There’s a new standard for data privacy – ISO 27701. It’s the first document in the ISO 27000 series dedicated to privacy, explaining how organisations can create a PIMS (privacy information management system) and meet the best practices outlined in regulations such as the GDPR (General Data Protection Regulation).
Its controls will be very familiar to those who have adopted ISO 27001, the international standard for information security, as it essentially bolts privacy processing controls onto the existing framework.
ISO 27701 and ISO 27001: Privacy vs security
Despite how neatly ISO 27701 ties into ISO 27001, they cover different topics. The former addresses organisations’ privacy controls, whereas ISO 27001 addresses information security.
To put it another way:
- Information security relates to the way an organisation keeps data accurate, available and accessible only to approved employees.
- Data privacy relates to the way an organisation collects personal data and prevents unauthorised use or disclosure.
For example, if an organisation collects excessive amounts of information on an individual, that’s a privacy violation. The same is true if an unauthorised employee or cyber criminal gets hold of the data.
When building an information security framework, organisations must take a few extra steps to ensure that privacy concerns are also accounted for.
ISO 27701 addresses this by expanding on the clauses of ISO 27001 and the Annex A controls that relate specifically to data privacy, and by providing two additional sets of controls specific to data controllers and data processors.
It also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO 29100. These cover a wider range of privacy concerns, including those discussed in data protection regulations internationally.
ISO 27701 and the GDPR
Although it has ‘data protection’ in its name, the GDPR is equally concerned about data privacy.
However, as you will have already learned when implementing the Regulation, it doesn’t include guidance on how to meet its requirements. This is deliberate: it prevents the GDPR from becoming outdated as best practices evolve and new technologies become available.
That’s all well and good for the long term, but what are organisations supposed to do right now?
ISO 27701 answers that question, explaining how to ensure data privacy is addressed adequately.
Get your copy of ISO 27701
Find out what ISO 27701 contains by picking up your copy of the Standard today.
You’ll discover exactly how it relates to ISO 27001 and what you must do to achieve compliance.
There’s no need to be concerned about the complexity of the document, as it provides instructions on how to implement its requirements.