Organizations processing personal data often face self-assessments, vendor checklists or even on-site audits to assure their corporate clients that they implement adequate technical and organizational measures to guarantee secure processing of personal data. Demonstrating compliance with applicable data protection legislation has become a main topic in commercial contract negotiations. Such vendor assessments tie up internal resources and cause operational delay. That is why many (software) vendors are looking for structural solutions to minimize the operational impact, and this is where certification comes into the picture.
1. ISO 27001 – the Information Security Management System
The ISO 27001 standard is the most widely used security framework in the market; it specifies an Information Security Management System (ISMS). In the absence of more specific, widely adopted privacy standards, ISO 27001 certification is currently often used to demonstrate, at a high level, adequate technical and organizational measures (and privacy management in general). Such certification is usually accepted by clients as sufficient assurance and therefore reduces the operational impact on vendors when they are audited (before or after a deal is closed). Note that a certificate only covers the ISMS scope stated on it, so a client still has to check that the service it buys actually falls within that scope.
Although ISO 27001 certification is widely used to demonstrate security implementation and privacy management, the standard does not fully cover the requirements set out in the General Data Protection Regulation (GDPR). This is why additional standards and certification schemes are becoming more relevant for privacy management. As these privacy-specific standards mature, ISO 27001 certification alone may no longer be deemed sufficient proof of privacy management, which is why companies are looking into certification under ISO 27701 or British Standard 10012.
2. ISO 27701 – the Privacy Information Management System
The International Organization for Standardization (ISO) introduced a new international standard, ISO/IEC 27701 (Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines), published in August 2019.
This standard is an extension to ISO 27001 and ISO 27002 and specifies a Privacy Information Management System (PIMS) to manage privacy information on top of the existing ISMS. Both data controllers and data processors can use the standard to implement a PIMS; it contains separate sets of controls for each role. Because it is an extension rather than a stand-alone standard, ISO 27701 certification is obtained together with, or on top of, an ISO 27001 certification: an organization cannot be certified under ISO 27701 without an ISMS certified under ISO 27001.
Being certified under ISO 27701 gives your organization additional credibility when it comes to privacy management. Given the popularity of ISO 27001 certification, we believe ISO 27701 could become a commonly used standard for privacy management in the coming years.
3. British Standard 10012 – the underdog
As an alternative to the well-known ISO standards, there is British Standard 10012. BS 10012 specifies a Personal Information Management System (slightly different from the Privacy Information Management System under ISO 27701) and was explicitly written to guide organizations towards GDPR compliance (unlike ISO 27701, which was designed to be regulation-independent).
Similar to ISO 27701, certification under BS 10012 demonstrates the implementation of privacy management. Because BS 10012 is less widely known in the market (depending on sector and territory), organizations should decide upfront what they want to achieve with certification and whether BS 10012 is the right choice for that goal.
4. ISO 27701 or BS 10012: which one to choose?
None of the standards mentioned above is currently approved as a certification mechanism under Article 42 GDPR, so the choice has to be made on other grounds.
Depending on the territory of business, the sector and any certifications obtained in the past, businesses should decide which standard is most suitable for their situation. The data protection legislation your organization has to comply with will also have an impact: BS 10012 is specific to the GDPR (and the UK Data Protection Act 2018), whereas ISO 27701 is an international, regulation-independent standard.
It is too early to conclude if and how Brexit will affect the popularity of either standard, but for now we expect the European market to opt for ISO 27701.
5. Which standard will become a certification mechanism under GDPR?
Article 42 GDPR provides for data protection certification mechanisms whose criteria are approved by the competent supervisory authority or the European Data Protection Board. None of the standards mentioned above is currently approved under that article; nevertheless, the market uses them extensively to demonstrate adequate implementation of security measures (and privacy management in general), and there are currently no other widely used options available.
We believe that as soon as a standard is approved as a certification mechanism under Article 42 GDPR, it will gain popularity quickly.
6. What to remember?
1. Depending on sector, territory and other variable factors, organizations should decide whether certifying under a specific privacy management standard is worthwhile for their business. If so, they should do the exercise of deciding which standard is most suitable for their specific situation.
2. Organizations must be aware that, at present, neither ISO 27001/27002, ISO 27701 nor BS 10012 certification as such is officially recognized as a certification mechanism under the GDPR.
3. Privacy professionals should keep following the evolution of the available standards. As soon as a certification mechanism is approved under the GDPR, organizations may have to reconsider which standard to implement.