Data protection and ISO 27701 certification 

Since the GDPR came into force in 2018, many things have changed in data protection. Additional requirements for companies apply. Non-compliance can result in sales-related penalties in the millions. Most recently, therefore, the need to introduce a separate data protection certification became very high in expert circles.

ISO certification can help ensure that companies comply with relevant data protection regulations. Now, companies are to obtain ISO 27701 certification in data protection and thus demonstrate the highest level of data security.

But has this been achieved? What does ISO say about data protection? And how exactly does ISO 27701 certification work? – We answer these and other questions in this article.

The most important facts at a glance 

• ISO certification is intended to be used as evidence to demonstrate that personal data is processed in compliance with the GDPR. 
• ISO 27701 complements ISO 27001 and 27002, particularly concerning management systems and data processing. 
• Certification is beneficial if an ISMS system is already in place and only needs to be supplemented.
• The most crucial advantage of such a certification is that it allows companies to meet EU legal requirements and an internationally recognized certification. 

Why data protection certification?

The topic of data protection has taken on a much more significant role than ever before. Therefore, the desire for a specific data protection certification has been expressed by many parties.

This certification should take into account the regulations of the GDPR and make it easier for companies to integrate legally compliant data protection management into their business processes. ISO 27701 is intended to fulfill this wish as a corresponding certification.

Good to know: Such certification is also explicitly provided for in Art. 42 of the GDPR. 

What is the difference between ISO and ISMS? 

ISO certification is a standard that is intended to demonstrate compliance with regulations in the area of data protection, among other things. Thus, ISO 27701 complements an information security management system (ISMS for short).

Many companies that already use an ISMS only need to integrate the ISO requirements into their existing system and expand the processes. For example, the obligation to report security and data protection incidents defined by the GDPR can be integrated into the ISO processes and handled automatically. The sophisticated ISO system also enables more efficient processing records.

What is ISO? 

ISO is the abbreviation for International Organization for Standardization, which has set itself the task of establishing uniform standards for products and services worldwide.

It is thus the international counterpart to the German Institute for Standardization (DIN), representing Germany at ISO. Since its foundation in 1947, the Swiss organization has already published 24,000 standards in all areas of life.

For companies affected by data protection, the ISO standards from the 2700 series are particularly relevant. The 27xxx standards relate to information security and data protection. The leading standard and basis is always ISO 27001. In addition, several other ISO standards supplement or concretize ISO 27001 and provide industry-specific in-depth information.

Essential for the ISO standards are so-called management systems. These are described in DIN EN ISO EC 27000 chapter 3.2.5 as follows:

Important: A management system must be thought of and established in the organization for the long term. It requires continuous improvement, development, and control for the system to function in terms of ISO certification.

What is the difference between ISO and GDPR?

The GDPR is a regulation of the European Union (EU), which obliges all companies and authorities within the member states to comply with data protection law requirements. It is, therefore, a legal standardization that is not dispositive but mandatory to comply with.

On the other hand, the international ISO standard involves voluntary regulations for companies. They are guidelines, compliance with which can be certified, but the companies are not obliged by the state to comply with them. The situation is different if a company contractually commits to compliance, for example, with another contractual partner or in the case of certification.

In plain language: ISO standards only become legally binding when laws or regulations cite them or refer to them, and they thus become the content of the law.

But ISO standards are often used as a so-called “anticipated expert opinion” in court proceedings. It speaks for the company if it operates and complies with them.

What is ISO 27701 certification? 

ISO 27701 is a certificate for data protection management. It extends the internationally recognized standard regarding data protection and information security. The regulations are intended to ensure GDPR-compliant processing of personal data. Therefore, the focus is also on systematic requirements for data protection management systems that have information security as their object.

Certification with ISO 27701 requires that 27001 (Information Security Management System) requirements are met. In addition to ISO 27001, the new ISO standard also includes extensions to ISO 27002, which contains guidance on implementing the former.

ISO 27701 contains guidance on the following points:

• Enhancements to data protection
• Appointment and designation of persons responsible for the “Privacy Information Management System” (PIMS)
• Data protection training for employees
• Logging of accesses and changes to data or those authorized to access data
• Encryption of particularly sensitive personal data
• Incorporation of the “Privacy by Design” principle
• Review of data protection incidents

In terms of content, ISO 27701 thus establishes the link between data protection measures and information security by laying down rules for setting up, implementing, and improving the management of information on data protection. These systems are then verified and certified by certification bodies accredited by the DakkS (German Accreditation Body).

What are the benefits of ISO 27701 certification? 

To meet all legal and operational data protection requirements, it is now essential for companies to establish and operate a solid data protection management system.

As part of the ISMS standards, ISO 27701 certification contributes significantly to a proven high level of information security. This offers companies the advantage of integrating a comprehensive and secure management system for information security and data protection into their operations.

The following aspects of ISO 27701 certification are particularly noteworthy:

• Meeting the ISO standard as an international standard strengthens confidence in the company’s data protection. It is an internationally recognized proof of compliance with data protection regulations – not only in the European Union (EU).
• Once certified, it helps companies comply with the GDPR in the long term.
• ISO 27701 certification can also facilitate proof of GDPR-compliant data processing, simplifying contract negotiations, as no individual regulations are necessary.
• Certification clarifies responsibilities and accountabilities. It provides transparent criteria and regulations for all parties involved.
• It creates a link between ISMS and data protection management systems.

Data protection according to ISO 27701 

ISO 27701 has the same structure as ISO 27001 and extends it by implementing a management system for data protection. The standard adds data protection aspects to the guidelines and thus represents an extension of the existing ISMS in data protection management. 

In contrast to other ISO standards, ISO 27701 does not focus on information security but on protecting personal data and data subjects. The existing ISMS must therefore be expanded and supplemented to include protecting the affected groups of people.

On the one hand, data protection and information security are intertwined, but on the other hand, there must also be room for measures that exclusively serve data protection.

The most significant additions within ISO 27701 are summarized below.

Handling data protection incidents according to ISO 27701

ISO 27701 makes extended specifications for handling data protection incidents, which were previously regulated in ISO 27001 and ISO 27002.

• First, ISO 27701 requires that organizations designate clear responsible parties for identifying and documenting data protection breaches.
• Likewise, responsibilities and procedures regarding the notification of data subjects and the relevant authorities are defined, considering legal regulations.
• At the same time, it is necessary to review all internal processes and security incidents for data protection breaches and develop a reaction plan that is activated immediately when such a breach occurs.
• These plans and systems must also subsequently be incorporated into every contract with customers (i.e., potentially affected parties) and all other contractors so that all company actions participate in and are monitored against these plans.
• Companies should integrate these ISO 27701 regulations into their existing ISMS. The best way to do this is first to take a close look at the regulations on emergency prophylaxis and emergency management and, if necessary, add to them at the appropriate point.
• It should also be checked whether an IT security concept already exists in the company and whether processes should supplement it for response and reporting obligations. Not only should internal incidents be considered here, but also the effects of cyber attacks.

Data protection: Requirements for data subjects’ rights by ISO 27701

Data protection serves in particular to protect the data subjects. In addition to customers, this often includes suppliers, contractual partners, and employees. ISO 27701 stipulates that every company must specify exactly who the interested parties are (i.e., the parties that become relevant in the context of data protection). This includes the data subjects, the relevant supervisory authorities, etc.

The following should be noted:

• If possible, the data subjects should be named as precisely as possible.
• Here, too, it must be determined who is responsible for the data subjects’ rights (PII officer).
• On the one hand, the responsible parties must ensure that data subjects are adequately informed about the processing of their data and that they comply with all legal requirements.
• The Company or the Processor (PII Processor), on the other hand, is obliged to ensure that all legal, regulatory, and business obligations are taken into account and that the information about them gets communicated to the affected parties.
• In addition, all processing of personal data must be documented and mechanisms provided so that changes and revocations of consent to data processing can be processed.

How to achieve these goals is explained and listed in detail in ISO 27701.

ISO 27701: Rules on processing records 

Processing records are used to determine whether and which personal data are processed and to document these operations to protect the data adequately.

The regulations aim for data controllers to document and verify that data processing is legally legitimate and for clearly defined purposes. It is recommended to use the processing records according to Art. 30 GDPR for this purpose.

In addition, data controllers must define the measures they will take to meet this objective and create a list showing which data will be processed, how and for what purpose, and which actions will protect it.

Data protection impact assessments according to ISO 27701

As in the GDPR, data protection impact assessments are also mentioned in ISO 27701. In this context, ISO 27701 stipulates that companies must appoint someone internally responsible for the control and data protection measures. The GDPR designates these as “data privacy officers” who can take on monitoring and consulting activities and provide information about executed data protection impact assessments.

We have written a separate article on the scope of duties of data protection officers.

According to ISO 27701, the company must check which processing operations require a data protection impact assessment and then carry this out. This is particularly the case for specific categories of personal data, for example, if the processing of personal data involves an exceptionally high risk for the data subjects or because large volumes of data are being processed or systematic processing is to take place.

Regarding guidance on privacy impact assessments, reference is made to ISO/IEC 29134.

Is ISO 27701 the long-awaited GDPR certificate?

Companies still long for a certificate with which they can safely comply with all the regulations of the GDPR. The requirements for such a certification are explicitly regulated in Art. 43 GDPR.

An accreditation by certification bodies in the sense of ISO 17065 is required, but this is focused on the certification of products and processes. However, the new ISO 27701 and the basic standard ISO 27001 focus on the data protection management system and its requirements.

Strictly speaking, ISO 27701 does not comply with the GDPR’s provisions and, therefore, cannot be described as a certification in the sense of the GDPR.

This is due to the wording within the GDPR since management systems are also basically processes or function in a process-oriented manner. A GDPR certification based on ISO 27701 is therefore quite conceivable. It is also possible that ISO 27701 certification can be invoked as a standard to prove that personal data processes comply with the GDPR.

Fazit

Companies can use ISO 27701 certification to demonstrate on an international level that they meet a high-security standard. This strengthens the company’s competitiveness, simplifies contract negotiations with trading partners, and increases the trust of potential customers.

In terms of content, ISO 27701 is similar to the requirements of the GDPR on closer inspection. It is, therefore, easy for most companies to integrate into their ISMS system, primarily if this already exists according to ISO 27001.

Unfortunately, ISO 27701 certification does not directly satisfy the requirements for GDPR compliance, so it does not automatically provide comprehensive GDPR certification. Nevertheless, the certificate can be used well as proof of legally compliant data processing.