Privacy Integration: Boosting Your ISMS with ISO 27701 and Europrivacy Certification

The path to compliance with data protection laws such as the GDPR (General Data Protection Regulation) is strewn with potential pitfalls.

From processing personal information without a valid lawful basis to failing to implement appropriate technical and organisational security controls, there are countless ways an organisation might fall foul of the supervisory authorities and risk regulatory action.

For many, security is one of the biggest concerns. With cyber attacks and data breaches becoming increasingly commonplace, it’s critical your organisation processes information securely. But where can you turn for guidance?

The ISO 27001 standard provides the specifications for an ISMS (information security management system) that encompasses the whole organisation, covering people, processes and technology. It is supported by a range of other standards, known as the ISO 27000 family, that provide guidance on adapting your ISMS to help protect the confidentiality, integrity and availability of your information assets – whatever their type or location.

The series is broad in scope, technologically agnostic and designed to be applicable to organisations of all sizes and sectors. As technology and legal and regulatory requirements continually evolve, new ISO 27000 series standards are developed to address the changing requirements of information security practitioners. One such standard is ISO 27701.

What is ISO 27701?

ISO 27701 is a privacy extension to ISO 27001 that specifies the requirements for a PIMS (privacy information management system). Organisations that have implemented ISO 27001 can use ISO 27701 to extend their security efforts to cover privacy management, including the processing of personal information, which can help them demonstrate compliance with data protection laws such as the GDPR.

You can implement ISO 27001 and ISO 27701 together as a single project, or use ISO 27701 to extend your existing ISO 27001 ISMS.

Independently audited certification to ISO 27001 is a way of demonstrating to stakeholders that you have implemented and are maintaining information security management best practice. If your ISMS includes a PIMS, certification will show that you are securing the personal information you process according to an internationally recognised standard.

However, ISO 27001 certification is not the only mechanism you can use to demonstrate that you’ve considered your legal and contractual requirements as part of your personal data processing practices: if you are bound by the GDPR, the Regulation’s first certification mechanism was launched almost a year ago, in October 2022.

What is Europrivacy™/®?

Europrivacy is the first GDPR certification mechanism recognised by the EDPB (European Data Protection Board) as the European Data Protection Seal, as defined by Article 42 of the Regulation, in all EU member states.

Europrivacy enables organisations to demonstrate that their data processing activities comply with the EU GDPR and relevant national and international regulations.

The Europrivacy certification scheme was developed through the European Research Programme Horizon 2020, and co-funded by the European Commission and Switzerland. It was approved by the EDPB as the European Data Protection Seal on 10 October 2022.

It is managed and continually updated by the ECCP (European Centre for Certification and Privacy) in Luxembourg and its International Board of Experts in data protection, with the support of official partners such as the Italian Institute for Privacy and Data Valorisation.

How do you achieve Europrivacy certification?

To achieve certification, organisations must meet, among others, the Europrivacy GDPR core criteria, which are maintained by the ECCP and its Europrivacy International Board of Experts.

The core criteria allow organisations to assess their compliance with regard to:

  • Lawfulness of data processing;
  • Special data processing;
  • Data subjects’ rights;
  • Data controllers’ responsibilities;
  • Data processors;
  • Security of processing and data protection by design;
  • Management of data breaches;
  • DPIAs (data protection impact assessments);
  • DPOs (data protection officers); and
  • Transfers of personal data to third countries or international organisations.

Where applicable, these core criteria are supplemented with:

  • Complementary contextual checks and controls to assess technology and domain-specific obligations; and
  • Technical and organisational measures checks and controls to assess security requirements.

How can IT Governance Europe help?

IT Governance Europe’s parent company, GRC International Group, is an official partner of the ECCP to support the implementation of Europrivacy data-protection-related services.

Alongside our sister companies IT Governance UK and GRCI Law Limited, we offer a comprehensive range of services to organisations that wish to certify that their data protection practices comply with the EU GDPR and relevant national data protection laws.

IT Governance Europe is at the forefront of helping organisations implement GDPR-compliant processes and achieve certification to standards and frameworks such as ISO 27001, ISO 27701, Cyber Essentials, the PCI DSS (Payment Card Industry Data Security Standard), and others.

Our highly experienced consultants, supported by GDPR-specific tools and processes, can work with clients all over the world to ensure their data processing practices meet the Europrivacy standard and are fit for certification.

As a Europrivacy official partner, GRC International Group has been evaluated and selected on the basis of its track record and expertise in data protection.

Only the official partners are authorised by the ECCP to deliver Europrivacy-related services. You can find a full list of official partners on the Europrivacy website.

Europrivacy is an international trademark registered in several jurisdictions.

Contact us today to learn how we can help with your GDPR compliance project.
