GDPR Compliance, Certification and ISO 27701

How do organizations demonstrate compliance to GDPR? If you’re a Data Protection Officer then Article 39.1.b makes monitoring compliance to GDPR a mandatory requirement of the role.   

The short answer is that it’s difficult. There are approximately 40 articles which an organization must comply with (controller or processor dependant). Each article has a number of sub-clauses, each of which would typically require some form of measure or objective evidence to demonstrate compliance. And if an organization has multiple processing activities then the problem is increasingly complex.
 
To date, there are many online services offering to help organizations become compliant, including checklists or general guidance. But in effect they’re really only advising organizations on how to implement GDPR and operate in a compliant manner. There’s very little out there for monitoring compliance.
 
However, there are two ways of achieving this, and both can be used to demonstrate compliance to stakeholders.

GDPR Article 42

The first is enshrined in GDPR itself – Article 42 lays the ground for GDPR certification schemes. But it’s a couple of years since GDPR was launched and there aren’t any GDPR certification schemes in the UK, though there are some in development. It would be nice to think that a GDPR scheme would be a panacea to the compliance problem, but it’s not that simple.
 
The guidance from the European Data Protection Board and the ICO require schemes to be specific to particular processing activities. It’s unlikely there’ll be a one size fits all scheme, and there could be several schemes from competing certification bodies for the same processing activity. And organizations will have to choose which processing activities they want to certify – if it’s more than one, say Sales and HR, then that could mean implementing two distinct schemes which could come from different certification bodies and may have differing requirements for common functions.

ISO 27701

The second method is ISO 27701, and it implements a Privacy Information Management System (PIMS). Put simply, it’s a bolt-on to ISO 27001 for specifically managing personal data processing risks, which are in addition to any other information security risks the organization might be managing.
 
A PIMS assists in compliance with Article 5 right through to Article 49. There’s a very useful table at the end of the standard which shows the mapping between GDPR and ISO 27701. Every article required by the GDPR certification schemes – 5 and 6, 12 to 39, and 44 to 48, are covered by PIMS. This includes the security of processing required by article 32 which would be covered by the 27001 certification. 
 
We have some good resources on implementing a PIMS, including our
NQA ISO 27701 Mini Implementation Guide. 

But it’s worth noting what implementing a PIMS means in addition to ISO 27001, and this inforgraphic lays them out NQA ISO 27701 Annex A Controls Analysis:

1. There are 6 additional sub-clauses: 2 for Clause 4 (Leadership) and 4 for Clause 6 (Planning)

2. 34 of the 27001 Annex A controls are extended to include privacy requirements

3. There are 31 new controls for controllers

4. There are 18 new controls for processors

So if you’re a controller and a processor then you could be including 83 extra controls in your Statement of Applicability, although it depends on the scope of your certification. It seems a lot but they’re all mapped to GDPR articles. There’s also the requirement to include ‘and privacy’ in all references to information security, such as ‘Information Security and Privacy Risk Assessment’.
 
Clearly then, implementing a PIMS ticks a big GDPR compliance box. Any organization receiving a supplier questionnaire can confidently claim compliance and provide evidence.