Privacy management: should your business adopt new ISO?

Most of us are now aware of the challenges posed to every business by inadequate privacy information management. The Information Commissioner’s Office (ICO) continues to impose significant fines on organisations of all kinds. Recently, for example, it has taken action against and imposed significant fines on an estate agency, a mobile phone operator and a London borough council. So compliance with GDPR – and demonstrating compliance – matters now more than ever.

If you need guidance regarding data protection and privacy, contact our privacy solicitors London on 0203 983 8278 or contact us online.


At Nath Solicitors, we advise a wide range of start-ups and small and medium-sized businesses on GDPR compliance matters. With several bespoke GDPR compliance packages available we help businesses in London and across the UK reduce the risk of data breaches that could result in regulatory intervention. For more information call Shubha Nath on 44 (0) 203 670 5540 or contact the firm online.


Data security is an increasing concern. According to a 2018 World Economic Report, cyber attacks on business have doubled in the last five years. Increased awareness of the importance of data security following the launch of GDPR can help minimise the risk of breaches, as we mentioned above. But businesses can take further steps.

An increasingly used tool for businesses to reduce the risk of data security breaches within their organisations is ISO 27701, a worldwide compliance standard that has recently been extended and updated. ISO 27701 is a recognised international standard to help companies manage the information they hold on individuals and meet regulatory obligations such as GDPR.


The popularity of this type of certification internationally should not be underestimated. In the USA, for example, take-up of ISO 27701 by businesses alert to the dangers of poor privacy information management is above 90%. So what does adoption of ISO 27701 entail?

Key elements of ISO 27701 include:

  • Specification of the requirements for establishing, implementing and continually improving a privacy-specific information security management system.
  • An emphasis on the importance of adopting a privacy management system that is capable of evolving in the face of ever-changing technology.
  • Tailored guidance for data processors and controllers within organisations.

Implementing ISO 27701 is not an easy task. It’s important that the relevant personnel within your organisation are familiar with the requirements and that staff receive appropriate training on ISO 27701 compliance. Certification will involve risk assessments, internal audits and accurate scoping of the ISO 27701 project. The documentation and processes you will be required to develop and complete include:

  • An information security policy
  • Information security risk assessment process
  • Information security objectives
  • A documented internal audit process
  • Evidence of the nature of breaches and any subsequent actions taken
  • Evidence of the results of any corrective actions taken

Once an organisation is ISO 27701 certified it must continually review the effectiveness of its processes and compliance.


Adoption of the ISO 27701 standard is an entirely voluntary decision for your business. And while some of what we have outlined here may appear daunting, the benefits of an ISO 27701 certification are enormous. It indicates to the ICO that you take data security seriously and it signals to the world that you are a business that values the personal information of clients. And remember ISO 27701 is aimed at businesses of all sizes and in all sectors, not just large multinationals. For smaller enterprises, there are invaluable resources available online and elsewhere to help you implement the standard.

Ultimately organisations must weigh up any potential benefits that ISO 27701 will bring them against any additional costs incurred. For some ISO 27701 will be a good framework to help them improve their systems. For others that have already proactively improved their privacy management systems, ISO 27701 may not be essential. And advice from information lawyers like ourselves can ensure you concentrate on implementing a scheme that is proportionate and appropriate for your business.

To discuss how we can assist you, call our London office on 0203 983 8278 or contact us online.


Copyright. Nath Solicitors Limited. Registered in England and Wales. Company Number: 08724944. VAT number: 207490711. Office Located at: 35 Berkeley Square, London, W1J 5BF. Nath Solicitors Limited is authorised and regulated by the Solicitors Regulatory Authority. Registration number 608014.