Getting to know ISO

Published on: September 6, 2021 Published in: Data Protection News

A feature of every person’s life in the developed world at present is that we hand over an increasing amount of information to businesses and individuals. It is a feature of daily life: if you are reading this online, the chances are that all of the places you visited before you came here today involved you leaving cookies, tiny pieces of data about yourself, as you browsed. This is often passive on the part of the viewer, who remains unaware of it.

A consequence of this is a rise in threats to our information from cyber criminals and other threat actors who seek to profit from either exploiting or selling the information you give away. Protection of your data is paramount in ensuring that the integrity of your personal life remains intact while you go about your day. An entire sector dedicated to the protection of your information has been established, including us here at i3Secure. If you work within a business you are bound by data privacy regulations, which have been established to ensure that information given to you by your customers is protected and handled in a safe and fair way. A patchwork of legislation exists internationally. In the UK we have the Data Protection Act 2018 and, even in a post-Brexit world, the UK GDPR.

GDPR remains applicable across the EEA, including select non-EU countries, so understanding and ensuring compliance with this legislation remains as vital as ever to all businesses in the UK. Other countries have also introduced privacy regulations and update these frequently to keep pace with changes to the GDPR and other international legislation. It can be a little overwhelming to try to track this within your business unless you devote significant time and resources to it. To help with this, an international standard for privacy information management, ISO 27701, has been developed. Uniquely, this standard is an extension of an existing information security standard, ISO 27001, meaning that if you already hold the latter, you have the foundations needed to construct an effective data privacy management system.

What Is ISO 27701?

ISO 27701 is a data privacy extension to ISO/IEC 27001. As the international management system standard for the protection of privacy in information processing, ISO 27701 is related to all the requirements stated in the data protection regulations like the GDPR. This standard is updated regularly, and the newest extension was written to support other privacy regulations like GDPR.

The 27701 standard applies to all businesses, whether you act as a controller or processor of personal data. Implementing this standard brings many benefits, not least giving assurance to your business and its stakeholders that data privacy is taken seriously. The presence of an ISO certificate will have a desirable effect when it comes to facilitating any future business arrangements with your customers. As you will already have, or will concurrently implement, an information security management system alongside this standard, you can also demonstrate strong security management and extend or validate your current security practices.

UK GDPR

The UK GDPR is the culmination of years of data privacy practice wrapped up in a single piece of regulation. Its primary focus is on the protection and privacy of individuals’ personal data. All businesses within the UK must adhere to the regulation, and some high-profile organisations have publicly fallen foul of it and been left with significant financial penalties to pay. The regulation definitely has teeth, so ensuring that your business is compliant should be a mandatory undertaking.

This regulation determines how businesses, across all sectors, can collect and process personal data and sets out limitations on how this can be done. For example, if customers choose to provide you with their personal data, you must only process this information in a way that is compliant with the UK GDPR; you cannot avoid it.

The ISO 27701 standard and the GDPR have both been implemented to ultimately protect individuals and consumers from exploitation by businesses and criminal elements. The standard and the regulation enjoy a happy marriage in the way they provide the foundation for ethical data privacy practice. Both the standard and the UK GDPR advise risk-based thinking, which is critical to ensuring the security and confidentiality of data. They also both require businesses to retain accurate documented information to allow for review and audit; responding to requests for information and ensuring you can accurately locate and remove personal data when mandated is paramount in this process. Holding ISO 27701 certification will give confidence that you can achieve this.

Implementation of ISO 27701

ISO 27701 is an extension to ISO 27001. This means you cannot obtain ISO 27701 certification in isolation from ISO 27001; you will need to have the latter to achieve the former. If you are lost, don’t worry: we can help you put both of these things in place and get you ready to achieve certification. Our team have extensive experience in both data privacy and information security and stand ready to answer any question you have before you embark on this business-enhancing undertaking.

UK companies must provide secure processing for personal data; however, the UK GDPR does not specify any technical measures, and this is where the standard takes over. At the time of writing, demonstrating compliance with the UK GDPR purely via a certification scheme is not possible. The UK GDPR does allow for such schemes, but none have yet been approved for use in the UK. ISO 27701 does ensure that compliance with the UK GDPR is fully understood and that documentation is retained to demonstrate this. At present ISO 27701 is the closest thing to a UK GDPR compliance scheme available to UK businesses.

ISO 27701 implementation with i3Secure

New laws spring up constantly, and adjustments and amendments to existing legislation are a natural fact of life, but they have significant implications for how businesses can use data within the current patchwork of regulation and legislation. Data protection and security of information are key features of the modern world, never more prevalent than during the recent pandemic, when the exchange of personal data grew to unprecedented levels. Ensuring that you get it right will provide your business and its customers with the confidence to move forward and operate effectively and safely in today’s world. i3Secure can help you put things into place and has a range of options for the maintenance and monitoring of your management systems, from annual visits through to acting as your organisation’s virtual Data Protection Officer or Information Security Officer.

Speak now to one of our team, for a free, confidential scoping discussion and let us keep your business compliant, safe and secure.
