The GDPR explicitly provides the possibility of certification in Article 42 GDPR. Now, the International Organization for Standardization (ISO) has published ISO 27701, a standard for demonstrating compliance with data protection regulations.
With ISO 27701, the ISO 27001 standard has been extended to include privacy considerations. What’s new?
- ISO 27701 now covers both information security and privacy
- Inclusion of relevant data protection laws and court decisions
- Extension of guidelines on aspects of data protection
- Appoint a person responsible for the Privacy Information Management System
- Privacy training of employees
- Logging of access and changes
- Encryption, e.g. of special categories of personal data (such as health data)
- Consideration of the “Privacy by Design” principle
- Assessing security incidents to determine whether they constitute personal data breaches
Once again, it becomes clear how closely data security and data protection are interconnected. Even though ISO 27701 is currently not a “GDPR certification” according to Article 42 GDPR, it remains exciting to see whether ISO 27701 will someday be as indispensable as other standards.