ISO/IEC 27701: Threats and Opportunities for GDPR Certification

23 Pages Posted: 16 Mar 2020

Date Written: January 15, 2020


The paper assesses the possible consequences for Article 42/43 certification of the recently published ISO/IEC 27701:2019 standard. The new ISO standard establishes a management system that aims to manage ‘the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.’ The conformity with the standard’s requirements is certifiable by the private certification bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification possesses many assets to dominate the market of data protection certification and, thus, compete with the approach supported by the European supervisory authorities on data protection. ISO based certification offers many operational advantages to businesses which are looking for a workable solution to streamline information security and data protection in their organization. In the meantime, the EU supervisory authorities are still wandering on the right option to approve certification schemes under Article 42/43 regime. A strong uptake of ISO/IEC 27701:2019 based certification alongside Article 42/43 certification could confuse the general public and eventually threaten Article 42/43 implementation. But it could also offer an opportunity to the European supervisory authorities to spread data protection principles beyond EU borders and clarify the relationships they intend to establish between Article 42/43 certification and ISO standards based one.

Keywords: Certification, ISO/IEC 27701:2019, Article 42 GDPR, Data Protection, Accountability, ISO standards, Self-regulation

Suggested Citation

Lachaud, Eric, ISO/IEC 27701: Threats and Opportunities for GDPR Certification (January 15, 2020). Available at SSRN: or

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics