Regulatory changes, new policies and protections, and some technology solutions are now in place to confront these challenges and mitigate the damage, as awareness of and concern about the collection, storage and use of personal information continue to grow. The State of California, for instance, enacted the California Consumer Privacy Act in 2018, and the European Union's General Data Protection Regulation (GDPR), enforceable since May 2018, harmonizes data protection law across the member states.
Along with these regulatory and policy changes, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) published ISO/IEC 27701 in 2019. It is an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management, specifying requirements and guidance for a Privacy Information Management System (PIMS): how organizations should manage and protect personally identifiable information (PII) and how to demonstrate compliance with privacy regulations around the world. As with many ISO management-system standards, certification to ISO/IEC 27701 is a useful way for an organization to give independent credibility to its commitment to privacy and data protection.
ISO/IEC 27701 In Context
Many organizations have already implemented an Information Security Management System (ISMS) based on ISO/IEC 27001, using the control guidance in ISO/IEC 27002. A PIMS is built on that ISMS: ISO/IEC 27701 adds privacy-specific requirements to the ISO/IEC 27001 clauses and privacy-specific guidance to the ISO/IEC 27002 controls, so it is the logical, practical and efficient means of integrating the new privacy controls. In short, because it is part of the ISO/IEC 27000 family, PIMS implementation and audit should be less expensive and easier to achieve for ISO-savvy organizations of any size, in any industry.
ISO/IEC 27701 addresses many GDPR obligations; Annex D of the standard maps its controls to the relevant GDPR articles, and the standard could serve as the basis of a certification mechanism of the kind envisaged by Article 42 of GDPR. Note the caveat: an ISO/IEC 27701 certificate is not by itself an Article 42 certification, which must be issued under a scheme approved by a supervisory authority or the European Data Protection Board. ISO/IEC 27701's control set includes technical and organizational measures that implement information security in a way that also addresses privacy requirements. Demonstrating compliance with these controls, and generating the required documentation as evidence of how an organization handles PII, can:
- increase trust between organizations and data partners.
- reduce compliance workload by extending the existing ISO/IEC 27001 audit cycle instead of maintaining a separate privacy certification.
- generate assurance evidence that Data Protection Officers can present to senior management and board members to show privacy regulatory compliance.
- increase the opportunities for business and commerce through the EU Digital Single Market and cross-border data flows.
Privacy Information Management System (PIMS) Basics
The standard helps organizations extend an existing ISMS with additional requirements to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS). It distinguishes two roles, the PII Controller and the PII Processor, and provides separate guidance and control sets for each (Annex A for controllers, Annex B for processors). Together, these controls reduce the risk to the privacy rights of the individuals whose PII is processed.
A PII Controller determines the purposes and means for which PII is processed; in practice this is usually the organization that collects it. Two or more organizations can jointly determine those purposes and means, in which case they act as joint PII controllers (called joint controllers under GDPR), and this is typically where data-sharing agreements setting out each party's responsibilities become necessary. A PII Processor processes PII on behalf of, and only on the documented instructions of, a PII Controller.
The ISO/IEC 27701 Consultant Advantage
ISO/IEC 27701 is intended to be a certifiable extension of an ISO/IEC 27001 certification and cannot be certified on its own. In other words, an organization seeking ISO/IEC 27701 certification must also hold, or obtain at the same time, an ISO/IEC 27001 certification. To assess their current state and to support ISO/IEC 27001 and ISO/IEC 27701 implementation, compliance and certification, organizations turn to the Alchemi Advisory Group for its expertise and experience in ISO standards and their importance to business efficiency and improvement. Alchemi Advisory Group experts track developments in the standards world and apply that knowledge to enterprise-wide operations as well as to project-specific and process-specific improvement.