Last Updated on March 16, 2023
The EU’s General Data Protection Regulation (GDPR) is probably the most comprehensive privacy law on the planet. If your company does significant business in the EU, there is no more Privacy Shield agreement to hide behind, meaning you’ll probably need to demonstrate GDPR compliance.
Similarly, if you do business in Brazil, you’ll need to comply with that country’s General Data Protection Law (LGPD), which is similar in scope to GDPR. Singapore also has a strict privacy law, with major trading partners like India and China poised to follow suit. Then there’s the growing number of US state-level consumer privacy mandates, like California’s CCPA (now amended as CPRA) and Virginia’s VCDPA.
What can organizations do to reduce the complexity of managing and proving compliance with GDPR and other overlapping privacy regulations? Is an ISO 27701 “privacy extension” to an ISO 27001 certified information security management system (ISMS) the answer? What benefits could ISO 27701 provide?
To discuss specific options and implications for privacy certifications based on cost and other key factors, a recent episode of The Virtual CISO Podcast features Jason Powell, GRC and Privacy Consultant at Pivot Point Security. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.
ISO 27701 helps you prove GDPR compliance
An ISO 27701 certification does not automatically equal compliance with GDPR or any other privacy law. But, as John puts it, “Perception is reality. And when you hand somebody an ISO 27701 certificate and it says GDPR in the scope statement, they perceive that as being GDPR compliant.”
By defining GDPR and/or CCPA compliance as within the scope of your ISO 27701 privacy information management system (PIMS), you’re not only establishing a compliant privacy framework—you’ve also got an internationally respected, third-party attestation of that compliance that you can show to regulators, clients and other stakeholders. This can have considerable marketing and client acquisition value, while potentially streamlining regulatory compliance procedures.
ISO 27701 can streamline privacy processes
In a perfect world, every SMB would have a dedicated privacy officer independent of their cybersecurity team. But it’s far more likely that a cybersecurity person will be tasked with managing the PIMS on top of security duties. ISO 27701 can help support that dual role by streamlining the joint privacy/security controls and procedures.
“What ISO 27701 does is consolidate my [ISO 27001] information security management system into an information security and privacy management system,” John asserts. “I may build a GDPR compliant program. But if it isn’t operationalized—if I don’t have any way of making sure that we’re doing the things we want to do—and I have only an information security guy running it, it might not happen.”
“So, you might also have some value with adding ISO 27701, just because the management system will ensure that people are looking at it, that risk assessments are being updated, etc.” John emphasizes. “I think it provides some compliance operationalization value.”
This could not only save considerable labor and effort, but also reduce compliance/audit and reputational risk.
The value of ISO 27701 is what you make it
In Jason’s view, the business value of an ISO 27701 certified PIMS depends on the organization implementing it.
“There are some organizations that implement ISO 27701 because they need to check the boxes,” Jason observes. “It’s good for marketing, or somebody wanted them to do it.”
Or, say you’re a mom-and-pop auto insurance broker in Missouri, which currently has no state privacy laws, and you don’t do business in California or Virginia or any other state with privacy laws. You don’t collect health data, so you’re not subject to HIPAA. But you want to give your clients and partners a high degree of assurance that you can manage the personal data that you collect and process.
“So, maybe the son of the business owner says, ‘I’ll do it, dad!’” Jason relates. “And he digs in and really learns the real purpose of the ISO 27701 framework, and believes in what the framework represents. They’re going to get a lot more value out of it than a company that says, ‘Eh, it’s good for marketing, let’s tick the boxes.’ Like everything else in this world, it’s what you put into it, right?”
“I think what you’re saying is that you can turn GDPR or ISO 27001 and ISO 27701 into a compliance exercise where the purpose is to produce a certificate, not to protect personal information,” reframes John. “So, it is about the intent.”
To hear this podcast episode with Jason Powell all the way through, click here: https://pivotpointsecurity.com/podcasts/ep66-jason-powell-private-practices-how-to-prioritize-privacy-in-your-organization/
Want more insights from a top expert on the business value of an ISO 27701 certification? This podcast episode is perfect: https://pivotpointsecurity.com/podcasts/the-virtual-ciso-podcast-debbie-zaller-why-iso-27701-is-the-answer-to-privacy-compliance/