ISO 27701:2019

ISO/IEC 27701:2019, new standard for the Management of Privacy and Compliance with the GDPR

The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have developed a new standard to provide business advice in order to effectively manage the privacy of information and ensure the connection between current requirements for management systems and Data protection legislation.

The 27701 norm is born before the need to certify the management of privacy in the business environment, as an extension of the 27001 and 27002 norms.

ISO 27701 specifies the requirements to establish, implement, maintain and continually improve an Information Privacy Management System (SGPI), based on the requirements, controls and objectives of ISO 27001 on Security Management Systems requirements. Information (ISMS), and recommendations on good practices for information security of ISO 27002.

  • This standard is a good way to demonstrate to customers, suppliers, authorities and other interested parties that effective management systems have been implemented to achieve compliance with the GDPR and other privacy laws.
  • It establishes different requirements and new controls in the matter of security, depending on the role played by the organization, either as responsible or in charge of the treatment.
  • It presents a mapping of the clauses and articles of the GDPR, making reference to the principles related to data processing, compliance with the legitimacy bases of the treatment, the obligation of transparency and information, the exercise of the rights of the interested parties, the impact assessments, notifications to the Control Authority, appointment of the Data Protection Delegate, among others, in addition to the requirements of proactive responsibility, in terms of security and international transfers of personal data.
  • It allows certifying compliance with good practices in the field of personal data management in the organization.

Organizations that want to be certified in ISO 27701 to comply with the GDPR, must have a certified ISO 27001 information security management system, or implement ISO 27001 and ISO 27701 jointly.

These are some areas in which ISO 27701 contributes to the work of those responsible and responsible for the protection of privacy:

  • Provides security guarantees on the processing of personal data.
  • It incorporates the management of privacy in the risk management of the company.
  • It controls the existence of mechanisms for the notification of privacy gaps.
  • It establishes clear roles and responsibilities about treatments.
  • It improves contract management with treatment managers.
  • It checks the activity log of treatments.
  • It helps to implement privacy by design and by default in treatments.
  • It guarantees that the owners of personal data are allowed to exercise their rights over them.
  • It provides transparency to shareholders and efficiency in managing personal data processing.