GDPR versus ISO 27701
Although some jurisdictions, such as the EU under the GDPR, provide a mechanism for an organization to demonstrate its compliance (Articles 42 and 43), assessment programmes implementing this mechanism are not yet available. At the same time, businesses want confidence that their service providers are managing privacy properly. Implementing a Privacy Information Management System (PIMS), or certifying to ISO/IEC 27701, is currently a practical way for a data controller to demonstrate to its directors and customers, and for a data processor to demonstrate to its customers, that privacy issues are being managed.
Privacy professionals and consultants working with organizations frequently find that privacy protection has been handled in an ad hoc, fire-fighting manner. A privacy policy may have been written and posted on the website, but there is no systematic management of privacy issues: the policies may be outdated with no owner responsible for reviewing and updating them, staff lack privacy training appropriate to their roles and responsibilities, privacy is treated purely as an IT problem, and nobody monitors whether the policies are effective. Privacy management, like financial management, quality management or safety management, should be part of an organization's overall management strategy, which calls for a structured and holistic approach. ISO/IEC 27701 is one standard that provides such a management framework for systematically managing privacy issues.
ISO/IEC 27701:2019 Standard
The standard specifies requirements and gives guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS), in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. In other words, it provides a management framework for handling privacy issues within an organization.
The standard was written by ISO/IEC JTC 1/SC 27, the same committee that prepared the widely adopted ISO/IEC 27001 Information Security Management System standard.
The standard is designed to be implemented on top of ISO/IEC 27001. The idea is that ISO/IEC 27001 (information security) provides the safeguarding framework for protecting PII (e.g. data encryption, network protection, security policies, security awareness and training), while ISO/IEC 27701 (privacy management) provides the processing and governance framework for managing PII (e.g. consent, data minimization, data retention, data processing agreements, cross-border data transfer).
When the two standards are used together, the combination offers the following:
- ISO/IEC 27001 provides a management framework and 114 information security controls.
- ISO/IEC 27701 provides:
  - a requirement for a data processing (privacy) risk assessment;
  - 32 additional information security requirements that supplement the 114 controls of ISO/IEC 27001 to strengthen the safeguarding of PII;
  - Annex A: 31 additional data processing controls for PII controllers;
  - Annex B: 18 additional data processing controls for PII processors.
The Annex A (PII controller) and Annex B (PII processor) controls break down by clause as follows:

| Clause | Topic | Controls |
| --- | --- | --- |
| A.7.2 | Conditions for collection and processing | 8 |
| A.7.3 | Obligations to PII principals | 10 |
| A.7.4 | Privacy by design and privacy by default | 9 |
| A.7.5 | PII sharing, transfer and disclosure | 4 |
| B.8.2 | Conditions for collection and processing | 6 |
| B.8.3 | Obligations to PII principals | 1 |
| B.8.4 | Privacy by design and privacy by default | 3 |
| B.8.5 | PII sharing, transfer and disclosure | 8 |
Benefits of Establishing a PIMS according to ISO/IEC 27701
- Privacy management involves more issues than IT alone can resolve or control. An organization-wide management system is needed.
- Privacy should be built into every process and management flow, which requires a PDCA (Plan-Do-Check-Act) approach. A "gate-keeper" approach that merely issues a series of policies (only the D in the PDCA cycle) is not sufficient.
- A management framework gives the organization tools such as policies, objectives, risk assessment, training and awareness, and internal audits to manage privacy issues systematically, rather than treating privacy management as a purely technical matter.
Certification
Once an organization has established a PIMS, it can ask a certification body to assess the PIMS against ISO/IEC 27701. On successful certification the organization is awarded a certificate of compliance to ISO/IEC 27701. Successful certification means that the organization has identified its privacy risks under the laws and regulations applicable to it and is managing those risks through the PIMS. Once certified, the organization is subject to a smaller-scale surveillance assessment every year and a full re-certification every three years to confirm continued compliance with the standard. This ongoing assessment cycle ensures that the certified organization maintains and improves its PIMS.
Certification to ISO/IEC 27701 is conducted by a certification body, usually one accredited by a national accreditation body such as UKAS (United Kingdom Accreditation Service) or ANAB (ANSI National Accreditation Board).
Readers are reminded that the certification described here is not the "EU GDPR certification" referred to in Articles 42 and 43 of the GDPR. Certification under the GDPR requires criteria reviewed and approved by the competent supervisory authority or the European Data Protection Board (EDPB). Successful certification to ISO/IEC 27701 does not relieve an organization of its obligation to comply with applicable laws and regulations.
Benefits of Certifying to ISO/IEC 27701
- An objective way to demonstrate your organization's effort, capability and results in meeting all applicable customer and regulatory privacy requirements.
- Evidence to current and future customers that your privacy management has been assessed against an international benchmark.
- An opportunity to raise your organization's privacy competence and awareness through independent third-party monitoring.
- A commercial advantage, because your organization can demonstrate that it respects privacy.
Conclusion
The GDPR provides for certification (Articles 42 and 43), but assessment programmes implementing that mechanism are not yet available, while businesses still need confidence that their service providers manage privacy properly. Until GDPR certification schemes exist, implementing a PIMS or certifying to ISO/IEC 27701 is a practical way for a data controller to demonstrate to its directors and customers, and for a data processor to demonstrate to its customers, that privacy issues are being managed systematically. It is not, however, a substitute for compliance with the law itself.
Article provided by: Chris Yau (SGS Hong Kong Limited, Hong Kong)