The Great Privacy Comparison: ISO Standards Take on Europe's GDPR Requirements

by Xenographics, May 31st, 2025
Too Long; Didn't Read

Compares ISO-27560, ISO-29184, and GDPR requirements for consent and notices, mapping terminology and exploring compliance applications.


Authors:

(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland (me@harshp.com)

(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden (jan@linaltec.com);

(3) Georg P. Krog, Signatu AS, Oslo, Norway (georg@signatu.com).

Abstract and 1 Introduction

2 Overview of ISO/IEC TS 27560:2023

3 Comparing ISO-27560, ISO-29184, and GDPR

4 Consent Records and Receipts using DPV

5 Supporting GDPR and DGA

6 Implementation Considerations and Future Work

6.1 Trust and Security

6.2 Using Records and Receipts with eIDAS and EUDI Wallet

6.3 Standard for PII Processing Record Information and 6.4 Technical Considerations in Managing Records and Receipts

6.5 IEEE P7012 Machine-Readable Privacy Terms

7 Conclusion and References

A Example of Consent Record with both required and optional fields

B Example of Consent Receipt with required fields from consent record

3 Comparing ISO-27560, ISO-29184, and GDPR

ISO-27560 uses prior terminology established in ISO standards, primarily defined in the ISO/IEC 29100:2011 Privacy Framework [4]. To support readers unfamiliar with the ISO terminology, Table 1 provides a mapping between ISO-29100 and GDPR terminology for the fundamental concepts associated with personal data processing. Note that this mapping only identifies related concepts and does not indicate that they are interpreted in exactly the same way: for example, Sensitive PII in ISO terminology is similar to Special Category personal data under GDPR, but the two cannot be used interchangeably. Therefore, when applying ISO standards to GDPR, such mappings indicate which concepts should be (re-)interpreted using GDPR's definitions and requirements.


Table 1. Mapping between ISO/IEC 29100:2011 and EU GDPR terminology


In prior work [13], we analysed and compared the ISO-29184 requirements for notice and consent with those in GDPR to understand the extent to which the ISO-29184 standard can be applied to demonstrate compliance with GDPR's requirements. We also explored the possibility of using ISO-29184 certifications under GDPR for consent and notice. Continuing that work, Table 2 compares ISO-27560 for consent information and ISO-29184 for privacy notice information with the requirements under GDPR, to provide a holistic view of how the two standards can be used together to address GDPR's requirements. Here it is important to note that, unlike ISO-29184, which is an international standard, ISO-27560 is what ISO terms a Technical Specification (TS): it only provides guidance and is intended to gather feedback towards creating a (future) international standard.


Table 2: Mapping information requirements across ISO/IEC TS 27560:2023, ISO/IEC 29184:2020 and EU GDPR. For GDPR, numbers without prefixes are Articles, and with prefix R are Recitals



This paper is available on arxiv under CC BY 4.0 DEED license.

