Last Updated on March 16, 2023
The new ISO 27701 standard allows companies to extend their current ISO 27001 Information Security Management System (ISMS) to cover data privacy. This can be an excellent way to show customers, investors, regulators, and other stakeholders that you have a strong privacy program.
But does achieving ISO 27701 certification “automatically” make you compliant with important privacy legislation like the EU’s GDPR and California’s CCPA? Or even close?
To unpack some of the “learning opportunities” from Pivot Point Security’s initial audit experiences with ISO 27701 customers, a recent episode of The Virtual CISO Podcast features our full-time GRC consultants Aurore Watts and Andrew Frost. John Verry, Pivot Point Security’s CISO and Managing Partner, hosts the show as usual.
As John points out, ISO 27701 does not mandate that you include your HR data in the scope of your Privacy Information Management System (PIMS). This choice alone could derail your GDPR or CCPA compliance, at least as regards your internal data.
“ISO 27701 is really about providing a framework for privacy principles,” clarifies Aurore. “So, you’re going to have some controls that are specific to those local privacy laws that you’re going to have to plug into the different controls [within ISO 27701]. Sometimes, our clients say, ‘I want to be ISO 27701 certified so I can pretend to be GDPR or CCPA compliant.’ But if you want to comply with all those different privacy laws, we will have to look at making the scope much bigger, and also adding more controls.”
“Basically, [with ISO 27701] you’re setting up a framework and a management system that allows you to add other management systems or other requirements into it, but you’re not necessarily including all those requirements,” adds Andrew.
The flip side is that ISO 27701, while not prescriptive, is extremely flexible and can be tailored to your needs. If you define the scope of your PIMS to encompass the controls needed for compliance with GDPR or other prescriptive legislation, then achieving certification would also mean you had attained compliance with that legislation.
Can your ISO 27701 PIMS accommodate compliance with both GDPR and CCPA? How similar are the two laws?
John asks, “Are they close enough that by doing a core set of things I could almost achieve compliance with both of them? Or are they sufficiently disparate that I’d have a lot of work to do both versus one?”
“There are a lot of similarities,” Aurore acknowledges. “But because there are some differences, you will have additional work to do to achieve both. To give you an example, GDPR will ask that you justify with legal grounds that … you can process personal data. So, you have to pretty much [get] prior consent. CCPA is all about providing the opt-outs: ‘Do not sell my data.’ So, just different approaches.”
If you’re building a roadmap to privacy compliance for your organization, this frank discussion with Andrew Frost and Aurore Watts is just the kind of expert guidance you’re looking for.