Following the General Data Protection Regulation (GDPR) and many other similar privacy laws and regulations being introduced around the world, there has been an increasing need for a standard or certification that organisations can use to demonstrate compliance with data privacy best practice.
ISO/IEC 27701, released in August 2019, seeks to fill this gap. ISO 27701 is an extension of ISO 27001, which means that an organisation seeking ISO 27701 certification must already hold ISO 27001 certification, or implement both standards together. It provides an international approach to privacy protection as a component of information security management.
ISO 27701 can be viewed as a privacy best practice guide to policies and procedures that should be in place to comply with GDPR and other data protection/privacy regulations and international laws. It details operational checklists that can be adapted to a variety of regulations, including GDPR.
Companies can document their policies, processes and procedures in line with the standard’s checklists, which, when put into operation, will provide evidence of a best practice approach. This can be audited by internal and third-party auditors, resulting in detailed evidence of compliance with the standard.
Compliance with ISO 27701 helps companies maintain an effective privacy and information security management system and reduce privacy risks. It is also a good way to demonstrate to consumers, external organisations and other stakeholders that controls are in place to keep data safe and to comply with GDPR and other privacy laws.
Why was the ISO 27701 standard introduced?
ISO 27701 was created to set out the requirements and guidance for a Privacy Information Management System (PIMS) covering privacy protection and the processing of personally identifiable information (PII). It provides a standard for data privacy controls which, when coupled with an Information Security Management System (ISMS), allows an organisation to demonstrate effective data privacy management.
The Data Protection Act (DPA) came into force to regulate how personal or consumer data is used by companies and other organisations. It safeguards individuals and establishes rules for the use of personal data.
The General Data Protection Regulation (GDPR) establishes a common set of data protection rules for all EU member states. It makes it easier for EU citizens to understand how their data is being used and to file a complaint should they have a problem with how their information is handled, even when their data is stored in a country other than the one they live in.
The ISO 27701 Standard provides the framework for assisting, guiding, and demonstrating compliance with the DPA, GDPR and similar laws and regulations.
Personally Identifiable Information (PII)
Personally identifiable information is data that can be used to identify a person. By itself, the information may not be sensitive, but when used in context, or combined with other information, it may result in a risk to the rights and freedoms of an individual.
Personally identifiable information could include a person’s name, address, date of birth, national insurance number, phone number, email address, bank details and so on. PII can also be electronic identifiers, such as IP addresses, geolocation tags and ID numbers.
What is a PIMS?
A Privacy Information Management System covers the systems an organisation has in place for collecting, processing, storing, and deleting personally identifiable information (PII). The main objective of a PIMS is to ensure that the organisation has the right controls in place to maintain legal compliance in relation to the handling of personal data.
Putting in place a privacy information management system helps organisations comply with regulations like GDPR. The penalty for breaching data protection legislation in the UK and EU can be significant. Under the GDPR the maximum fine is €20 million or 4% of total worldwide annual turnover (whichever is higher); the UK GDPR sets the equivalent maximum at £17.5 million or 4% of turnover.
How does ISO 27701 work with other ISO Standards?
ISO 27701 is an extension of ISO/IEC 27001, which is one of the most widely used international standards for information security management. If your organisation is already aligned with ISO/IEC 27001, integrating the new privacy controls of PIMS may be relatively straightforward.
ISO 27701 also relates to other ISO standards, such as ISO/IEC 27002 (Information Security Controls) and ISO/IEC 29100 (Privacy framework). ISO 27701 adds a data privacy layer to existing information security standards. If you are already operating in line with these other ISO standards, you may be covering some aspects of ISO 27701 already.
If you think your business could be affected by any of the privacy or security issues discussed above, KRYPSYS may be able to help. Please feel free to contact us at www.krypsys.com/contact-us/