ISO 27701 Offers Data Processors a Roadmap to GDPR ‘Sufficient Guarantees’

November 3, 2017

If your company processes personal data of EU citizens, you need to be in compliance with the General Data Protection Regulation (GDPR).

Will you be prepared to offer “sufficient guarantees” to your customers that collect that personal data? If not, you could face stiff penalties for noncompliance (up to 4 percent of annual global revenue or €20 million).

The true death blow, though, would be the loss of critical business relationships on which your business depends.

What will it take to provide the comfort your customers will soon be asking for? It may be more achievable than you thought. A roadmap already exists that can guide your organization in the development of an information security program to achieve the objectives of GDPR.

Look to ISO/IEC 27701 Certification to Facilitate GDPR Compliance

Building on ISO 27001’s acceptance as the international standard for information security management systems (ISMS), ISO/IEC 27701 is the first international data privacy certification framework. ISO 27001’s requirements for the Information Security Management certification were already in alignment with the organizational requirements required by GDPR. But, ISO 27701 is exquisitely designed to meet the technical and organizational requirements called for by GDPR.

Even though the Article 29 Working Party has yet to fully define the GDPR certification scheme, the characteristics of a risk management program that would provide sufficient guarantees of privacy and security of data are well-defined within GDPR.

Article 32 describes how a risk management program should be designed, referencing well-known and accepted information risk management principles:

“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk… the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk…”

The article goes on to list some specific examples of measures that should be considered “as appropriate,” such as pseudonymisation and encryption of personal data. Note that the word “appropriate” appears three times in this single sentence about security of processing. How do you know what is appropriate?

ISO 27005—a subset of ISO 27001—answers this question by defining a formal process for assessing information security risk. Where appropriate, this risk assessment can be expanded to encompass a Data Protection Impact Assessment, as called for in GPDR Article 35.

Because the criteria defined by GDPR and ISO 27001 and now ISO 27701 align so closely, any organization that achieves an ISO 27001 and ISO 27701 Information Security Management System certification will be in a strong position to easily achieve GDPR certification (when it is defined). Even more critical for data processers, the certification will position you to provide sufficient guarantees to the organizations for whom you process data.

You do not have the luxury of waiting for the dust to settle. If you have not already, get familiar with the requirements of GDPR and ISO 27001. Then assess your organization’s readiness to meet these criteria and provide those all-important “sufficient guarantees.” Contact Dan Schroeder for guidance in evaluating your readiness.