Ever since it became a reality – that is, from a few years before it became law – the GDPR (General Data Protection Regulation) has had a lot of press. It has single-handedly raised the profile of privacy worldwide and that could be considered one of the great achievements of the European Union in recent years. So everyone has heard of the GDPR even if they don’t claim to fully understand it (let’s be honest – who does?). The ISO27701 standard is perhaps a different matter, so we thought we’d do our bit to explain how it fits in with the GDPR, and what the main differences are.
The GDPR is a regulation that applies directly to all of the member states in the EU, and to any organisations outside the EU who process the personal data of its citizens. This latter point is an important one which we will come back to later. The Regulation puts legal responsibilities onto those organisations who collect this personal data (the controllers) to look after it and not give it to anyone else who might do anything undesirable with it – things that the person they collected it from (the data subject) wouldn’t reasonably expect.
The data subject also gets a number of rights over their data, including to expect it to be accurate, processed responsibly for the reason it was collected (and no more) and in some cases to have it back if they choose to. These rights do depend on the lawful basis of the collection so the data subject doesn’t have total power in some cases, for example if the personal data is used for tax purposes.
The GDPR requires that every organisation that collects and processes EU personal data must have reasonable control over many issues such as:
And the fines that could apply, if any of these things is found not to be as it should be, can be substantial.
So even for a small business, compliance with the GDPR (and its twin, the UK GDPR) can be a headache.
The danger with getting your GDPR compliance up to speed is that you do it once and then it gradually becomes more and more out of date and ineffective. Then you suffer a breach and it looks like you’ve been ignoring your responsibilities, resulting in you being told off and possibly fined.
So what you really need is a kind of GDPR management system: a framework that ensures you keep everything up to date and your personal data secure. This is effectively what the ISO/IEC 27701 standard provides: a set of requirements that together help you to comply, and keep complying, for as long as you need to. ISO27701 is a “plug-in” to the popular ISO27001 information security standard, so it extends an information security management system (ISMS) into a privacy information management system (PIMS). This means that you will set objectives, perform risk assessments, do internal audits and hold management reviews to really keep tabs on how your GDPR compliance is shaping up.
And the good news is that you can become certified to the ISO/IEC 27701 standard, so you can demonstrate with credibility that you take privacy seriously.
Complying with the GDPR is high up on the agenda of many organisations, but it may not be the only privacy law that must be complied with. Following the European Union’s lead (and in some cases long before it), many other countries and states have been busily creating privacy legislation. And if you collect and process the personal data of their citizens, you will need to comply with their laws too. This means that if you have an international customer base, things are progressively getting more complicated as time goes by. For example, Canada and Australia have had privacy laws for a while, and recent additions include Brazil, China and the US state of California, to name but a few.
So how do you keep track of all of these laws, and understand how to comply with them? Again, ISO27701 can help. The framework you use to manage your GDPR compliance can be extended using a PIMS to cover all of the legislation that applies to you. A general rule of thumb is that the GDPR is the most demanding legislation so far, and if you meet its requirements you’re probably OK for the rest of the world too. But there will still be variations, such as whether a data protection officer is required.
In summary then, the GDPR is an EU privacy law, and the ISO27701 standard is a framework that helps an organisation comply with not only the GDPR, but any other privacy legislation that is relevant to your organisation’s business operations. Because of this, ISO27701 must be seen as a valuable tool in any compliance programme that seeks to keep pace with the rate of change in privacy worldwide.
Written by CertiKit’s CEO Ken Holmes, who is a CISSP-qualified security and data protection specialist, and also holds the internationally-recognised Certified Information Privacy Professional – Europe (CIPP/E) accreditation.
Whatever data protection Regulation or Standard you’re looking to comply to, CertiKit can help. We have toolkits available for the EU GDPR, UK GDPR and ISO27701. Our toolkits include all of the written guidance and documentation your business will need to comply quickly and easily.