Article 42 of EU Regulation 679/16 on Data Protection states: ” The Member States, the supervisory authorities, the Board and the Commission shall encourage, in particular at Union level, the establishment of data protection certification mechanisms and of data protection seals and marks, for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors. The specific needs of micro, small and medium-sized enterprises shall be taken into account. ”
Both the Italian Supervisor and the European Data Protection Supervisor o have not yet explain the detail about application of this article, but the Italian Supervisor seems not to give any indication.
Meanwhile, at the end of August, was published the standard “Information Technology – Security Techniques – Code of Practice for Personally Identifiable Information Protection” or “Information Technology – Safety Techniques – Code of Practice for the Protection of personal informations”
The standard is an extension of the ISO / IEC 27002 controls to apply to a Certified Information Security Management System in accordance with ISO / IEC 27001 requirements.
For some of the controls already provided by ISO / IEC 27002, the standard ISO/IEC 29151 specified further instructions for implementation in Data Protection or so-called personal information. Additional controls are also reported than those already present in ISO / IEC 27002.
Specifically, the ISO / IEC 27002-based guidelines take into account the requirements for personal information processing that may be applicable in the context of an organization’s information risk environment
Therefore, ISO / IEC 29151: 2017 defines control objectives, controls and guidelines for the implementation of controls to meet the requirements identified by a risk assessment and impact assessment related to the protection of “identifiable personal information” (PII).
This Standard could be used by ISO / IEC 27001 Certified Organizations to extend their Statement of Applicability and could lead to ISO / IEC 27001 certifications based on the checks provided by ISO / IEC 27001 and ISO / IEC 29151 “so to a definite approach to Data Protection.
ISO / IEC 29151: 2017 applies to all types and sizes of organizations acting as Titles (or PII controllers as defined in the ISO / IEC 29100 standard that provides a framework for the protection of identifiable personal information), including public companies and private, government entities and non-profit organizations that handle personal data.
But it does not end here, ISO also has ISO / IEC 27552 on site, which will have to extend ISO / IEC 27001 so that it is dedicated to the protection of personal data. We have to say that work on this standard is still in the “Working Draft” and therefore we will have a few years left.
In the expectation of the Supervisors expressing this, we already have material to prepare for the certification of our Data Protection system.