There’s a new standard for data privacy: ISO 27701. Released earlier this year as an extension to the ISO 27000 series, it provides essential guidance to help organisations protect sensitive information and meet data subject rights.
ISO 27701 fills a gap left by the GDPR (General Data Protection Regulation), which contains strict rules about privacy management but doesn’t advise organisations on how to meet them.
This is understandable, because the Regulation can’t commit to best practices that might change as new technologies and privacy concerns emerge.
The same problem exists with the GDPR’s requirements for information security. Just as many organisations solved that problem by turning to ISO 27001, ISO 27701 can help them meet their privacy requirements.
What is the relationship between ISO 27701 and ISO 27001?
ISO 27701 essentially bolts privacy processing controls onto ISO 27001. Organisations that have already implemented ISO 27001 will only have a few extra tasks to complete, such as a second risk assessment to account for the new controls.
If you’re new to ISO 27001, you can think of ISO 27701 as another set of requirements, alongside the likes of ISO 27005, which contains the requirements for creating a risk management system, and ISO 27017, which governs the way you store information in the Cloud.
Privacy information management system
At the heart of ISO 27701 is a PIMS (privacy information management system), which is a central framework that helps organisations keep track of their privacy practices.
A PIMS is closely related to an ISMS (information security management system), but it covers distinct areas of the organisation.
- An ISMS helps organisations keep data accurate, available and accessible only to approved employees.
- A PIMS manages the way organisations collect personal data and helps them prevent unauthorised use or disclosure of sensitive information.
The GDPR’s requirements cover both issues, as they each fall under the wider remit of data protection.
For example, there isn’t a huge difference between an organisation selling data subjects’ information to another organisation without their consent and a cyber attacker stealing the information from its database.
There’s clearly a lower chance of catastrophic damage when an organisation shares personal data, but there are nonetheless significant, insidious effects – the most obvious being that data subjects no longer have control over who can access their information or what those parties do with it.
Given the vast amounts of data that organisations collect and the complex ways they use it, you can’t fix this issue by simply deciding not to sell data subjects’ information to third parties. You instead need a comprehensive approach to privacy that only a PIMS can provide.
Controllers and processors
If you’re familiar with the GDPR, you’ll be aware of the concepts of ‘controllers’ and ‘processors’. Broadly speaking, the controller is the organisation that determines what information will be processed and why, and the processor is the one that does the actual processing.
For example, say an organisation outsources its payroll responsibilities to a third party. The organisation is the controller, outlining who is on the payroll, what their wages are and when payments should be made.
The third party acts as the processor, providing the IT system where employees’ data is kept.
This distinction is important when it comes to ISO 27701, because controllers and processors are subject to different requirements.
Controllers are responsible for:
- Creating privacy notices;
- Implementing mechanisms to ensure that individuals can exercise their data subject rights; and
- Adopting measures to ensure the data processing meets the GDPR’s principle of privacy by design and by default.
Meanwhile, processors are responsible for:
- Meeting the instructions set by the controller, therefore mitigating the risk that data is processed excessively or without a lawful basis;
- Providing whatever information is necessary to help the controller complete a DSAR (data subject access request); and
- Informing data subjects in advance if personal data is being transferred between jurisdictions.
Become a privacy expert with IT Governance
Are you interested in managing your organisation’s privacy requirements? Our Certified ISO 27701 PIMS Lead Implementer Live Online Training Course teaches you everything you need to plan, implement, maintain and continually improve a best-practice PIMS.
Over two days, you’ll learn the technical details and practical skills needed to meet the privacy requirements of the GDPR and ISO 27001.