When the European General Data Protection Regulation (GDPR) came into force in May 2018, there was a great deal of commotion here in Switzerland, and the revision of the Swiss Data Protection Act (DSG) will cause the same. But let's be honest: many companies are still looking for practical ways to demonstrate that they comply with the data protection requirements in force. How is it for you? ISO/IEC 27701 was published in August 2019 as a standard for providing evidence that data protection requirements have been implemented. Is this standard the answer? In this article, we take a closer look.
Think of data protection as an add-on to the ISMS
First of all: yes, we do mean ISO/IEC 27701, not ISO/IEC 27001; that is not a typo. This article is primarily about the ISO/IEC 27701 standard. So what is it about? ISO/IEC 27701 defines the requirements for establishing, maintaining and continually improving a PIMS (Privacy Information Management System).
The standard builds on the requirements of ISO/IEC 27001 and adds a number of data protection-specific requirements, controls and control objectives. You could therefore say that ISO/IEC 27001 has "just" been extended to cover data protection explicitly; this is why the new standard speaks of "information security and privacy" wherever ISO/IEC 27001 speaks of "information security". But that is not all, of course; there are also numerous additions to the content. For example, when determining the organisation's context, the applicable data protection laws and relevant court decisions must explicitly be taken into account, and the risk assessment must cover the risks arising from the processing of personal data, not only the classic information security risks.
ISO/IEC 27701 is strongly geared to the GDPR
In addition, ISO/IEC 27701 contains additions to ISO/IEC 27002, the implementation guidance for the controls in Annex A of ISO/IEC 27001, including:
- The expansion of the guidelines to include aspects of data protection
- The appointment of an officer with responsibility for data protection
- The appointment of an officer responsible for the “Privacy Information Management System”
- Data protection training for employees (staff awareness)
- The encryption of personal data, e.g. for health-related data
- The observance of the “Privacy by Design” principle
- Reviewing of security incidents involving data breaches
These examples are closely tied to the GDPR, and this is also reflected in the annexes of ISO/IEC 27701. There you will find a detailed table (see footnote 1) showing how the individual measures relate to GDPR requirements. The measures make it clear how strongly the EU GDPR has shaped the standard, even though it is an international standard for data protection.
ISO/IEC 27701 is not a GDPR certification standard
Articles 42 and 43 of the GDPR govern the conditions under which data protection certifications are permissible and the requirements that certification bodies must fulfil. A closer look at Article 43 shows that GDPR certifications are only possible on the basis of EN-ISO/IEC 17065 (certification of products, processes and services). This means that, unfortunately, certifications of data protection management systems are excluded from the GDPR certification mechanism. An ISO/IEC 27701 certificate can be issued by an accredited body as an extension of an ISO/IEC 27001 certificate, but it is not a certification within the meaning of Article 42 GDPR. It nevertheless makes sense to implement ISO/IEC 27701, because demonstrable conformity carries weight with customers and business partners. The benefit is not just for marketing purposes and competitive advantage: documented, demonstrable technical and organisational measures are among the factors a supervisory authority takes into account when deciding on sanctions (Article 83(2) GDPR), which can reduce the liability exposure of the company and its senior management in the event of an infringement.
But that is not all. Under Article 32 of the GDPR, controllers and processors are obliged to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, and to be able to demonstrate this; in practice, this calls for a systematic, managed approach to processing personal data. In the interests of efficiency, it makes sense to introduce one management system for all information, regardless of whether it is personal or not and whether it is in digital or paper form. A data protection management platform such as the HiScout GRC Suite can deliver valuable services here and helps you fulfil your documentation obligations under the GDPR: you can carry out data protection impact assessments, maintain the record of processing activities and create authorisation and deletion concepts. A platform like this is a good basis for maintaining your Information Security Management System (ISMS) in accordance with ISO/IEC 27001 and for the next step, expanding it into a PIMS in accordance with ISO/IEC 27701.
ISO/IEC 27001-certification as the basis
ISO/IEC 27001 defines the requirements for an ISMS and follows a risk-based approach that covers people, processes and technology. Certification by an independent, accredited body gives stakeholders assurance that the certified company manages its information security risks systematically. At the same time, companies that have implemented ISO/IEC 27001 can use their ISMS as the platform for extending their security efforts to privacy management, including the processing of personal data / PII (Personally Identifiable Information). This helps companies demonstrate that they have taken appropriate measures to comply with data protection laws such as the GDPR or the DSG.
On the right track with ISO/IEC 27701
Even though ISO/IEC 27701 does not offer a "GDPR certification" within the meaning of the GDPR, it does make it easier to demonstrate that personal data is handled in compliance with the GDPR. Despite its closeness to ISO/IEC 27001 in terms of content, introducing ISO/IEC 27701 in a company entails additional cost. When implementing it, you can often fall back on guidelines, processes and documentation that already exist within the company. Nevertheless, there are some stumbling blocks that need to be cleared out of the way.
ISO/IEC 27701 not without ISO/IEC 27001
Unfortunately, neither the GDPR nor ISO/IEC 27701 prescribes concrete technical best practices for implementing their requirements; the standard's guidance stays at the level of controls and objectives. This is clearly intended to prevent them from becoming obsolete as best practices and new technologies develop, but such guidance would be helpful nonetheless.
However, the two standards are closely related. Chapters 5 and 6 of ISO/IEC 27701 contain numerous requirements that refer to ISO/IEC 27001/27002, some of them directly, some with specific additions. For example, data protection risks are to be assessed and treated in the same way as information security risks (chapter 5.4, Planning). Likewise, support including resources and communication (5.5), operation (5.6), performance evaluation (5.7) and continual improvement (5.8) are to be implemented as in chapters 7 to 10 of ISO/IEC 27001.
Chapter 6 of ISO/IEC 27701 also adds specific privacy requirements to the existing information security controls found in ISO/IEC 27002. Two important topics are:
- The protection of test data. Personal data should not be used for testing purposes (ISO/IEC 27002:2013 control 14.3.1).
- The management of information security incidents. Internal responsibilities for handling security incidents that may lead to a breach of personal data must be defined, covering the technical response, notification of the supervisory authority and notification of the data subjects concerned.
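One practical way to apply the test data control above is to derive test data from production records by replacing every personal data field with a keyed pseudonym, so that developers never receive the original values while tests that depend on records belonging to the same person still work. The following is an added example written for this article, not code from ISO/IEC 27701 or from any product mentioned here; the field names, the sample records and the `@test.invalid` address format are constructed assumptions.

```python
"""Producing test data without personal data (added example).

Each PII field is replaced by an HMAC-SHA256 pseudonym under a secret key.
The same input always yields the same pseudonym, so foreign keys and
"same customer, two contracts" relationships survive; without the key the
original value cannot be recovered from the pseudonym.
"""
import hashlib
import hmac
import json

# Constructed sample of "production" records (fictitious persons).
# Records 1001 and 1003 belong to the same person on purpose.
PRODUCTION_RECORDS = [
    {"customer_id": 1001, "name": "Anna Muster", "email": "anna.muster@example.ch",
     "iban": "CH93 0076 2011 6238 5295 7", "plan": "premium"},
    {"customer_id": 1002, "name": "Beat Beispiel", "email": "beat.beispiel@example.ch",
     "iban": "CH56 0483 5012 3456 7800 9", "plan": "basic"},
    {"customer_id": 1003, "name": "Anna Muster", "email": "anna.muster@example.ch",
     "iban": "CH93 0076 2011 6238 5295 7", "plan": "basic"},
]

# Assumed field names and the shape each pseudonym takes in the test set.
PII_FIELDS = {
    "name": "user-{}",
    "email": "{}@test.invalid",   # reserved TLD: mail can never be delivered
    "iban": "IBAN-{}",            # deliberately not a valid IBAN
}


def pseudonym(secret: bytes, field: str, value: str, length: int = 12) -> str:
    """Deterministic, keyed pseudonym for one field value.

    The field name is mixed in so that an e-mail address and a name that
    happen to be equal do not collide across columns.
    """
    mac = hmac.new(secret, f"{field}:{value}".encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymise_record(record: dict, secret: bytes) -> dict:
    """Copy a record, replacing every PII field; other fields pass through."""
    out = dict(record)
    for field, template in PII_FIELDS.items():
        if field in out and out[field] is not None:
            out[field] = template.format(pseudonym(secret, field, str(out[field])))
    return out


def pseudonymise(records: list, secret: bytes) -> list:
    """Derive a complete test data set from production records."""
    return [pseudonymise_record(r, secret) for r in records]


def leaked_pii(test_records: list, production_records: list) -> list:
    """Release gate: list every original PII value still present in the test set.

    Run this before the data set leaves the production environment; an empty
    list is the condition for handing the data to developers.
    """
    originals = {str(r[f]) for r in production_records for f in PII_FIELDS if f in r}
    serialised = json.dumps(test_records, ensure_ascii=False)
    return sorted(v for v in originals if v in serialised)


if __name__ == "__main__":
    # The key stays in production; it must not be deployed to the test environment.
    key = b"production-only-secret-key"
    test_set = pseudonymise(PRODUCTION_RECORDS, key)
    print(json.dumps(test_set, indent=2))
    print("leaked PII values:", leaked_pii(test_set, PRODUCTION_RECORDS))
```

Two caveats a practitioner should keep in mind. First, under Article 4(5) GDPR pseudonymised data remains personal data as long as the key exists, so the key must stay in production and the test environment must never receive it; only then can the test set be treated as not attributable to the data subjects by the people who use it. Second, fields that are not listed as PII pass through unchanged, so the field list has to be reviewed against the record of processing activities whenever the schema changes, otherwise a new free-text column can silently carry personal data into testing.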
Chapters 7 and 8 contain additional guidance for PII controllers (chapter 7) and PII processors (chapter 8), which can serve as a checklist for GDPR compliance. They cover topics such as:
- Legal basis for the processing of personal data
- Managing consent
- Data Protection Impact Assessments (DPIA)
- Agreements on data processing
- Facilitation of the rights of the data subjects
- Implementing the principles of “Privacy by Design” and “Privacy by Default”
- Data export to third countries
These data protection-specific additions thus form the basis for expanding the ISMS into a data protection management system, or PIMS. It also shows that companies which already have structures and processes in place to support compliance with the GDPR will find the transition to ISO/IEC 27701 somewhat easier. It is important, however, that these processes are implemented effectively and within the scope of the ISMS.
Do you have any questions or hesitation regarding data protection?
This much is clear: ISO/IEC 27701 is not a free pass, and presenting a certificate does not by itself prove compliance with data protection law. Still, the standard makes an important contribution to pragmatic, effective data protection. That is indispensable in the age of digitalisation, because successful digitalisation requires data protection to be built in, which makes it an issue of strategic importance for every company.
However, implementing the requirements of the Swiss Data Protection Act (DSG) and the European General Data Protection Regulation (GDPR) is a challenge, with or without ISO/IEC 27001 and ISO/IEC 27701. Get some assistance! Our data protection experts at InfoGuard will support you with all aspects of these topics, from questions about data protection requirements, analysis and the definition of strategies and concepts to awareness raising and implementation.
1: Annex D maps the provisions of ISO/IEC 27701 to the General Data Protection Regulation (GDPR). Annex E maps the provisions of ISO/IEC 27701 to ISO/IEC 27018 and ISO/IEC 29151. Annex F provides guidance on applying ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002.