5 minute read 3 Mar 2020
Woman standing in the aisle of server room

How GDPR compliance demands have shifted the focus to certification

By Peter Katko

EY Global Digital Law Leader

Leader in digital law, providing legal approaches for designing digital transformation in a legally compliant way.

5 minute read 3 Mar 2020
Related topics Tax Digital Law

The new global standard may help provide certification across many of the requirements of the EU’s General Data Protection Regulation.

As we approach the first anniversary of implementation of the EU’s General Data Protection Regulation (GDPR), and I prepare to speak at a BSI event in London examining the potential impact of ISO 27552, I thought it worth examining the new standard in a GDPR-specific context. I have thus made a number of key observations.

The GDPR ‘narrative’ has changed

In the lead-up to GDPR implementation, the main trigger for businesses becoming compliant – and certainly the one thing that attracted the most headlines – was the potential for fines for non-compliance of up to €20m or 4% of global revenue. While there weren’t many fines from day one, we have seen businesses of all types and sizes subsequently penalized for breaching GDPR in a variety of ways.

What has become evident in the 12 months since GDPR was introduced is that it is demanding in its requirements. Not only is there the principle of accountability – making certain that data is not misused – but businesses must also actively be in a position to prove how they set up processes, procedures and policies to comply with the law.

Because of the complexities involved in GDPR compliance, the focus has shifted to certification – enabling businesses to prove that they are meeting at least some of its requirements.

ISO 27001 acted as a starting point for GDPR compliance

Unfortunately, as yet, there is not one catch-all international standard that proves GDPR compliance. So, despite some businesses disingenuously advertising services to the contrary, there is not yet an official full GDPR certification. There are, however, standards that help comply with aspects of GPDR.

Most notable among these is ISO 27001, the framework of which provides a crossover with GDPR requirements. ISO 27001 is the international standard that describes best practice for an information security management system (ISMS). Importantly, it provides evidence that measures have been taken to comply with the data security requirements of GDPR.

ISO 27552 takes us a step closer to GDPR certification

While ISO 27001 is internationally recognized, it only goes part-way when it comes to GPDR compliance. A new standard – ISO 27552 – aims to provide certification that is more aligned with the regulation.

Currently under development, and expected to be published in Q4 2019 at the earliest, ISO 27552 will be an extension of ISO 27001, adding a framework of privacy-related controls and best practices. It supplements the ISMS with a privacy information management system (PIMS) and, importantly, it will map privacy-related controls to GDPR.

ISO 27552 has, surprisingly, largely flown under the radar until now, but we expect that it will quickly gain recognition among people in the industry and the compliance ecosystem. Significantly, it will be able to be used as one single control to comply with multiple privacy regulations, not just GDPR.

ISO 27552 extends beyond the EU

One of the key aspects of the new standard is that it will be recognized globally, which is significant when engaging service providers outside the EU.

For example, if a business transfers data outside the region – and that can be as simple as using Google Analytics on a website – it raises issues of data protection and falls under GDPR rules. To be compliant, the business would normally need to put mitigating measures in place to justify the transfers – be that through so-called standard contractual clauses or binding corporate rules, in the case of intra-company transfers. These can be burdensome and complicated to agree upon.

ISO 27552 will obviate the need for such agreements – so certification can provide a new, easier instrument to justify international data flow both inside or outside a group of companies.

Not only will ISO 27552 be an international standard that helps to demonstrate accountability, it will also help to contest sanctions by authorities because a business will be able to use it to prove it is GDPR-compliant (with some exceptions and the caveat that human error is always possible).

We are never likely to have full GDPR certification

Ultimately, while ISO 27552 is a major step forward, GDPR is a complex and severe piece of regulation, and there are aspects that can’t be covered by new standards. Take, for example, data portability under GDPR, which provides the right to transfer data from one organization to another, such as from Facebook to another social media provider.

Data portability is one of the fundamental data subject rights in GDPR, yet it is hard to envisage a global standard because the cultures of law across countries are too different. For example, the US is not renowned for its approach to privacy and data protection when compared with other countries.

The GDPR landscape will keep changing

While GDPR is in place to protect personal data, it is also there to enable the free flow of data, and of goods and services, across the EU.

Brexit creates an interesting scenario in that the UK is set to become a third country with the EU and won’t benefit from this free flow any more, meaning it will require mitigating measures. ISO 27552 can, from a data perspective at least, be an instrument for UK companies to keep things up and running.

This, in itself, points to the importance of certification, which can provide some certainty and stability in an ever-changing international landscape.

A year on from implementation of GDPR, authorities are becoming more aggressive in terms of fines. ISO 27552 certification, at the very least, will demonstrate compliance with considerable parts of the regulation and can help businesses prove accountability and be an element in contesting such fines if they occur.

Peter Katko will be chairing a panel session at the forthcoming BSI event ‘Privacy – Raising the Standard’ on 25 June 2019 at The British Academy, Carlton House Terrace, St James’s, London SW1Y 5AH.


In the 12 months since GDPR was introduced, its demanding requirements have become all too evident. Not only is there the principle of accountability, making certain that data is not misused. Businesses must also actively be in a position to prove how they set up processes, procedures and policies to comply with the law.

About this article

By Peter Katko

EY Global Digital Law Leader

Leader in digital law, providing legal approaches for designing digital transformation in a legally compliant way.

Related topics Tax Digital Law