Is ISO 27701 certification the key to GDPR compliance?

By Alessandro Fiorentino
ISO 27701 standard for personal data protection management and GDPR compliance

In response to the societal need to protect privacy by regulating the processing of personal data (hereinafter PD), the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published, in August 2019, the ISO 27701 standard entitled "Security techniques - Extension of ISO/IEC 27001 and ISO/IEC 27002 to privacy information management - Requirements and guidelines".

International in scope, this standard is aligned with the personal data protection laws of various countries, such as the LPD in Brazil. It is not mandatory, but an organization can be certified against it.

Its purpose is therefore the supervised implementation of a Privacy Information Management System (hereinafter PIMS), a near twin of the Information Security Management System (hereinafter ISMS) from which it is derived. A PIMS is the set of organizational and technical measures put in place to reach an objective and maintain it over time. It rests on three pillars: the risk-based approach, continuous improvement, and audit (which implies documentation and traceability). The scopes of the PIMS and the ISMS are nevertheless distinct and should not be confused.

The ISMS defined in ISO/IEC 27001 was designed so that sector-specific requirements can be added without designing a new management system. It can therefore be combined with a PIMS. The PIMS is, so to speak, a "privacy" management system.

When it comes to personal data, protection requirements vary between national laws and between companies. The standard therefore requires, on the one hand, that these laws and contexts be taken into account and, on the other hand, a mapping to the privacy principles and framework defined in ISO/IEC 29100, ISO/IEC 27018, ISO/IEC 29151 and the GDPR. However, although there is an undeniable correspondence between the GDPR and ISO 27701, certification against 27701 in no way corresponds to the certification provided for in Article 42 of the GDPR. The standard is therefore simply an extension of recognized and proven international cybersecurity standards, and one of the possible combinations with ISO/IEC 27001 and 27002.

Concretely, this standard adds a "privacy" component to the ISMS and to the information security measures detailed in those two standards. This component proposes a framework for implementing a PIMS (Privacy Information Management System) and allows GDPR requirements to be integrated into the ISMS; in short, it allows an organization to demonstrate a certain level of maturity and compliance to the supervisory authorities. One part is dedicated to PIMS-specific requirements related to ISO 27001, another gives PIMS-specific recommendations related to ISO 27002. To these are added two further sets of recommendations derived from ISO 27002: one for data controllers and one for processors (subcontractors). The standard emphasizes critical PD security issues such as encryption, access management, data backup and incident management, contractual security, etc.

The ISO 27701 standard also complements the "understanding the context" and "planning" phases defined in ISO 27001. In short, when defining the PIMS, the organization must determine its role (controller or processor) and describe its processing of PD, but also carry out (separately or together) an assessment of the risks relating to PD (a privacy impact assessment, DPIA) in addition to the assessment of information security risks. Moreover, the statement of applicability must set out the necessary measures and their justification (Annexes A and B of ISO 27701). This statement is the direct link between the GDPR and ISO 27701.

Thus, this standard is aimed at all organizations processing personal data, regardless of size, sector of activity or nationality, whether the organization is a data controller, a processor or a sub-processor.

It therefore constitutes the essential framework of requirements for any organization wishing to manage the legal requirements relating to personal data protection through a management system that structures the compliance process on a sustainable basis.

Its objective is therefore to give companies a common denominator, especially when choosing their partners, through certification. In this sense, the standard facilitates digital trust between businesses and users, and so becomes a reference for the market and a significant compliance indicator in commercial relationships. It also makes it possible to demonstrate the commitments made to data protection and attests to a certain level of compliance, in particular with the GDPR, to supervisory authorities such as the CNIL or the EDPS. In this respect, it is not in itself proof of GDPR compliance, but a significant indicator of it. Note that 27701 certification implies 27001 certification, since the two are linked. This therefore represents an investment for businesses which, depending on their level of maturity, may prove both useful and additional to the amounts already invested in GDPR compliance.

The same reasoning applies to the recommendations concerning the appointment of a point of contact and of a person responsible for governance and the privacy program. This implies that the PIMS project manager must be competent in both information security and privacy protection, or in both legal and technical matters. Businesses that have a DPO are likely to add the privacy protection component of the PIMS to the DPO's responsibilities, in the same way that a CISO is responsible for the information security component of an ISMS.

In conclusion, ISO 27701 certification is a business asset for companies, which can sign contracts with a certified service provider with confidence, knowing that it meets the requirements in terms of data protection and privacy; it is also an indicator of the company's compliance maturity, but it in no way dispenses with full and complete compliance with the GDPR in its own right.
