Does ISO 27701 cover GDPR and other Local Privacy Laws – a case of Kenya and Tanzania
Does ISO 27701 Cover GDPR and Other Local Privacy Laws?
ISO/IEC 27701:2019 is a standard that provides requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). It is an extension of ISO/IEC 27001 and ISO/IEC 27002: an organisation can only be certified to ISO 27701 together with an ISO 27001 information security management system, which the PIMS extends with privacy-specific controls. The General Data Protection Regulation (GDPR), on the other hand, is a law enacted by the European Union (EU) to protect the personal data of natural persons. It applies to controllers and processors established in the EU regardless of where the processing takes place, and to organisations outside the EU that offer goods or services to, or monitor the behaviour of, data subjects in the EU. In addition, many countries have enacted their own privacy laws, tailored to their local context, to safeguard their citizens' personal information.
While ISO 27701, the GDPR and other privacy laws share the common goal of protecting personal data on the basis of the same privacy principles, ISO 27701 is an international standard and best-practice framework, not a law. It does not reference or limit itself to any single regulation. Instead, it is designed to be mapped onto whichever privacy laws apply to the organisation (Annex D of the standard, for example, maps its controls to GDPR articles), so that operating the PIMS supports compliance with those laws.
The table below shows how implementing ISO 27701 supports and aligns with the requirements of the GDPR and two local privacy laws: Kenya's Data Protection Act 2019 and Tanzania's Personal Data Protection Act 2022 (referred to below as Tanzania DPA 2022). The comparison is made across the key data privacy domains, with the clause, article, section or part that addresses each domain given in brackets.
| Key Data Privacy Elements | ISO 27701 | GDPR | Kenya DPA 2019 | Tanzania DPA 2022 |
|---|---|---|---|---|
| 1. Scope and Applicability | Specifies requirements and guidance for establishing, implementing, maintaining and continually improving a PIMS. Applicable to organisations of any size and industry that are PII controllers and/or PII processors. (Clause 1: Scope) | Defines the material and territorial scope of the GDPR: processing of personal data by controllers or processors established in the EU, and by entities outside the EU that offer goods or services to, or monitor, data subjects in the EU. (Articles 2 and 3: Material and Territorial Scope) | Applies to processing of personal data by data controllers or processors established or ordinarily resident in Kenya, and to those outside Kenya that process personal data of data subjects located in Kenya. (Section 4: Application) | Applies to both public and private institutions that collect and process personal data in Tanzania. (Part 1: Application) |
| 2. Data Subject Rights | Provides guidance on meeting obligations to PII principals, including access, correction, erasure, objection, and providing a copy of PII in a portable form. (Clauses 7.3 and 8.3: Obligations to PII principals) | Grants the rights of access, rectification, erasure, restriction of processing, data portability and objection, including to automated decision-making. (Articles 12-23: Rights of the data subject) | Grants the rights to be informed, to access, to object to processing, and to correction and deletion of personal data. (Section 26: Rights of a data subject) | Recognises the rights of data subjects, ensuring they can access, correct and request deletion of their personal data. (Part 3: Procedures for enforcing rights of data subjects) |
| 3. Data Processing Principles | Requires purpose limitation, data minimisation, accuracy, retention limits and privacy by default, with the remaining principles (lawful basis, consent, transparency) covered by the conditions for collection and processing. (Clause 7.4: Privacy by design and privacy by default; Clause 7.2: Conditions for collection and processing) | Sets out the principles of lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability (Article 5), and six lawful bases for processing: consent, contract, legal obligation, vital interests, public task and legitimate interests (Article 6). (Articles 5-11: Principles) | Sets out principles closely aligned with the GDPR, including lawful processing, purpose limitation, data minimisation and accuracy, and requires a lawful basis for processing such as consent or a legal obligation. (Section 25: Principles of data protection) | Similarly mandates that personal data be processed lawfully, fairly, transparently and securely. (Part 5: Obligations of data controllers and data processors) |
| 4. Security Measures | Requires the ISO 27001 and ISO 27002 information security controls, extended with PIMS-specific guidance, to protect PII. (Clause 6: PIMS-specific guidance related to ISO/IEC 27002) | Requires technical and organisational measures appropriate to the risk, naming pseudonymisation and encryption as examples. (Chapter IV, Section 2, Article 32: Security of processing) | Mandates appropriate technical and organisational measures, implemented by design and by default, to protect personal data. (Section 41: Data protection by design or by default) | Requires adequate security measures to protect personal data. (Part 5: Obligations of data controllers and data processors) |
| 5. Accountability | Establishes accountability through additional guidance for PII controllers and PII processors, including defined roles and responsibilities and the designation of a person responsible for privacy. (Clause 7: Additional guidance for PII controllers; Clause 8: Additional guidance for PII processors) | Requires accountability measures such as records of processing activities, Data Protection Impact Assessments (DPIAs) and the designation of a Data Protection Officer (DPO) where required. (Article 30: Records of processing; Chapter IV, Section 3: DPIA and prior consultation; Section 4: Data Protection Officer) | Emphasises accountability by requiring registration of data controllers and processors, DPO designation, records of processing and DPIAs. (Section 18: Registration of data controllers and data processors; Section 24: Designation of data protection officer) | Holds data controllers and processors accountable for compliance and data protection, beginning with their registration. (Part 2: Procedure for registration of data controllers and data processors) |
| 6. Transfer of Data Outside the Country | Provides guidance on PII sharing, transfer and disclosure, including identifying the basis for transfers between jurisdictions and recording which countries PII is transferred to. (Clause 7.5: PII sharing, transfer and disclosure) | Regulates international transfers, permitting them only on the basis of an adequacy decision, appropriate safeguards or a listed derogation. (Articles 44-50: Transfers of personal data to third countries or international organisations) | Restricts transfers outside Kenya unless the recipient country offers adequate protection or appropriate safeguards are in place. (Part VI, Sections 48-50: Transfer of personal data outside Kenya) | Provides the procedure for transferring personal data outside Tanzania. (Part 4: Procedure for transfer of personal data outside the country) |
| 7. Data Breach Notification | Requires incident management procedures that identify PII breaches and notify the relevant authorities and PII principals in line with applicable law. (Clause 6.13: Information security incident management) | Requires notification of the supervisory authority within 72 hours of becoming aware of a breach, and communication to affected individuals where the breach is likely to result in a high risk to them. (Articles 33 and 34: Notification of a personal data breach) | Requires notification of the Data Protection Commissioner within 72 hours of becoming aware of a breach, and communication to affected data subjects where there is a real risk of harm. (Section 43: Notification and communication of breach) | Includes breach notification under the security principle, supporting transparency and accountability. (Section 27(5): Principle of security of personal data) |
ISO/IEC 27701:2019 was developed with existing privacy laws and regulations in mind, and its controls cover most of their common requirements. By implementing ISO/IEC 27701:2019, your organisation will therefore have the processes, records and controls that most local and international privacy laws expect, which also helps it meet contractual privacy obligations imposed by customers, partners or suppliers. Implementing the standard is not, however, the same as being compliant with a given law: each law has jurisdiction-specific requirements (for example, registration with the regulator in Kenya and Tanzania, or particular notification deadlines and thresholds) that must be identified through a gap analysis against that law and addressed in the PIMS. These law-specific additions are typically small compared with the common baseline the standard already provides, but they remain the minimum required.
Conclusion
In summary, ISO 27701 provides a comprehensive framework for managing privacy information that aligns with global privacy regulations, including the GDPR, and with local laws such as Kenya's Data Protection Act 2019 and Tanzania's Personal Data Protection Act 2022. Implementing ISO/IEC 27701:2019 positions your organisation to meet these data protection requirements, offering a structured approach to safeguarding personal data and demonstrating compliance.
However, navigating the complexities of these standards and laws can be challenging. That is where Sentinel Africa comes in. We specialise in helping organisations implement ISO 27701 and achieve compliance with local and international privacy laws. Our expert team guides you through the process, ensuring your organisation is compliant and protected.
Call to Action:
Don't leave your data protection to chance. Contact Sentinel Africa today to learn how we can help you implement ISO 27701 and achieve compliance with the GDPR and local privacy regulations. Secure your organisation's future by aligning with best practices in data privacy management.