What is the interest of ISO27701 – Data Privacy for ISQe?

This was the question ISQe asked before deciding to invest in ISO/IEC 27701:2019 certification – Data Privacy.

And the answer was, because we need:

• Increase the quality and trust in our work processes, ensuring that personal data are treated in a way that maintains integrity and confidentiality;
• Increase the knowledge of all ISQe employees on the criticality of personal data, through training and awareness-raising actions;
• Aumentar o controlo sobre os dados pessoais dos quais o ISQe é responsável pelo processamento ou tratamento garantido que toda a atuação sobre os dados é feita de forma licita, leal e transparente.

But is the General Data Protection Regulation, known as GDPR, not sufficient for ISQe's purposes?

No. ISO 27701 and the GDPR have many overlapping objectives because they both aim to strengthen data privacy and focus on the process of obtaining, managing and protecting data, but while they focus on the same general requirements, ISO 27701 and the GDPR have some important differences.

The most notable difference between ISO 27701 and the GDPR is in their application. The GDPR is a set of requirements that focuses on the protection of personal data, the confidentiality of data and the management of risks to the rights of individuals by providing a set of standards that the ISQe already complied with, but does not provide technical details on how the ISQe must maintain these necessary security levels.

The ISO 27701 standard, in turn, offers real guidance to ISQe on how we can improve security measures, what policies we can apply and how we can reduce the risk of any incident, and fills the GDPR gap on how to maintain security levels, providing measures that ISQe can take to reduce any security threat. In other words, the GDPR identifies requirements and ISO 27701 offers solutions.

ISO 27701 is an extension of ISO 27001, the international information security standard. ISQe is already ISO 27001 certified and therefore can apply and comply with ISO 27701.

In conclusion, certification to ISO/IEC 27701:2019 allows all ISQe business partners to:

• know, at all times, the rules and principles relating to the protection and processing of personal data, because we guarantee transparency;
• know that personal data are processed lawfully and impartially and that they are collected and processed for specified, specific, explicit and legitimate purposes and kept only for the necessary period;
• are informed that the personal data requested are adequate, relevant and limited to what is necessary, taking into account the purposes for which they are processed;
• know that personal data are accurate and, where necessary, rectified and updated.

Dina Domingues | Quality Manager, ISQe