
By Dave


2024 has been a busy year for Zoocha, marked by a series of significant milestones in our ongoing commitment to continuous improvement. This week, we are thrilled to announce that we have achieved yet another ISO certification: ISO 27701:2019 for Privacy Information Management. 

This latest addition to our roster of ISO certifications underscores our dedication to safeguarding privacy and strengthening our data protection practices. As with our other UKAS rated ISO certifications (9001, 14001, 22301, 27001), the scope of this ISO 27701 Privacy Information Management certification is for all Zoocha Group service delivery activity:

“The design, development, maintenance, and support related to Drupal web applications, and other software engineering related services, including cloud hosting, software, and support.”

Strengthening Our Commitment to Privacy

Achieving the ISO 27701:2019 certification is a testament to our thorough approach to privacy management. This standard, often referred to as the Privacy Information Management System (PIMS), builds on the robust foundation of ISO 27001, focusing specifically on managing personal data. By integrating ISO 27701 into our existing Information Security Management System (ISMS), we are not only enhancing our compliance framework, but also reinforcing our commitment to privacy by design.

The level of effort in achieving this new certification was high, with work on it originally starting at the beginning of 2023. Some of the key changes in the Zoocha Business Management System include:

  • Privacy Impact Assessments (PIAs) for all Zoocha systems and suppliers, including any remedial work
  • Establishing thorough records of data processing and conducting privacy-focussed risk assessments
  • Defining data subject rights procedures
  • Evolving and defining a complete set of privacy notices and policies
  • Defining data processing agreements
  • Creating a comprehensive data retention policy and schedule
  • Performing legitimate interests assessments
  • Various privacy-focussed improvements to our project and support processes
  • Enhancing our Drupal and infrastructure non-functional requirements with privacy-focussed elements
  • Putting in place processes and procedures to ensure that all of the above is maintained
  • Training the Zoocha team on all of the above!

GDPR Compliance and Beyond

In the current digital landscape, adherence to regulations such as the General Data Protection Regulation (GDPR) is crucial. ISO 27701 provides a framework that aligns with GDPR requirements, ensuring that Zoocha processes and policies are designed to protect personal data at every stage. This certification demonstrates our proactive approach to privacy, guaranteeing that our clients and partners can trust us with their sensitive information.

Privacy by Design in Our SDLC

At Zoocha, we have always prioritised “privacy by design” in our Drupal-focussed Software Development Life Cycle (SDLC). Achieving ISO 27701 certification reaffirms our dedication to embedding privacy considerations into every aspect of our Drupal development process. From initial planning through to development, and on to deployment and maintenance, our team adheres to stringent privacy protocols, ensuring that data protection is an integral part of our projects.

Adoption of ICO Best Practices and Guidelines

Our journey towards ISO 27701 certification has involved studying the material released by the Information Commissioner's Office (ICO) to ensure that our practices meet the highest standards of data protection. The ICO’s resources have been key in refining our policies and enhancing our understanding of privacy management. Aligning Zoocha processes and procedures with the ICO's guidelines will make it easier for Zoocha to evolve in line with the latest regulations and best practices.

Looking Ahead

Achieving ISO 27701 is a significant milestone, but it is not the end of our journey. At Zoocha, we remain committed to continuous improvement and innovation in privacy management. We will continue to invest in our people, processes, and technologies to ensure that we stay at the forefront of data protection. Particularly pleasing to note in this regard was some of the feedback from the external certification body assessor, which was included within our Stage 2 "Recommendation for Certification" report:

(GP-001) Good practice: The leadership and commitment at Zoocha, particularly evidenced through the efforts of David Pratt, the CTO, are exemplary. The consistent communication and integration of privacy, information security, quality, and environmental standards into the organisational culture highlight the organisation's dedication to maintaining and improving its PIMS. This positive finding underlines Zoocha’s alignment with the requirements of Clause 5.3.1 of the ISO 27701 standard.