Certification and the GDPR

Hi all,

I've been looking into the subject of certification within the GDPR articles, and it is clear to me that the current format of management system certification, as applied by the certification and accreditation bodies, won't currently support the GDPR's requirement that certification bodies be accredited to ISO 17065. Most certification bodies in the UK are accredited against ISO 17021 (conformity assessment: requirements for bodies providing audit and certification of management systems). They are accredited by national accreditation bodies such as UKAS and have to undergo periodic reassessment no more than five years apart.

Whilst ISO is bringing out a new standard for privacy information management, ISO 27701, surely it would have been wiser for the EU to align the requirements of GDPR Articles 42 and 43 (Certification and Certification Bodies) with ISO 17021? Let me explain...

ISO 17021 is the standard that certification bodies are accredited against when they want to certify companies and organisations to a known management system standard, such as ISO 9001 or ISO 27001. What has happened is that, when the GDPR was written, the EU chose an accreditation standard (ISO 17065, which covers bodies certifying products, processes and services) that does not align with management system certification. ISO 27701 is written as an extension to ISO 27001, so certification against it will be delivered by bodies accredited to ISO 17021, the management system accreditation standard, and will therefore not on its own be sufficient as a GDPR certification. Organisations that implement ISO 27701 expecting it to serve as their GDPR certification will find themselves coming up short.

So why has the EU done this? Why didn't they align the GDPR to ISO 17021 and so support company management systems? It doesn't make sense, unless they want the fines to increase. People in companies, businesses and organisations worldwide will want to support their data protection systems via a known standard that helps them implement the legislation. So where does that leave organisations wishing to implement ISO 27701? In my opinion, for a lot of companies it leaves us with no choice but to embrace it and take it on board as an addition to ISO 27001. I wrote just last week about the benefits of ISO 27001 certification, and they all apply when you implement ISO 27701. It's all about reducing risk, and a known standard will help you to do that.

To summarise, I feel that ISO is doing the data protection sector a big favour here, but why not align the GDPR to ISO 17021 instead? That's the accreditation standard behind the management system certifications companies already use to drive down risk. Only the EU knows.

I also think that certification bodies wishing to facilitate and support companies with regards to data protection will find themselves forking out more costs to gain ISO 17065 accreditation in the first place. Maybe that's what the EU wanted? But it has certainly ignored ISO 17021, and that will be to the detriment of organisations worldwide.

Steven Burgess is a consultant to companies in the UK and also the Data Protection Officer for Disclosure Services Limited, a company that processes data relating to criminal record checks.