With the entry into force of the General Data Protection Regulation (GDPR), many entities, as data controllers (RT), have been forced to implement security measures, both technical and organizational, taking into account the nature, scope, context and purposes of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons (art. 24), in such a way that they ensure adequate security of personal data (art. 32), including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage (art. 5).
ISO 27001
However, despite security being mentioned in several articles, the GDPR says little or nothing about which security measures should be implemented to achieve the objective it sets. That is why organizations have turned to international security frameworks and standards such as ISO 27001 which, despite not being mandatory, has in recent years become the reference guide for introducing and implementing information security management systems.
ISO 27701
ISO 27701, on privacy information management, has recently been published. This standard builds on the requirements, control objectives and controls of ISO 27001 and adds a set of privacy-specific requirements, control objectives and controls, so that in the coming years organizations that already hold ISO 27001 will be able to rely on this new framework to comply with the legal framework.
However, to demonstrate the degree of compliance with the GDPR it is not enough to implement each of the controls in isolation: a risk analysis must also be carried out and an action plan executed to address those risks, and the maturity level of the measures implemented must then be verified, that is, their effectiveness assessed and corrective and improvement plans established. And, as we have seen, the best tool for achieving this goal is ISO 27701.
Finally, and in this sense, we must mention the recent ruling STS 543/2022, which points out that, even if data controllers implement sufficient security measures, they may still suffer security breaches, so guaranteeing data security cannot be understood as an obligation of results but as an obligation of means. That is, data controllers have to do everything possible to prevent a breach from happening, even though the risk is never zero. And, to demonstrate that degree of diligence on the part of the controller, we will have no choice but to turn to standards such as ISO 27701, an internationally recognized management system that can be audited and certified, as a guarantee of GDPR compliance.