Privacy professionals and consultants, when communicating with organizations, often run into an experience that many organizations took an ad hoc and fire-fighting approach on managing privacy protection. A privacy policy may have been developed and posted on the website, but there was no systematic management of privacy issues, e.g. the policies might be outdated and there was no owner to review and update them, the staffs lack privacy trainings that are appropriate for their roles and responsibilities, privacy is treated as an IT problem, there was no monitoring of how effective the policies are, etc. Privacy management, like financial management, quality management, safety management, etc. should be part of an organization's overall management strategy. As a result, a structural and holistic approach must be adopted. ISO/IEC 27701 is one such standard that provides a management framework for an organization to systematically manage its privacy issues.
ISO/IEC 27701:2019 Standard
The standard specifies the requirements and gives guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. In other words, the standard provides a management framework for managing the privacy issues within an organization.
The standard was written by ISO/JTC 1/SC 27, the same committee that prepared the widely-adopted ISO/IEC 27001 Information Security Management System standard.
The standard is designed to be implemented on top of ISO/IEC 27001 standard. The idea is that the ISO/IEC 27001 (Information Security) standard would provide the safeguarding framework for PII protection (e.g. data encryption, network protection, security policies, security awareness & training) while ISO/IEC 27701 (privacy management) would provide the processing and governance framework for PII management (e.g. consent, data minimization, data retention, data processing agreements, cross-border data transfer, etc.).
When the two standards are used together, the combination offers the following:
- The ISO/IEC 27001 provides a management framework and 114 controls on information security.
- The ISO/IEC 27701 provides:
- A requirement on data processing risk assessment
- 32 additional requirements on information security to supplement the 114 controls in ISO/IEC 27001 to strengthen the safeguarding of PII
- Annex A: 31 additional data processing controls targeted for PII controller
- Annex B: 18 additional data processing controls targeted for PII processor
Annex A: controls targeted for PII controller
A.7.2 | Conditions for collection and processing | 8 controls |
A.7.3 | Obligations to PII principals | 10 controls |
A.7.4 | Privacy by design and by privacy default | 9 controls |
A.7.5 | PII sharing, transfer and disclosure | 4 controls |
Annex B: controls targeted for PII processor
B.8.2 | Conditions for collection and processing | 6 controls |
B.8.3 | Obligations to PII principals | 1 controls |
B.8.4 | Privacy by design and by privacy default | 3 controls |
B.8.5 | PII sharing, transfer and disclosure | 8 controls |
Benefits of Establishing a PIMS according to ISO/IEC 27701
- Privacy management contains more issues than that can be resolved or controlled by IT alone. An organization-wide management system is needed.
- Privacy should be built into every process and management flow -- A PDCA (Plan-Do-Check-Act) approach is needed. A "gate-keeper" approach by simply having a series of policies (only D in the PDCA cycle) is not sufficient.
- Having a management framework to manage your privacy management issues. The framework provides an organization management tools such as policy, objectives, risk assessment, training and awareness, internal audits, etc to systematically manage the issues rather than looking at privacy management as technical matters only.
Certification
Once an organization establish a PIMS, the organization could consider requesting a certification body to assess its PIMS against the ISO/IEC 27701 standard. Upon successful certification, the organization will be awarded a certificate of compliance to ISO/IEC 27701. Successful certification means an organization is managing its privacy risks based on its determined privacy risks according to its applicable laws and regulations. Once certified, an organization is subject to a smaller-scale annual assessment every year and a re-certification every three-years to ensure its continuous compliance to the standard. This continuous assessment ensures the certified organization to maintain and improve the PIMS.
The certification of ISO/IEC 27701 is conducted by a certification body, often accredited by a national accreditation body such as UKAS (UK Accreditation Services) or ANAB (American National Accreditation Board).
The readers are reminded that the certification mentioned here is not the "EU GDPR Certification" as referenced in Articles 42 and 43 of the GDPR. The Certification stated in the GDPR would need to be reviewed and approved by the European Data Protection Board (EDPB). Successful certification to ISO/IEC 27701 does not relieve an organization's obligation to comply with relevant laws and regulations.
Benefits of Certifying to ISO/IEC 27701
- An objective way to demonstrate your organization's effort, capability, and results of meeting all applicable customer and regulatory privacy requirements.
- An achievement to show your current and future customers that your privacy management has attained world-class benchmark
- An opportunity to enhance your organization's privacy competence and awareness by having a 3rd party monitoring.
- An attraction to more businesses because of your organization's demonstration to respect privacy.
Conclusion
Although some jurisdiction such as EU's GDPR provide a mechanism for an organization to demonstrate its compliance to GDPR (Article 42 and 43), assessment programs representing this mechanism is not yet available. On the other hand, businesses would like to have confidence that their service providers are managing their privacy issues. Implementation of a Privacy Information Management System (PIMS) or certification to ISO/IEC 27701 is currently a good solution for a data controller to demonstrate to its directors and customers, and for a data processor to demonstrate to its customers that they are managing the issues.
Article provided by: Chris Yau (SGS Hong Kong Limited, Hong Kong)
Discover more about INPLP, the INPLP-Members and the GDPR-FINE database
Dr. Tobias Höllwarth (Managing Director INPLP)