A Look Ahead at New Data Privacy Regulations: How Do They Compare to ISO/IEC 27701?

Author: Hafiz Sheikh Adnan Ahmed, CGEIT, CDPSE, CISO
Date Published: 12 January 2022

Tips of the Trade

“Data are the new oil” is no longer a new sentiment. It has become the reality for individuals, organizations and entire countries over the last 15 years of digital transformation. Since the EU General Data Protection Regulation (GDPR) became enforceable in 2018, which I consider the mother of all modern data privacy laws and regulations, states and countries around the globe have either adopted existing data privacy laws or created their own. According to a 2021 report, 133 jurisdictions around the world have enacted omnibus data privacy laws. Over the last several months alone, many countries have announced or begun enforcing data privacy regulations. For example, China enacted the Personal Information Protection Law (PIPL); Saudi Arabia approved a Personal Data Protection Law that will come into effect in March 2022; and the United Arab Emirates (UAE) has just published the UAE Data Protection Law, which introduces major changes to data protection in the UAE.

Organizations are also concerned about how to demonstrate data privacy compliance to their customers and end users, both to increase trust and to assure them that the organization complies with the applicable laws and regulations. Data privacy laws and regulations can only verify compliance through assessments; unlike management system standards, they provide no certification mechanism. The International Organization for Standardization/International Electrotechnical Commission’s (ISO/IEC) 27701, however, can be used to demonstrate privacy compliance through certification. ISO/IEC 27701 was released in 2019 and seeks to provide a truly international approach to privacy protection as a component of information security. It is a Privacy Information Management System (PIMS) standard that lays out a detailed set of operational requirements and controls that can be mapped to a variety of regulations, including GDPR. It is built on, and is an extension of, ISO/IEC 27001: an organization seeking ISO/IEC 27701 certification must already hold ISO/IEC 27001 certification or implement both standards together, because a PIMS cannot be certified on its own.

ISO/IEC 27701 helps organizations maintain an effective privacy and information security management system and reduce privacy risk. Certification against it is a credible way of demonstrating to consumers, external organizations and internal stakeholders that mechanisms are in place to keep personal data safe and to support compliance with GDPR and other privacy laws. The standard contains an annex that gives an indicative mapping between the provisions of ISO/IEC 27701 and articles 5 to 49 (except article 43) of GDPR. The mapping shows how meeting the requirements and controls of the standard can be relevant to fulfilling the obligations of GDPR; it is indicative, not a guarantee of legal compliance.

It is worth noting that ISO/IEC 27701 and GDPR share many goals. Both aim to strengthen data privacy and focus on the processes of obtaining, managing and protecting personal data. Both provide guidance on data confidentiality and protection, emphasize risk assessment, hold organizations accountable for data breaches and require that accurate records be kept. However, the two differ in their application. GDPR does not prescribe the technical details of how organizations should implement data protection controls or strengthen their security measures. ISO/IEC 27701 fills this gap by providing concrete controls that organizations can adopt to reduce privacy and security risk. To put it another way, GDPR identifies the requirements and ISO/IEC 27701 offers a means of meeting them. The following are some of the most notable similarities between GDPR and ISO/IEC 27701:

Conclusion

Privacy laws have never been as important as they are today, now that data travel the world through borderless networks. 2022 will be an eventful year for privacy legislation, as several notable privacy laws come into force. Cross-border transfers are likely to be one of the main compliance issues tackled by legislative bodies and data protection authorities as they work to regularize and normalize data transfers between countries.

At the same time, it is very important to understand the difference between complying with a regulation such as GDPR and being certified against a management system standard such as ISO/IEC 27701. Regulations and management system certifications are not interchangeable. Being ISO/IEC 27701-certified is not the same as being compliant with GDPR or any other data privacy regulation, and it is not enough to address one and ignore the other. Data privacy regulations are a much broader set of rules and guidelines; however, when an organization implements ISO/IEC 27701, the standard gives it a clear pathway toward GDPR compliance as well. Together, the regulation and the standard can help enterprises develop strong measures to safeguard the personal data they collect.

Hafiz Sheikh Adnan Ahmed, CGEIT, COBIT 5 Assessor, CDPSE, GDPR-CDPO, ISO/IEC 27701 Lead Implementer and Lead Auditor, Lead Cloud Security Manager

He is a governance, risk and compliance (GRC), information security and IT strategy professional with more than 16 years of industry experience. He serves as a board member of the ISACA® United Arab Emirates (UAE) Chapter and as IAPP KnowledgeNet Chapter Chair, and volunteers at the global level of ISACA in various working groups and forums. He is a Microsoft Certified Trainer, a PECB Certified Trainer and an ISACA-APMG Accredited Trainer.

He can be reached via email at adnan.gcu@gmail.com and LinkedIn (http://ae.linkedin.com/in/adnanahmed16).