ISO 27701 & GDPR: Adoption Issues Ahead

Many organisations and advisers are looking for a clear, achievable way to demonstrate GDPR compliance status to the board and customers.  Even better if it shows them the way to be compliant in the first place. Is ISO 27701 the solution?

We’d love to be wrong, but we think the answer is no.  Even if 27701 is approved as a GDPR certification (which we hope it is) there are signs that it may only work for less than 1% of organisations.  We’ll explain why below, but the statistic that fewer than 100 ISO 27001 certificates were in issue in 47% of the EEA 30 countries in 2018 is a surprising statistic to start with.

Let’s start with GDPR and then look at ISO 27701.

Download the full PDF

How to comply with GDPR?

That’s the 20-million euro question (or 4% of global turnover if higher) that boards, executive committees, in-house lawyers, and technology and compliance teams are grappling with around the world.  Capgemini reported that 28% were compliant with GDPR in June 2019, a year after GDPR came into effect.

A far lower figure than the 78% who had said, more than a year before, that they’d be compliant when GDPR came in.  What happened?

GDPR has worked its way into board reporting, investor and vendor due diligence and internal and external audit.  So, in the above context, a standardised and recognised way to demonstrate their GDPR status to internal and external stakeholders would be very welcome to organisations around the world.

‘GDPR-Approved’ Privacy Standards: Codes of Conduct & Certifications

The only way an organisation can say they’re ‘officially’ certified to GDPR (under Section 5 of the GDPR, Articles 40 to 43) is by audited compliance with either a ‘GDPR-approved’:

• code of conduct created by a trade association or representative body, or
• standard, seal or mark, which could be more generally applicable.

(By GDPR-approved, we mean the code, standard etc has been approved under GDPR as appropriate by the competent supervisory authority and/or the European Data Protection Board.)

GDPR says all forms of codes and certification schemes are welcome, so while there are precious few to date, we may end up with a huge number and variety.  And GDPR recognises that SMEs make up the vast majority of businesses. In Articles 40 and 42, GDPR stresses such schemes should take into account ‘the specific needs of micro, small and medium-sized enterprises’.

If a code of conduct, certification, seal or mark isn’t recognised appropriately under GDPR, then it’s all well and good but it is most definitely not an ‘official’ certification.

Existing Standards & Codes

Quite a few standards, seals and systems addressing privacy have been in the market for some years now.

Arguably the best standard for GDPR is the British Standard BS 10012 from 2009, updated in 2017.  It establishes your Personal Information Management System in alignment with GDPR’s principles. Sounds very good but, again, it’s still not yet ‘GDPR-approved’.

There are various ISOs, such as ISO 29001 which addresses privacy controls in ICT systems and services, and 27018 which addresses protection of personally identifiable information (PII) in public clouds – not as yet GDPR-approved.

And there are various seals such as the Privacy Seal available from the French Data Protection Authority, CNIL.

The first few Codes of Conduct are working their way through the GDPR-approved process, which itself is in early stages.

– In June 2019, the European Data Protection Board (the EU body made up of national and EU Data Protection Authorities, essentially in charge of GDPR) issued its Guidelines on Codes of Conduct under Articles 40 and 41 of GDPR.

– And in December 2019, for example, the EDPB approved the UK Data Protection Authority (ICO)’s requirements for Codes of Conduct Monitoring Bodies.  So the ICO can now approve Codes and Monitoring Bodies.

All sound clear and simple?  Know where to look? If only there was a single standard, an internationally accepted indicator of compliance.

ISO 27701 to the rescue?

Enter ISO 27701.  It’s an extension to the respected international security standard, ISO 27001.  You first get your Information Security Management System certified against ISO 27001, and then you have your Privacy Information Management System certified against ISO 27701.

Even though ISO 27701 hasn’t (yet) been officially approved as a benchmark for GDPR compliance, this at first seems very attractive: the ISO is a hugely trusted party, international standards are very well-respected and there’s lots of expertise in 27001.  But even if 27701 is officially approved under GDPR, how well-adopted might 27701 be?

Adoption rates for 27001 may give us a clue, particularly as 27701 is an extension to this established security standard, which has been around for 15 years (and the prior British standard for even longer).

ISO 27001 Adoption

ISO 27001 is focussed on security, one of the top concerns of organisations around the world for many years now.  Security teams and departments are a well-established part of many organisations, CISO is a well-established role, and there’s a universe of providers and solutions addressing each aspect of security from the cyber (firewalls and encryption, access control and VPNs, etc) to the physical (alarms, access systems, etc).

But, even in such an established area, the adoption stats aren’t high for 27001 in the context of driving GDPR compliance.

Using the ISO’s own Survey for 2018 for the number of certificates against ISO 27001 per country, and Eurostat business population statistics for 2017, you can see that many countries aren’t getting above 0.05% adoption on 27001.  Indeed the ISO reported just 31,910 certificates issued to organisations for 27001 worldwide.

The ISO did note that the number is less than 2017 for various reasons, including over-reporting by some organisations and lack of participation by some important certification bodies.  Like all stats, these need a pinch of salt, but they are the ISO’s own figures. ISO reported 33,290 for 2016, and 39,501 for 2017, so it’s ballpark and consistent.

27001 in Europe

Looking at the ‘EU27’, Germany has the most, at 1,057 and Italy is second at 1,041, some way ahead of the Netherlands in third at 788.  The UK, at 2,444 certificates, had more than twice the number of Germany.

But as a percentage of business population:

According to the ISO’s 2018 Survey, 47% of the EEA30 (14 countries) had fewer than 100 certificates issued for ISO 27001

Lessons for Adoption

While any movement from such an august and respected body as the ISO is very welcome, the above statistics do not suggest that 27701 will enjoy widespread adoption, particularly among SMEs.  There’s always the chance that, if 27701 is officially ‘GDPR-approved’, the pressure to comply with GDPR will increase adoption of 27001 and then 27701. But given the most popular international standard (ISO 9001 for quality) still only has just over 1m certificates issued worldwide, it’s a long road to travel.

Given the figures above, and what we hear in the market, we believe a much simpler approach than a typical ISO is required for mass adoption and Security can provide lessons here too.

Lessons from Security

Staying with the world of Security, in 2014 the UK Government introduced Cyber Essentials as a pared-down alternative to ISO 27001.  Cyber Essentials focusses on 5 key risk areas addressing low-hanging and common security risks – and you can self-certify.  Sounds much easier, yes?

The UK’s NCSC says that just under 30,000 certificates had been issued by June 2019.  That’s very good in a few years, no doubt due to the cheaper cost and greater simplicity.

But if you take that as 30,000 organisations right now, then that’s still only 1.18% of UK businesses on those Eurostat population numbers.

That’s a wonderful stat for a private-sector vendor but not so great if you’re talking about a national standard for mass adoption, or GDPR.

The excellent NCSC recognised this in their review and update of Cyber Essentials in 2019, stating: ‘...whilst 30,000 certificates is a big figure, it’s a small percentage compared to the number of organisations out there in the UK.’  And that, after ‘an extensive consultation exercise, across a whole range of organisations and individuals in different sectors, aimed at understanding their experiences of Cyber Essentials’ they had a series of findings, which they’re implementing or addressing in a series of well-thought out improvements.

Even though Cyber Essentials is much simpler than 27001, and is still focussed on the established area of security, the NCSC’s consultation on it revealed common messages:

You can see how all of these might end up being relevant to a possible panoply of GDPR codes, certifications, seals and marks.

It’s important to note that not all findings were negative.  In particular:‘finally, there was also an appetite to explore other “levels” of confidence outside of what we know today as Cyber Essentials and Cyber Essentials Plus.’

This is encouraging and we believe is also reflected in GDPR-land.  In desperation, organisations are looking to other regimes they’re familiar with, such as Cyber Essentials, 27001, NIST and others, often security regimes, so they can plan programs to a measurable and achievable process.  Interestingly though, this hasn’t (yet) been reflected in a large boost in certificates for ISO 27001. It can take a year to achieve certification, so perhaps we’ll see an uptick for 27001 in the next few ISO Surveys.

Where does this get us?

Our research on 27001 and Cyber Essentials confirms our belief that GDPR has a mountain to climb to get widespread compliance in organisations.  Privacy may be the new Cyber, but even in that established industry, adoption of ISOs is low. This doesn’t bode well for mass adoption of 27701, even more so as it’s an extension to 27001.

Organisations need a simple and achievable route to compliance and to demonstrate their status.  Given the lessons from ISO 27001 and UK Cyber Essentials, it needs to be very straightforward to get anywhere near mass adoption.  And, as recent EU papers have stated, GDPR needs to be better clarified and understood.

In our view, a wide range of industry-specific certifications, codes or badges (possibly covering only part of GDPR) has an uphill task in fulfilling the needs of business in particular the need for confidence in the supply chain.  One, or a few, will need to emerge over years as the preferred proof point.

We wish all of the projects, including 27701, great success.  It’s in all our interests for there to be a broader and better level of GDPR compliance across all sectors.  We’ll watch this area with interest.

How Keepabl can help

Keepabl’s GDPR SaaS solution is an out-of-the-box solution to help ‘get the job done’ on GDPR.  Be set up and running, and see the value, that same day.

A simple, intuitive interface supports intelligent linking and processes in the background to instantly create necessary reports and gap analysis to move you forward and help maintain compliance.

Keepabl also enables a simple way to demonstrate your compliance to internal and external stakeholders.  You can add and remove users as you wish and give them tailored View/Edit/Hide access over modules.

Please do contact us to discuss your GDPR journey and see how good SaaS can help.

Download the full PDF