Data Protection and Management System Standards – Which is best for me?
A question we are increasingly asked is ‘Is there a catch-all international standard that effectively
provides external verification of data protection compliance?’ It would be great if the answer to that
question was a simple yes, but currently, despite some disingenuous marketing to the contrary,
there is no official GDPR certification, either centrally or from the Information Commissioner’s
Office (ICO), i.e. the UK’s supervisory authority.
So, where should you look?
This week’s blog looks at standards in general, with a particular focus on what we consider to be the
two most prominent standards, along with some guidance on selecting the one which is likely to be
best for you and your organisation.
The European Data Protection Board (EDPB) published guidelines on the accreditation of certification
bodies under Article 43 of the GDPR, and followed up with certification and identifying certification
criteria in accordance with Articles 42 and 43 in June 2019. The ICO and other supervisory authorities
will need to use these guidelines to review and implement their own schemes – don’t hold your breath
though as this will not be an insignificant process and will take time.
So, what is there in the meantime? A simple search will quickly lead to a substantial list of ‘general’ privacy
standards and more specific standards – here are just a few as a ‘starter for ten’:
BS 10012:2017 and A1:2018 – Data protection. Specification for a personal information management system
ISO 20889:2018 – Privacy-enhancing data de-identification terminology and classification of techniques
ISO 27701 (originally named ISO 27752) (in development) – Privacy information management
ISO TR 27550 – Information technology – Security techniques – Privacy engineering for system life cycle processes
ISO 27556 (in development) – User-centric framework for the handling of personally identifiable information (PII) based on privacy preferences, a.k.a. privacy preference management (PPM)
ISO 29100:2011 and A1:2018 – Information technology – Security techniques – Privacy framework
ISO 29134:2017 – Information technology – Security techniques – Guidelines for privacy impact assessment
ISO 29151:2017 – Information technology – Security techniques – Code of practice for personally identifiable information protection
ISO 27018:2019 – Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
ISO 31700 (in development) – Consumer protection: privacy by design for consumer goods and services
This blog is going to focus on two of these that fall into the wider category of ‘general’ privacy standards – BS 10012 and
ISO 27701. OK, before we do, what is the benefit in adopting a Standard? Standards are widely regarded as representing best
practice, having been developed by a range of experts, industry practitioners, consultants, professionals and other subject matter
experts and interested parties. They have then been reviewed extensively and been subject to public consultation, where each and
every comment is considered.
OK, let’s start with BS 10012. This British standard was first released in 2009 and updated in 2017 to reflect the requirements in the
GDPR. It describes how to establish a personal information management system (PIMS) and provides a framework for maintaining
and improving compliance with data protection legislation and good practice. ISO 27752, on the other hand, is an international standard
(still in draft and due to be published later this year) which is an extension of ISO 27001.
It will enhance an existing information security management system (ISMS) with additional requirements in order that organisations
can establish, implement, maintain and continually improve a privacy information management system (PIMS), which can then be
certified. The draft standard outlines a framework for PII controllers and PII processors to manage privacy controls so that risks to
individual privacy rights can be reduced. Apart from the British versus International difference, the hawk-eyed of you out there may
have already spotted a ‘semantic’ difference – two PIMS, but one ‘P’ stands for personal and one stands for privacy!
One of the more meaningful distinctions is that ISO 27701 is structured so that the PIMS can be considered an extension to the ISMS
requirements and controls. So, in order to implement it effectively, you must have an ISMS to start with, and a certifiable one at that
if you’re looking to certify your PIMS. Another key distinction is that BS 10012 controls are specifically tailored to GDPR requirements.
For example, the BS 10012 controls around data breach notifications have the built-in requirement that data controllers have a 72-hour
window to contact data protection authorities, whereas ISO 27701 is jurisdiction-neutral in terms of its controls. There is a useful appendix
to ISO 27701 which maps to GDPR. Once other regulatory requirements are mapped, according to each organisation’s requirements,
ISO 27701 will be able to manage multiple privacy requirements and regulations.
So, the 6 million dollar question: which is best for you? BS 10012 is more suitable for UK-centric organisations whose obligations are
limited solely to complying with the GDPR, which don’t have an ISMS or an interest in establishing one, and which want to establish a stand-alone
PIMS. ISO 27701 is more suitable for organisations which have already established, or intend to establish, an ISMS and need to
comply with privacy laws in several different jurisdictions. Whichever you choose, however, will provide you with a best practice framework
to successfully manage your approach to data protection/data privacy.
Furthermore, adopting one or the other will enable you to demonstrate to your stakeholders that you have acted. One of the most
important stakeholders to think about here in the UK is the ICO. As Elizabeth Denham, the Information Commissioner, said when speaking
to the BBC in April 2018: “We’re not going to be looking at perfection, we’re going to be looking for
commitment.” (https://www.bbc.co.uk/news/technology-43657546). Adopting BS 10012 or ISO 27552 certainly demonstrates commitment!
If you would like to explore how URM’s consultancy and training services can benefit your organisation, we offer a ‘no obligation’ discussion with a senior member of our consultancy team. Please let us know the specific challenge you are facing within our areas of expertise e.g. information security (ISO 27001, PCI DSS) and data protection (GDPR, DPA 2018) so that we can arrange a discussion.