ISO/IEC 27701: Threats and opportunities for GDPR certification

Eric Lachaud

Research output: Contribution to journalArticleScientificpeer-review


The paper assesses the possible consequences for Article 42/43 certification of the publication of the ISO/IEC 27701:2019 standard. This new ISO standard establishes a management system that aims to manage ‘the processes for protecting the capture, accountability, availability, integrity, and confidentiality of personal data.’ The conformity with the standard’s requirements is certifiable by the private conformity assessment bodies interested in providing this service to businesses. The paper shows that ISO/IEC 27701:2019 based certification has many assets to dominate the market of data protection certification. It offers operational advantages to businesses that are looking for a readymade solution to streamline information security and data protection. A strong uptake of ISO/IEC 27701:2019 based certification could threaten Article 42/43 certification by creating two competing approaches of data protection compliance. But it could also offer the opportunity to improve the general level of data protection and encourage the European supervisory authorities to clarify the relationships they intend to establish with ISO privacy standards.
Original languageEnglish
Pages (from-to)194-210
Number of pages17
JournalEuropean Data Protection Law Review
Issue number2
Publication statusPublished - 15 Jun 2020


  • Certification
  • ISO/IEC 27701
  • Standards
  • Data Protection
  • Standardization
  • Self-regulation


Dive into the research topics of 'ISO/IEC 27701: Threats and opportunities for GDPR certification'. Together they form a unique fingerprint.

Cite this