The General Data Protection Regulation (GDPR) may have come into force in 2018, but 2019 was the year it dominated. Last year we saw companies put more effort not only into achieving GDPR compliance but into actively maintaining it. This is harder than it might seem, as a single mistake can result in a data breach. 2019 also saw the first of the ICO fines for non-compliance with the Data Protection Act 2018, which incorporates GDPR into British law.
ISO launches ISO 27701 for privacy
To give organisations a guiding hand, ISO launched ISO 27701, an extension to the world-renowned information security standard ISO 27001. The new extension specifies the requirements for a Privacy Information Management System (PIMS) and gives guidance to PII (Personally Identifiable Information) controllers and processors who hold responsibility and accountability for PII processing.
Is ISO 27701 worth implementing?
The important thing here is that ISO 27701 is an extension to ISO 27001. It is not something you can implement on its own, and you cannot be certified against ISO 27701 unless you also hold ISO 27001 certification; the two are assessed together, with the PIMS built on top of the existing ISMS.
A lot of what ISO 27701 specifies is good practice, but I'm not seeing a big demand to implement it amongst clients. The reason is largely that, outside of HR, they don't process an awful lot of personal data. They are simply not seeing any commercial advantage in adopting the new extension on top of their ISO 27001 certification.
ISO 27018 also protects PII
In addition to the commercial considerations, there is also confusion, as ISO already had ISO 27018, which is also about protecting PII, but specifically PII processed in the public cloud. The other differentiating feature of ISO 27018 is that it is aimed at cloud service providers looking to gain an advantage over their competitors. A provider whose infrastructure is certified to ISO 27018 sends a message to existing and potential customers that their data is safeguarded and won't be used for any purpose to which they have not specifically consented.
Here in Britain we also have BS 10012, the BSI standard for a Personal Information Management System, which you can implement and be certified against. It is similar to ISO 27701 but does not require ISO 27001, although it fits in well with it.
Coming back to the original question: ISO 27701, will it be the new certification trend for GDPR? I think it will, but only for organisations that process a significant amount of PII. Other organisations may adopt parts of it, but once they hold ISO 27001 certification there isn't a significant commercial driver to incentivise full ISO 27701 adoption and certification.