
6 Eur. Data Prot. L. Rev. 194 (2020)
ISO/IEC 27701 Standard: Threats and Opportunities for GDPR Certification


ISO/IEC 27701 Standard: Threats and Opportunities for GDPR Certification
Eric Lachaud*
The paper assesses the possible consequences for Article 42/43 certification of the publication of the ISO/IEC 27701:2019 standard. This new ISO standard establishes a management system that aims to manage 'the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.' The conformity with the standard's requirements is certifiable by the private conformity assessment bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification has many assets to dominate the market of data protection certification. It offers operational advantages to businesses that are looking for a readymade solution to streamline information security and data protection. A strong uptake of ISO/IEC 27701:2019 based certification could threaten Article 42/43 certification by creating two competing approaches of data protection compliance. But it could also offer the opportunity to improve the general level of data protection and encourage the European supervisory authorities to clarify the relationships they intend to establish with ISO privacy standards.
Keywords: certification, privacy, ISO, self-regulation, standardisation

1. Introduction
The publication, in August 2019, of the new 'certifiable'1 ISO privacy standard, presented as a management system standard designed to manage 'the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data', was an event in the data protection2 community, which still languishes3 waiting to see the first approved Article 42/43 certification scheme four years after the enactment of the GDPR.

The ISO/IEC 27701:2019 has been designed by ISO as 'an enhancement to ISO/IEC 27001:2013 information security standard for privacy management'. The ISO/IEC 27001:2013 specifies a series of requirements for establishing, implementing, and maintaining an Information Security Management System (ISMS). The ISO/IEC 27701:2019 proposes a set of additional requirements and guidance dedicated to the protection of personal data. The Personal Information Management System (PIMS)4. The PIMS is

DOI: 10.21552/edpl/2020/2/7
* Eric Lachaud is a Researcher at the Tilburg Law School, Tilburg University. For correspondence: <E.Lachaud@tilburguniversity.edu>.
1 The conformity to the content of the standard is certifiable but not the standard itself.
2 Data protection may sometimes also refer to data security matters. The author of this paper uses the word 'data protection' as defined in Recitals 1 and 2 GDPR.
3 Natalie Maier and Tamer Bile, 'Die Zertifizierung nach der DSGVO: Innovatives, aber hochkomplexes Instrument' (2019) Datenschutz Datensich 43, 478-482.
4 The Personal Information Management System (PIMS) is deemed an extension of the Information Security Management System (ISMS), but ISO does not provide any definition of the PIMS. ISO/IEC 27000:2018 defines the ISMS as a series of policies and procedures aiming to protect the information assets of the company. Thus, one can infer that a PIMS is a series of policies and procedures aiming to protect personal information held by the company. A PIMS is also sometimes defined as the systems offering end users a means to self-manage their own personal data. For instance, the EDPS defines a PIMS as 'systems that help give individuals more control over their personal data. PIMS allow individuals to manage their personal data in secure, local or online storage systems and share them when and with whom they choose'. See <https://edps.europa.eu/data-protection/our-work/subjects/personal-information-management-systemen> accessed on 1 January 2020; see also Mohammad Rustom Al Nasar et al, 'Personal information management systems and interfaces: An overview' (International Conference on Semantic Technology and Information Retrieval, Putrajaya, June 2011).
