory requirements makes compliance harder for organisations.

The new international standard ISO/IEC 27701, which specifies a Privacy Information Management System (PIMS), helps organisations reconcile overlapping privacy regulatory requirements. The standard defines a comprehensive set of operational controls that can be mapped to the various regulations. Once mapped, the operational controls are implemented by privacy professionals and audited by internal or third-party auditors, resulting in a certification and a body of evidence of conformity.

Compliance challenges

Certifying against ISO 27701 is an effective way to establish responsible privacy practices, both within your own organisation and among your suppliers and partners, whatever their size. ISO 27701 addresses three key compliance challenges:

  • Too many regulatory requirements to manage: reconciling multiple regulatory requirements through a single universal set of operational controls enables consistent and efficient implementation.
  • Too costly to audit regulation-by-regulation: auditors, both internal and third party, can assess compliance with several regulations against the same universal control set within a single audit cycle.
  • Promises of compliance without proof are potentially risky: commercial agreements involving the movement of personal information may require certified evidence of compliance rather than contractual assurances alone.

Too many regulatory requirements to juggle

ISO 27701 includes an annex that maps the standard’s operational controls to the relevant requirements of the GDPR for both controllers and processors. This mapping is one example of how a privacy regulation can be implemented through the ISO framework. As mappings to other regulations become available and are validated, the effort for each new regulation shifts from regulatory analysis to implementing controls the organisation already has in place. This universal framework allows organisations to manage their regulatory obligations reliably and with less duplicated effort.

Too costly to audit regulation-by-regulation

As more privacy regulations come into force in various jurisdictions, the pressure to provide evidence of compliance also increases. But the cost of disparate regulatory certifications becomes prohibitive if every regulation calls for its own unique audit. By defining a universal set of operational controls, ISO 27701 provides a single compliance framework that can be audited against, and potentially certified, for multiple regulatory requirements at once. Because ISO standards are designed to overlap and work together, a single audit cycle can also cover related ISO requirements.

An official GDPR certification requires further approval decisions by the European regulators. While the alignment between ISO 27701 and the GDPR is evident, an ISO 27701 certification should be taken as evidence supporting GDPR compliance, not as an official GDPR certification, until those regulatory decisions are finalised.

Promises of compliance without proof are potentially risky

Modern organisations engage in complex data transfers across a deep network of business partners, including joint controllers (co-controllers), processors such as cloud providers, and sub-processors such as vendors who support those processors. A compliance failure in any part of this network can cascade across the supply chain. This is where independent verification of compliance adds value beyond the assurance provided by contractual terms between these organisations. Since most of these organisations are spread around the world, an international standard from ISO is a practical basis for managing compliance across the whole network.

This reliance on partners’ compliance increases the importance of certification to the standard. Not every organisation needs to earn such certification, but most will benefit from partners and vendors who do, especially where sensitive data or high volumes of personal data are processed.

Building blocks of the standard

ISO 27701 is built on top of one of the most widely adopted international standards for information security management, ISO 27001, and is published as an extension to ISO 27001 and ISO 27002 rather than as a standalone standard: an ISO 27701 certification is issued alongside, and depends on, an ISO 27001 certification. If your organisation already operates an ISO/IEC 27001 information security management system, integrating the privacy controls of ISO 27701 into it is the logical and more efficient route, and the implementation and audit of both will be less expensive and easier to achieve than running them separately.

No matter the size of your organisation and whether it is a controller or a processor, your organisation should consider pursuing certification, either for itself or by requesting it from vendors and suppliers according to your business requirements. This applies especially to processors, sub-processors and joint controllers that process sensitive or high volumes of personal data. In any case, your organisation should assess its business needs to determine whether certification of its own products and services is appropriate.