Companies today face increasing pressure to implement strong cybersecurity controls. While the U.S. has no comprehensive cybersecurity law, many organizations still fall under state, international, or industry regulations. Two of the most prominent controlling publications are the General Data Protection Regulation (GDPR), which has the force of law, and the ISO 27701 standard, which is a guiding framework.

Both of these documents apply to an increasing number of businesses. As the world grows more interconnected and reliant on digital data, the reach of these documents is expanding as well. It becomes critically important to understand how each might affect one’s organization.

What Do ISO 27701 and GDPR Cover?

On the surface, ISO 27701 and GDPR are entirely different. The GDPR is a mandatory regulation for companies handling European data, and ISO 27701 is an extension of an optional certification, ISO 27001. Despite their differences, they contemplate many of the same considerations.

The GDPR and ISO 27701 both aim to strengthen data privacy, and to that end, they have many similar requirements. Both emphasize risk assessment, data confidentiality, record-keeping, and minimizing privacy risks at every stage.

Both also prescribe responsibilities for breaches. Under the GDPR, businesses have 72 hours to report a breach; ISO 27701 indicates that companies should contact authorities quickly, but does not specify a timeframe.

While there is much overlap between the two, the GDPR is a broad regulation. ISO 27701 is narrower in scope, but it offers more specific actions than the GDPR. Both can be crucial tools for any organization dealing with customer data, and in some cases, can have substantial ramifications.

How Will ISO 27701 Affect Your Organization?

Even though ISO 27701 is an optional certification, and not a law, it can still have a