ISO 27701 is the international standard for privacy information management. Its controls will be very familiar to those who have adopted ISO 27001, the international standard for information security, because ISO 27701 is published as an extension to ISO 27001 and ISO 27002: it essentially bolts privacy-specific processing controls onto the existing framework.
Let’s take a look at how ISO 27701 helps organisations create a PIMS (privacy information management system) and meet best practices outlined in regulations such as the GDPR (General Data Protection Regulation).
ISO 27701 and ISO 27001: privacy vs security
Despite how neatly ISO 27701 ties into ISO 27001, the two cover different topics. ISO 27701 addresses an organisation’s privacy controls, whereas ISO 27001 addresses information security.
To put it another way:
- ISO 27001 relates to the way an organisation keeps information confidential (accessible only to those authorised to see it), accurate and available, whoever that information is about.
- ISO 27701 relates to the way an organisation collects and uses personal data, and to how it prevents that data being used or disclosed without authorisation.
For example, if an organisation collects excessive amounts of information on an individual, that is a privacy violation even though no security control has failed. If an unauthorised employee or a cyber criminal gets hold of that data, it is both a security incident and a privacy violation.
When building an information security framework, organisations must take a few extra steps to ensure that privacy concerns are accounted for.
ISO 27701’s approach recognises this by expanding on the clauses of ISO 27001 and controls in Annex A that relate specifically to data privacy, as well as providing two additional sets of controls specific to data controllers and data processors.
It also goes beyond information security principles by directing the reader to the broader privacy principles in ISO/IEC 29100, the international standard that provides a privacy framework for personal data held in IT systems.
These cover a wider range of privacy concerns, including those discussed in data protection regulations internationally.
ISO 27701 and the GDPR
Although it has ‘data protection’ in its name, the GDPR is equally concerned with data privacy.
However, as you will have already learned during your GDPR compliance programme, it sets out what organisations must achieve but says little about how to achieve it.
This is to prevent the GDPR from becoming outdated as best practices evolve and new technologies become available.
That’s all well and good for the long term, but what are organisations supposed to do right now?
ISO 27701 answers that question, explaining how to ensure data privacy is addressed adequately.
Controllers and processors
If you’re familiar with the GDPR, you’ll be aware of the concepts of ‘controllers’ and ‘processors’. Broadly speaking, the controller is the organisation that determines what information will be processed and why, and the processor is the one that does the actual processing.
For example, say an organisation outsources its payroll to a third party. The organisation is the controller: it decides who is on the payroll, what their wages are and when payments should be made.
The third party acts as the processor, running the payroll on the controller’s instructions and providing the IT system where employees’ data is kept.
This distinction is important when it comes to ISO 27701, because controllers and processors are subject to different requirements.
Controllers are responsible for:
- Creating privacy notices;
- Implementing mechanisms to ensure that individuals can exercise their data subject rights; and
- Adopting measures to ensure that processing meets the GDPR’s requirement for data protection by design and by default.
Meanwhile, processors are responsible for:
- Processing personal data only on the controller’s documented instructions, which mitigates the risk that data is processed excessively or without a lawful basis;
- Providing whatever information is necessary to help the controller respond to a DSAR (data subject access request); and
- Informing the controller in advance of any transfer of personal data between jurisdictions, and of the basis for that transfer, so that the controller can object.
Want to know more?
ISO/IEC 27701:2019: An introduction to privacy information management offers a concise introduction to the Standard, helping you create or improve your PIMS.
You can use this guide – written by Alan Shipman, the managing director of Group 5 Training Limited, and Steve Watkins, an executive director at GRC International Group – to get to grips with the essentials of privacy management and understand:
- How to manage privacy information successfully using an ISO 27701-aligned PIMS;
- Key areas of investment for a business-focused PIMS; and
- How your organisation can demonstrate the degree of assurance it offers regarding privacy information management.