More and more frequently, we encounter the question of whether there exists a universal international standard that can definitively demonstrate external verification of data protection compliance. While it would be ideal to provide a straightforward affirmative response, the reality is that, despite misleading marketing claims, there are only three UK GDPR certification schemes that have received approval from the Information Commissioner's Office (ICO), the supervisory authority in the UK.
These approved certification schemes are narrowly scoped to specific purposes and are not intended to serve as an all-encompassing international standard for validating data protection compliance. It is therefore worth exercising caution when assessing claims by providers or services that they can offer comprehensive external verification of compliance with the GDPR principles. At present no catch-all international standard exists, and organizations should weigh the specific requirements and limitations of the available certification schemes when seeking external verification of their data protection compliance efforts.
So, where should you look?
This blog looks at data protection standards, with a specific focus on two prominent ones. As noted above, only three purpose-specific UK GDPR certification schemes have been approved by the Information Commissioner's Office (ICO) to date. In the meantime, there are various "general" privacy standards available.
Some notable examples include:
BS 10012:2017 - A British standard that provides a framework for establishing a personal information management system (PIMS) and ensuring compliance with data protection legislation and best practices.
ISO 27701:2019 - An international standard that extends an existing information security management system (ISMS) with additional requirements for establishing and maintaining a privacy information management system (PIMS). ISO 27701 allows organizations to manage privacy controls and reduce risks to individual privacy rights.
BS 10012 is more suitable for UK-centric organizations focused on GDPR compliance and seeking a stand-alone PIMS without an existing ISMS. ISO 27701, on the other hand, is more appropriate for organizations with an established or intended ISMS and the need to comply with privacy laws in multiple jurisdictions, including GDPR compliance.
Both standards offer a best practice framework for managing data protection and privacy effectively in support of GDPR compliance. By adopting either standard, organizations can demonstrate their commitment to data protection and GDPR compliance to stakeholders, including regulatory authorities such as the ICO.
It's important to note that achieving perfection in data protection and GDPR compliance is not the expectation. Instead, demonstrating commitment through the adoption of recognized standards like BS 10012 or ISO 27701 is highly valued by regulatory bodies and showcases an organization's dedication to upholding the principles of GDPR compliance.