ISO 27701 – An International Standard for Privacy Management

ISO/IEC 27701:2019 (formerly known as ISO/IEC 27552 during the drafting period) is a privacy extension to ISO/IEC 27001. The design goal is to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish and maintain a Privacy Information Management System (PIMS). The standard outlines a privacy framework for Personally Identifiable Information (PII) Controllers and PII Processors to help better respect the privacy rights of individuals and reduce the risk of a privacy breach.

ISO/IEC 27701 is intended to be a certifiable extension to ISO/IEC 27001 certifications. In other words, organizations planning to seek an ISO/IEC 27701 certification will also need to have an ISO/IEC 27001 certification.

There are several advantages to considering the standard, including:

  1. A robust PIMS helps achieve compliance with privacy requirements, such as those espoused in privacy laws and regulations, third-party contracts/data processing agreements, and corporate privacy policies. ISO/IEC 27701 can lead organizations down the path towards an effective privacy framework that eases the compliance burden when operating in several jurisdictions or when data subjects are all over the world.
  2. Achieving and maintaining compliance with applicable requirements is a governance and assurance issue. The PIMS allows Privacy or Data Protection Officers to provide the necessary evidence to assure stakeholders such as senior management, owners and the authorities that applicable privacy requirements are satisfied.
  3. PIMS certification can be valuable in communicating privacy compliance to customers and partners. PII Controllers generally demand evidence from PII Processors that the PII Processors' privacy management system adheres to applicable privacy requirements. An international standard can greatly simplify such communication of compliance transparency, especially when the evidence is validated by an accredited third-party auditor. This necessity for compliance transparency is also critical for strategic business decisions such as mergers and acquisitions, and for co-Controller scenarios involving data sharing agreements.

As ISO/IEC 27701 becomes better known and internationally acknowledged, PIMS certification can potentially serve to signal trustworthiness to the public, and may even serve as the basis for a GDPR certification mechanism (Article 42 of the GDPR).

To briefly touch on some of the content, the approach in ISO/IEC 27701 to risk management is certainly worth highlighting. The standard contains guidance with respect to performing privacy impact assessments and implementing Privacy by Design measures. Also, the Annex A controls of ISO 27001 are expanded upon to include additional security awareness of data breach incident reporting and the need for information classification systems to explicitly consider PII.

Of course, implementation of a PIMS does not require certification and can certainly serve as a valuable starting point to mature organizational privacy processes. For more information on ISO/IEC 27701 or to discuss the usefulness of the standard for your organization, contact PRIVATECH.