For many, a data protection standard is the holy grail in assisting them to comply with data protection laws. Data protection standards often provide very practical actionable controls (almost a checklist) that they can implement in order to protect data and therefore comply with the law and get certified. In this article, we will:
- discuss the legal framework for data protection standards,
- give you links to standards that have been published, and
- explain their role in data protection or GDPR certification.
Please note that in this article we are not talking about a specific company's data protection standard or policy. It is also not about binding corporate rules. Some organisations have their own data protection standards that apply specifically to their organisation. In our view, they are using the incorrect terminology: they should rather refer to their standard as a policy, because a standard is something that applies to many organisations across an industry or to everybody, not to one particular organisation. There is obviously also a big difference between data protection law and a data protection standard; they are not the same thing. Data protection standards are similar to, but different from, codes of conduct.
Does the law allow for data protection standards?
The short answer is yes. The GDPR and many other data protection laws around the world create and allow for the creation of data protection standards. Most data protection laws are principle-based laws, and a standard translates those principles into specific controls that can be implemented. According to Article 43 of the GDPR, “The Commission may adopt implementing acts laying down technical standards for certification mechanisms and data protection seals and marks, and mechanisms to promote and recognise those certification mechanisms, seals and marks.”
Which organisations have currently published data protection standards?
- Bureau Veritas has released a GDPR & personal data protection technical standard which you can download and read. In our view, this is currently the best standard available. They also refer to it as the technical standard related to personal data protection in compliance with Regulation (EU) 2016/679 (aka the GDPR).
- The BSI has a British standard on data protection (first released as BS10012:2009 and then updated to BS10012:2017), which is a specification for a personal information management system. The standard appears to be outdated, as it provides a framework for establishing best practices and improving compliance with the Data Protection Act (DPA) 1998 and not 2018. You can read about how the 2009 standard was revised in 2017.
- As far as we are aware, SANS does not have a data protection standard.
- ISO has ISO/IEC 29100:2011, which provides a privacy framework and ISO/IEC 29101:2013, which provides a privacy architecture framework.
- ISO has ISO/IEC 27701:2019 for privacy information management – requirements and guidelines.
- ISO/IEC 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).
- ISO/IEC 27018:2019 is a code of practice for protection of personally identifiable information (PII) in public clouds for organisations acting as PII processors.
How does the data protection standard help with certification?
In order to be certified as complying with data protection law, it is necessary to have a standard that an organisation can be audited against, so that a clear finding can be made that the organisation complies or does not comply. In short, therefore, a data protection standard enables organisations to become GDPR or data protection certified.
If you pass an audit that you comply with the standard, you can be certified.
How do you comply with a standard?
We have designed our Data Protection Compliance Programme so that once you have completed the programme you should be able to pass an audit checking whether you comply with the Bureau Veritas data protection technical standard and therefore gain certification.