ISO 27701 does not cover the GDPR out of the box

ISO 27701 has come along to add another management system into the ISO camp. With the creation of a Privacy Management System (PMS), the International Standards Organisation (ISO) is looking to provide a compliance framework for global privacy legislation and regulation.

Evidencing compliance with any regulation carries a significant cost, and most organisations simply have no requirement to bear it. Whilst the GDPR applies to all organisations (with a few exceptions), only a relative few will go to the expense of proactively evidencing compliance. These few will be in heavily regulated industries such as Financial Services and Pharmaceuticals, where compliance evidencing is already undertaken for other aspects of the organisation’s work and makes this activity a necessity.

What do you get for your PMS investment?

The value of a PMS is to define the framework within which your specific GDPR controls will exist, how they work together to reduce the compliance risk, and how you monitor and improve those controls.

The value to a highly regulated organisation of a fully functional PMS is the ease with which compliance can be evidenced and structured. By linking the internal controls applied to the compliance requirements requested, a mapping can be shown that proves no gaps exist within the response provided by the organisation to their regulator.

ISO 27701 does not equal GDPR Compliance

ISO 27701 does not provide the specific controls required by the GDPR. The ISO 27701 standard has to be generic so that it can easily be adapted to other privacy regulations as they come into force around the world.

The ISO 27701 standard has within it a fundamental framework of controls that can be applied generically to any privacy-related legislation and then provides the space for custom controls to be created for specific regulations.

When creating a PMS under ISO 27701, a mapping activity is required for each specific piece of privacy legislation. You need to map each regulatory requirement to the enforcing control you have put in place within your organisation. This shows how the controls chosen to be part of the PMS support the requirements of each individual regulation or piece of legislation.

It is highly likely that a single control will provide privacy protection and risk reduction across a number of different privacy regulations. Having this controls mapping for each regulation in scope of your PMS allows a control to be designed once and applied to multiple regulations as required, whilst maintaining the linkage to each regulatory requirement that initiated the need for the control.

Populating the PMS with custom controls

Once you have created the PMS framework, you need to define and add the custom controls required by the GDPR. This is relatively straightforward. The GDPR is very specific in terms of the controls it expects to be put in place to protect personal data.

A distinction should be made within your PMS between key and non-key controls. There is a lack of consensus across the compliance industry as to what constitutes a key control. For the purposes of this article, I will define a key control as a control whose failure will significantly increase your risk of non-compliance.

Within the GDPR, the key controls are commonly seen as the controls that mitigate your risk of being fined. Helpfully, the GDPR Articles define which control failures lead to a 2% fine and which lead to a 4% fine respectively.

A few hours of running through the recitals and Articles of the GDPR will give you an initial list of the controls and key controls that you need to put in place to ensure that your PMS covers the entire scope of the GDPR.

Don’t forget the recitals

At the start of the GDPR official text, there are 173 recitals before we step into the actual Articles of the GDPR. Do not ignore them. There are controls defined in the GDPR recitals that do not appear in the GDPR Articles.

As an example, the need for a Legitimate Impact Assessment (LIA) is described in recital 47 and is not explicitly mentioned in the Articles. If you just look at the Articles, you will not capture all the controls required to successfully cover the scope of the GDPR.

The custom list of controls that you have gathered can then be added to your implementation of ISO 27701 with the relevant mapping to the recitals and Articles in the GDPR.

The same exercise performed on the CCPA or any other privacy legislation will give you layers of custom controls, many of which will be very similar. By introducing this mapping concept, you can ensure that controls are not duplicated across different legislative boundaries.

ISO 27701 certification does not mean GDPR Compliance

Do not assume that an ISO 27701 certification automatically means GDPR compliance. The only thing that an ISO 27701 certification shows is that the certified organisation has a functioning Privacy Management System. You would need to look carefully at the scope of the PMS to determine if GDPR controls are explicitly covered by it. These should be available as part of the Statement of Applicability issued with the ISO 27701 certification.
