Since the GDPR came into force in 2018, a great deal has changed in data protection. Companies face additional requirements, and non-compliance can result in fines in the millions, calculated on the basis of turnover. As a result, calls for a dedicated data protection certification have grown loud in expert circles.
An ISO certification can help companies demonstrate that they comply with the relevant data protection regulations. Companies can now obtain ISO 27701 certification for data protection and thereby demonstrate a high level of data security.
But has this goal actually been achieved? What does ISO say about data protection? And how exactly does ISO 27701 certification work? We answer these and other questions in this article.
The topic of data protection has taken on a much more significant role than ever before. Therefore, the desire for a specific data protection certification has been expressed by many parties.
This certification should take into account the regulations of the GDPR and make it easier for companies to integrate legally compliant data protection management into their business processes. ISO 27701 is intended to fulfill this wish as a corresponding certification.
Good to know: Such certification is also explicitly provided for in Art. 42 of the GDPR.
ISO 27701 is a standard intended to demonstrate, among other things, compliance with regulations in the area of data protection. It complements an information security management system (ISMS for short).
Many companies that already operate an ISMS only need to integrate the ISO 27701 requirements into their existing system and extend their processes accordingly. For example, the obligation to report security and data protection incidents defined by the GDPR can be built into the existing ISO processes and handled as a routine workflow. A well-structured ISO system also makes maintaining the records of processing activities more efficient.
ISO is the abbreviation for International Organization for Standardization, which has set itself the task of establishing uniform standards for products and services worldwide.
It is thus the international counterpart to the German Institute for Standardization (DIN), representing Germany at ISO. Since its foundation in 1947, the Swiss organization has already published 24,000 standards in all areas of life.
For companies subject to data protection law, the ISO standards of the 27000 series are particularly relevant. The 27xxx standards cover information security and data protection. The leading standard and basis is always ISO 27001. Several other ISO standards supplement or concretize ISO 27001 and provide industry-specific detail.
Essential to the ISO standards are so-called management systems. These are described in DIN EN ISO/IEC 27000, chapter 3.2.5, as follows:
“A management system uses a framework of resources to achieve an organization’s objectives. The management system includes organizational structures, guidelines, planning activities, responsibilities, methods, procedures, processes, and resources.
For information security, a management system enables an organization to:
a) meet the security requirements of customers and other stakeholders;
b) improve its planning and operations;
c) meet its information security objectives;
d) comply with regulations, laws, and industry standards; and
e) manage information assets in an organized manner that promotes continuous improvement and alignment with current organizational goals.”
Important: A management system must be designed and established in the organization for the long term. It requires continuous improvement, further development, and monitoring in order to function in the sense of ISO certification.
The GDPR is a regulation of the European Union (EU) that obliges all companies and authorities within the member states to comply with data protection law. It is therefore binding law, not an optional standard: compliance is mandatory.
The international ISO standards, on the other hand, are voluntary rules for companies. They are guidelines whose observance can be certified, but companies are not obliged by the state to follow them. The situation is different if a company commits itself contractually to compliance, for example towards a contractual partner or in the course of certification.
In plain language: ISO standards only become legally binding when laws or regulations cite or refer to them, so that they become part of the law’s content.
ISO standards are nevertheless often treated in court proceedings as a so-called “anticipated expert opinion”. Operating in compliance with them therefore counts in the company’s favor.
ISO 27701 is a certificate for data protection management. It extends the internationally recognized ISO 27001 standard with regard to data protection and information security. Its rules are intended to ensure GDPR-compliant processing of personal data. The focus is therefore on systematic requirements for a data protection management system that is built on information security.
Certification under ISO 27701 requires that the requirements of ISO 27001 (information security management system) are met. In addition to ISO 27001, the new standard also includes extensions to ISO 27002, which contains guidance on implementing ISO 27001.
ISO 27701 contains guidance on the following points:
In terms of content, ISO 27701 thus establishes the link between data protection measures and information security by laying down rules for setting up, implementing, and improving a management system for data protection. These systems are then audited and certified by certification bodies accredited by DAkkS (Deutsche Akkreditierungsstelle, the German accreditation body).
To meet all legal and operational data protection requirements, it is now essential for companies to establish and operate a solid data protection management system.
As part of the ISMS standards, ISO 27701 certification contributes significantly to a proven high level of information security. This offers companies the advantage of integrating a comprehensive and secure management system for information security and data protection into their operations.
The following aspects of ISO 27701 certification are particularly noteworthy:
ISO 27701 has the same structure as ISO 27001 and extends it with a management system for data protection. The standard adds data protection aspects to the existing guidelines and thus represents an extension of the existing ISMS into data protection management.
In contrast to the other ISO standards of the series, ISO 27701 focuses not on information security as such but on protecting personal data and the data subjects. The existing ISMS must therefore be expanded and supplemented to cover the protection of the affected groups of people.
Data protection and information security are closely intertwined, but there must also be room for measures that serve data protection alone.
The most significant additions within ISO 27701 are summarized below.
ISO 27701 makes extended specifications for handling data protection incidents, which were previously regulated in ISO 27001 and ISO 27002.
Data protection serves in particular to protect the data subjects. In addition to customers, these often include suppliers, contractual partners, and employees. ISO 27701 stipulates that every company must specify exactly who its interested parties are, i.e., the parties that become relevant in the context of data protection. These include the data subjects, the competent supervisory authorities, and others.
The following should be noted:
How to achieve these goals is explained and listed in detail in ISO 27701.
Records of processing activities are used to determine whether and which personal data are processed and to document these operations so that the data can be protected adequately.
The rules aim to have data controllers document and demonstrate that their data processing is legally legitimate and serves clearly defined purposes. It is recommended to use the records of processing activities under Art. 30 GDPR for this purpose.
In addition, data controllers must define the measures they will take to meet this objective and create a list showing which data are processed, how and for what purpose, and which measures protect them.
As in the GDPR, data protection impact assessments are also addressed in ISO 27701. In this context, ISO 27701 stipulates that companies must appoint someone internally who is responsible for monitoring and for the data protection measures. The GDPR calls this role the “data protection officer”, who can take on monitoring and advisory activities and provide information about data protection impact assessments that have been carried out.
We have written a separate article on the scope of duties of data protection officers.
According to ISO 27701, the company must check which processing operations require a data protection impact assessment and then carry it out. This is particularly the case for special categories of personal data, for example where the processing involves an exceptionally high risk for the data subjects, where large volumes of data are processed, or where systematic processing is planned.
Regarding guidance on privacy impact assessments, reference is made to ISO/IEC 29134.
Companies still want a certificate with which they can reliably demonstrate compliance with all the requirements of the GDPR. The requirements for such a certification are explicitly regulated in Art. 43 GDPR.
Art. 43 requires accreditation of certification bodies in the sense of ISO 17065, but that standard is focused on the certification of products and processes. The new ISO 27701 and its base standard ISO 27001, by contrast, focus on the data protection management system and its requirements.
Strictly speaking, ISO 27701 therefore does not meet the GDPR’s provisions and cannot be described as a certification in the sense of the GDPR.
This is a consequence of the wording of the GDPR. Since management systems are essentially processes, or at least function in a process-oriented manner, a GDPR certification based on ISO 27701 is nonetheless quite conceivable. It is also possible to invoke ISO 27701 certification as a standard for demonstrating that personal data processing complies with the GDPR.
Companies can use ISO 27701 certification to demonstrate internationally that they meet a high security standard. This strengthens the company’s competitiveness, simplifies contract negotiations with trading partners, and increases the trust of potential customers.
On closer inspection, the content of ISO 27701 is similar to the requirements of the GDPR. It is therefore easy for most companies to integrate into their ISMS, especially if one already exists according to ISO 27001.
Unfortunately, ISO 27701 certification does not directly satisfy the requirements for GDPR certification, so it does not automatically provide a comprehensive GDPR certification. Nevertheless, the certificate can serve well as evidence of legally compliant data processing.