The demand for guidance on privacy protection and personal information management is increasingly crucial, especially in light of the GDPR principles. Fortunately, there is a valuable resource in the form of ISO/IEC 27701:2019 (ISO 27701), an International Standard that outlines the management of personal information and the demonstration of compliance with global privacy regulations, including the GDPR principles. In this blog, we will present an overview of ISO 27701 and highlight the advantages of its implementation.
Purpose of ISO 27701
ISO 27701, with its full title "Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines," serves as a privacy extension to ISO 27001 and ISO 27002. It provides best practice guidelines and requirements for privacy information management.
One of the key benefits of ISO 27701 is its ability to simplify processes by integrating with ISO 27001. This integration eliminates the need for separate information security and privacy management systems, reducing complexity and streamlining operations.
ISO 27701 offers two options for compliance: organizations can either comply with the standard or pursue certification through an accredited certification body. Achieving certification provides stakeholders with an added level of assurance, as it involves an independent validation of an organization's privacy protection and personal information management practices. This certification demonstrates a commitment to privacy and can enhance trust with customers, partners, and other stakeholders.
Evidence of Compliance with Data Protection Regulations and Legislation
ISO 27701 offers a comprehensive framework for managing compliance with privacy regulations across different jurisdictions. Unlike the British Standard BS 10012, ISO 27701 is designed to be jurisdiction/legislation neutral, making it applicable to organizations operating in various legal frameworks.
One notable aspect of ISO 27701 is its alignment with the General Data Protection Regulation (GDPR). The standard includes an appendix that specifically maps its requirements to the GDPR, helping organizations ensure compliance with this important data protection regulation.
By complying with ISO 27701, organizations naturally generate documentation that demonstrates how they process personally identifiable information (PII). This documentation forms part of a privacy information management system (PIMS), which addresses the privacy of the individuals affected by the processing of PII. Data protection managers can use this documentary evidence to provide assurance of compliance and to manage privacy risks effectively.
In summary, ISO 27701 provides a jurisdiction-neutral approach to privacy management, aligns with the GDPR, and helps organizations establish a robust PIMS to protect privacy and comply with applicable regulations.
Assurance to Stakeholders
ISO 27701 can play a crucial role in building trust and confidence among various stakeholders. By implementing and certifying your Privacy Information Management System (PIMS) according to ISO 27701 with an accredited certification body, you can provide tangible evidence of your organization's commitment to protecting personally identifiable information (PII).
Certification demonstrates that your PIMS adheres to the relevant privacy requirements outlined in ISO 27701. This can be particularly valuable if your organization acts as a PII processor, as you can use the certification to provide validated evidence to PII controllers (such as your customers) that you have implemented robust privacy controls and safeguards. This can enhance trust and assurance in your organization's ability to protect PII.
Certification can also help demonstrate your organization's commitment to privacy and data protection to other stakeholders, including partners, shareholders, and regulatory authorities. It provides independent verification of your privacy management practices and can give stakeholders greater confidence in your organization's handling of personal information.
By leveraging ISO 27701 and obtaining certification, you can not only strengthen internal assurance and governance but also establish a competitive advantage by showcasing your organization's strong privacy practices and dedication to protecting PII.
Suitable for all Organisations
ISO 27701 is designed to be applicable and adaptable to organizations of all sizes and across various industries. It recognizes the diverse nature of businesses and aims to provide guidance and requirements that can be implemented effectively regardless of the organization's specific context.
The standard's structure takes into account the roles of both PII controllers and PII processors. It provides separate guidance and requirements for each role, acknowledging their distinct responsibilities in managing and protecting personally identifiable information.
By differentiating the guidance for PII controllers and PII processors, ISO 27701 ensures that organizations can effectively address their specific obligations and concerns related to privacy information management. This enables organizations to tailor their implementation efforts according to their role in the processing of PII, promoting clarity and alignment with privacy regulations and best practices.
The versatility and clear differentiation of ISO 27701 make it a valuable tool for organizations seeking to establish and maintain robust privacy information management systems, regardless of their size, industry, or role in handling PII.
GDPR Certification?
Article 42 of the GDPR introduces the concept of data protection certification mechanisms and data protection seals and marks. These mechanisms aim to give organizations a way to demonstrate compliance with the GDPR's data protection requirements.
While ISO 27701 is not currently listed as a specific certification mechanism under the GDPR, it does offer a comprehensive framework for privacy information management that aligns with the GDPR and other privacy regulations. Achieving accredited certification to ISO 27701 can be a powerful way for organizations to demonstrate their commitment to GDPR compliance, protecting personally identifiable information (PII), and following international best practices in privacy management.
Even though ISO 27701 certification may not be formally adopted as a GDPR compliance certification mechanism, it can still be a highly effective and widely recognized method of showcasing an organization's dedication to privacy and data protection. It provides a robust framework and sets clear requirements for managing privacy information, which can be independently assessed and certified by accredited certification bodies.
By obtaining ISO 27701 certification, organizations can enhance their reputation, build trust with customers and stakeholders, and demonstrate their compliance with the GDPR and other privacy regulations. It serves as tangible evidence of an organization's commitment to protecting PII and can provide assurance to customers, regulators, and other parties that privacy management is taken seriously.
While the adoption of ISO 27701 as a specific GDPR compliance certification mechanism remains to be seen, its value as a widely applicable method for demonstrating best practices in PII protection should not be underestimated.
Do I Need to Implement or be Certified to ISO 27001 First?
If an organization has already implemented an ISO 27001-compliant information security management system (ISMS), it has a solid foundation for extending that management system to cover the processing of personally identifiable information (PII) and for developing a Privacy Information Management System (PIMS) in accordance with ISO 27701.
By leveraging the existing ISMS, organizations can streamline the implementation of privacy controls and align them with information security controls. The integration of the two management systems allows for a comprehensive approach to managing security and privacy risks.
On the other hand, if an organization has not yet implemented ISO 27001, it has the opportunity to implement a combined information security and privacy management system that integrates the requirements of both ISO 27001 and ISO 27701. This approach enables the organization to achieve certification to both standards simultaneously, demonstrating its commitment to both information security and privacy management.
Implementing a combined management system offers several benefits, including the efficient use of resources, streamlined processes, and a holistic approach to managing data protection and security. It provides a comprehensive framework for addressing both security and privacy requirements, helping organizations to protect PII and ensure compliance with applicable regulations.
Regardless of whether an organization already has an ISO 27001 ISMS or not, ISO 27701 offers a flexible approach to incorporating privacy management and can be implemented in a way that suits the organization's specific needs and objectives.