It’s unavoidable. Whether in business or privately, our increasingly digital lives revolve around the exchange of data. In an increasingly digital world, the security and privacy of personal data have become critical concerns for individuals and organizations alike.
To address these concerns, regulations like the General Data Protection Regulation (GDPR) and international standard families like ISO 27000 have emerged.
And with so many regulations and standards in place, it can be easy to get overwhelmed by all the lawyer-speak. We’re going to break them all down so you can:
Understand GDPR compliance and ISO 27701 and ISO 27001 conformity.
Learn how GDPR and ISO are different but work together.
Discover how Dealfront’s go-to-market platform measures up to the strict EU standards.
Disclaimer: The information we’re offering here can serve as a helpful guide to understanding data protection and e-privacy restrictions. However, we are not offering any kind of legal advice. If you require legal advice after reading the information here, we recommend you consult a lawyer who can advise you and answer questions related to your specific situation.
What are GDPR and ISO?
You’re probably already familiar with the GDPR and ISO, but let’s take a quick look as a refresher!
What is the GDPR?
The EU rolled out the General Data Protection Regulation in 2016, and gave companies until May 25th, 2018 to comply. But what do the regulations actually entail?
The GDPR regulates the data protection principles and gives extensive rights to individuals that companies must respect.
You may think these regulations don't apply to you if you're outside the European Union. They do if you process the personal data of EU residents.
What is ISO?
The ISO is the International Organization for Standardization. The organization consists of nearly 170 national bodies that work together to outline the best way to do something.
Some of the most common ISO standards you might recognize are:
Health and Safety
Information security management
As you can see, the ISO plays an essential role in keeping things safe for businesses. When things are standardized, they become easier to monitor and maintain, and everyone has the same understanding.
What makes ISO 27001 & 27701 important?
The ISO 27000 family of standards cover the areas of IT security, cybersecurity, and privacy protection.
ISO 27001 is the most well-known information security management system (ISMS) standard. It exists to give businesses a way to conform to standard requirements in relation to their information security risks. Things like data theft or privacy breaches are huge risks for companies and their customers, so conforming with ISO 27001 means an organization has implemented best practices to ensure data security.
The key principles of ISO 27001 in the context of information security are:
Confidentiality - only authorized people have access to information in a company.
Information integrity - data accuracy is maintained throughout its lifecycle
Data availability - a business and its customers have access to information when it’s needed.
ISO 27701 is an extension of ISO 27001 and seeks to maintain and improve the Privacy Information Management System (PIMS). Specifically how privacy management is implemented in organizations.
The key principles of ISO 27701 in the context of information security are:
Protection of personal data assets - personal data collected by a business will be protected with technical and organizational measures (TOMs). The data will not be shared with third parties without the proper data subject notices. There will be protection against unauthorized access, modification or destruction of data.
Demonstrate compliance with applicable privacy regulations and laws - you show you’re willing to be accountable for all aspects of personal data handling.
Does ISO 27001 and 27701 certification mean GDPR compliance?
Many people, perhaps even you, have been told by other vendors that ISO certification equals 100% GDPR compliance. Is that true? Here’s what Hannah-Lee Wunderlich, General Counsel here at Dealfront, had to say about it:
ISO 27001, especially when combined with ISO 27701 certification, covers a significant part of GDPR compliance. Sure, they share the same goals: reducing risk and bolstering data security, but they aren’t the same. ISO certification (depending on your industry/field) is an optional component to reduce your information risks.
GDPR compliance, on the other hand, is mandatory if a company, even one located outside of the EU but offering goods or services in the EU (see Art. 3 Nr. 2 GDPR), processes the data of EU citizens.
In a nutshell:
GDPR compliance is mandatory for organizations processing the data of EU citizens.
ISO 27001 is an optional certification to support, NOT replace, your GDPR compliance goals. Its focus is on information security management.
ISO 27701 is an “add-on” to 27001. You will need to acquire ISO 27001 certification to attain ISO 27701 certification. It’s the certification most closely aligned with the GDPR.
How to find trustworthy vendors for your B2B needs
If a vendor has claimed they are GDPR compliant solely because they are ISO certified, they haven't done their due diligence. Here are 4 questions you can ask yourself when evaluating vendors:
Can you verify that the data is stored and processed within the EU?
Are the data sources fully transparent?
Does the data come from official and publicly available sources?
Will your own company’s data be secure within the vendor’s platform?
Now, you can take the evaluation of vendors into your own hands to see if they truly measure up to the standards and requirements.
Dealfront: Your secure and compliant GTM platform
The great news is: Dealfront checks all those boxes!
Dealfront is proud to be fully GDPR compliant and to have been granted both ISO 27001 & ISO 27701 certifications!
How you benefit from our GDPR compliance and ISO certification:
We are driven to provide you with the highest data security and privacy standards.
Our processes are tightly standardized with industry best practices.
Our processes are transparent, so you always know what is happening with your data.
Our implemented best practices are continuously improved and verified annually by an independent 3rd party
Our highest priority is giving you peace of mind so you can get back to the business of what you do best. So why put us to the test with your use cases, and sign up for a free trial right now!