Towards a GDPR certification scheme: the ISO/IEC 27701
The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), in response to many requests for certification schemes covering the processing of personal information, have published an important new standard: ISO/IEC 27701.
What is the purpose of the new ISO?
The new standard is part of the ISO 27000 family and represents a quality leap in the regulation of data protection, because it gives companies operating instructions for implementing the GDPR. Finally, there is a practical tool that allows you to check whether the personal data management system adopted in the company complies with current legislation.
Can it be used as a certification for the GDPR (under Art. 42)?
During the design and development of the new ISO, many people believed that it could be used as a certification in accordance with Art. 42 GDPR, but at the moment it can only be used to certify a management system, and not a process, as the GDPR requires instead.
In any case, ISO/IEC 27701 is currently the most authoritative reference for implementing and evaluating all personal data protection measures, and it makes it possible to achieve a high level of accountability.
Therefore the privacy information management system (PIMS) described by ISO 27701 makes it possible to:
- demonstrate compliance with the GDPR and current regulations on the protection of personal data, in accordance with the privacy by design and by default principles;
- generate trust towards customers and data subjects regarding the company’s ability to correctly manage personal data;
- define roles and responsibilities within the organization;
- develop internal skills and sensitivity about personal data processing;
- improve company processes and avoid infringements of the regulations;
- have a system for managing data breaches and requests from data subjects;
- take suitable measures to protect the personal data processed.
It is also important to note that the new ISO will probably be submitted to the EDPB for evaluation as a European certification scheme, and could provide an important competitive advantage to those who have obtained it.
Who is it for?
The certification is aimed at all types of organizations, including (public and private) companies, government agencies and non-profit organizations, whether acting as owners or managers of data processing; in addition, those who have already obtained ISO/IEC 27001:2013 certification can integrate their Information Security Management System (ISMS) with the PIMS adopted in accordance with the provisions of ISO 27701.