So, just when you thought the GDPR was all done and dusted, you hear that interminable phrase, “there’s a new ISO standard we need to conform with”.
Your heart sinks.
Your blood pressure rises.
Surely, all that hard work you put into complying with the GDPR was enough for now?
No, but there’s nothing to worry about, because this is your no-nonsense, jargon-free(ish) guide to ISO27701.
When did ISO27701 come into effect?
BS10012 was introduced last year and ISO27701 came into effect in August 2019 and, as you’re reading this, is applicable now.
Want to find out more detailed information directly from BSI themselves? If you fancy it, you can grab a copy from the BSI online store for £199.
The new standard, which was originally dubbed ISO27552 (clearly, the ISO parents weren’t keen on 27552 becoming a new addition to the family) is an extension to the existing ISO27001.
It’s therefore a confirmed member of a family of information security standards called ISO27*.
What is ISO27701 for?
ISO27701 defines the requirements for a Privacy Information Management System (PIMS) and works alongside its older sibling, ISO27001 the information security management system standard.
Privacy by Design or Default simply indicates a business that implements data protection policies and procedures throughout the entire organisation, and within every stage of the product process and sales journey.
If you adopt this new standard, it’ll help you demonstrate that you have strong policies and procedures in place that enable you to comply with the GDPR and other recognised data laws throughout the world.
Putting all the numbers and uninspiring names to one side, ISO27701 is a big deal. And, regardless of whether you’re a data controller or processor, if you can display those three letters and five numbers against your logo, your commitment to data privacy will be clear for clients and suppliers to see – as well as making you a better business.
What does ISO27701 recommend?
Just like many other ISO (or international) standards, ISO27701 recommends a risk-based approach to handling personal data.
This doesn’t mean you should assume a data breach is inevitable every minute of the day – it simply harks back to the Privacy by Design/Default mindset. Expect you’ll be targeted one day or that someone will make a mistake and the ISO27701 standard will help you ensure all the data you interact with is treated respectfully and securely and help to prepare you for when something does go wrong.
How does it differ from BS10012?
If you’re lucky enough to know about the BS10012 standard, you might be wondering how this new kid on the block differs. The letters ‘BS’ mean this is a British Standard
BS10012 enables businesses to demonstrate that they understand what the GDPR and UK Data Protection Act 2018 are all about. It tells onlookers that you’re aware of the latest data protection rules, understand them enough to embed them within your organisation and have been audited by an independent third party to prove it.
ISO27701 goes deeper than BS10012 and demonstrates world-wide compliance, but it’s not for every business.
So, which one is right for you? If your customers and partners are entirely UK-based, BS10012 should be just fine. If, however, you have an international audience, combining ISO27701 with ISO27001 will be a better solution.
What does the future hold for the ISO27701?
The ISO community wants ISO27701 to have a bright future. In fact, they’re expecting it to grow to become the world’s leading standard for every Privacy Information Management System. We are expecting this to feature in supply chain questionnaires, in the same way as ISO27001 and ISO9001 are requested today. If you already comply with the GDPR and have ISO27001 in place today, then adoption should be relatively straightforward.
Are you ready to comply with this new standard and want to get ahead of the competition? Or are you worried (read: ‘tired’) with yet another ISO relating to the GDPR? Get in touch – our team already know this stuff inside out and would be happy to help you.