
The GDPR: How can an organization comply?

Since May 2018, every organization that stores or processes the personal data of individuals located in the European Union is subject to the General Data Protection Regulation (GDPR).

Whether the organization is Canadian, Belgian or Chinese makes no difference: the regulation applies according to whose data is processed, not where the organization is based.

Quebec companies are wondering whether they are affected by the GDPR. Often they have European employees, or they have clients that process the personal data of people in the EU. In such situations, these organizations must comply with the GDPR.

The other question Quebec businesses are asking is: how can we obtain a GDPR accreditation?

In fact, there is no formal GDPR certification. Articles 42 and 43 of the GDPR set out general principles for certification mechanisms and certification bodies, but they define no certification standard. In Europe there is a persistent myth that ISO 27001 amounts to a form of GDPR accreditation, but that is not the case: ISO 27001 covers some, but not all, of the GDPR's requirements. So what do we do?

The new ISO 27701 framework seeks to address this gap. Published in 2019, it is intended as a framework entirely dedicated to privacy management. However, it is an extension of ISO 27001 and must be paired with it. So, could a company that is already ISO 27001 certified become GDPR certified by implementing ISO 27701?

Yes, but only in part. The authorities responsible for the GDPR have not designated any specific certification. Will ISO 27701 become, de facto, the certification standard for the GDPR? Many people and institutions close to the GDPR market believe or hope so.

What we are really looking at is a battle between international standards. The European authorities have not designated a specific standard that proves, beyond any doubt, that the GDPR has been complied with. The belligerents are ISO 27001 and ISO 27701, which dominate in Europe, against the American SOC 2 attestation framework.

Can we expect ISO 27701 to be treated, de facto, by the European authorities as the standard to meet in order to be GDPR compliant? Bets are open.

My experience with North American clients tells me that three trends are emerging:

1) Companies that already hold ISO 27001 certification will undoubtedly want the new ISO 27701 certification to demonstrate that they address the various requirements of the GDPR;

2) Companies that already have a SOC 2 report will want to add the Privacy category of the Trust Services Criteria to their report to demonstrate GDPR compliance. SOC 2 also acts as an aggregator of other frameworks: an organization can map controls drawn from ISO 27701 onto the criteria of the SOC 2 Privacy category;

3) Organizations that have no certification will have to decide which one is most appropriate for them. Companies whose clients are mainly European will be drawn to the ISO 27001/27701 duo, while those whose clients are mostly North American will be drawn to SOC 2 reports.


Whichever standard wins, managing personal data has become a critical issue that few companies can avoid. Whichever approach is chosen, the debate remains open.


* Service Organization Control (SOC 2)
