ISO/IEC 27701: Threats and opportunities for GDPR certification

Research output: Working paperScientificpeer-review


The paper assesses the possible consequences on Article 42/ 43 certification of the recently published ISO/IEC 27701:2019 standard. The new ISO standard establishes a management system that aims to manage 'the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.' The conformity with the standard's requirements is certifiable by all private certification bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification has many assets to dominate the market of data protection certification and, thus, compete with the approach supported by European supervisory authorities on data protection. ISO based certification offers operational advantages to businesses that are looking for a workable solution to streamline information security and data protection in their organization. In the meantime, the EU supervisory authorities are still wandering on the right option to approve certification schemes under Article 42/43 regime. A strong uptake of ISO/IEC 27701:2019 based certification alongside Article 42/43 certification could be confusing for the general public and eventually threaten Article 42/43 implementation. But it could also offer an interesting opportunity to the European supervisory authorities to spread data protection principles beyond the EU borders and clarify the relationships they intend to establish between Article 42/43 certification and ISO standards based one.
Original languageEnglish
Number of pages23
Publication statusSubmitted - 1 Mar 2020



  • Certification
  • ISO/IEC 27701
  • Standards
  • Data Protection

Cite this