Privacy Information Management System
The International Organisation for Standardisation (ISO) and the International Electrotechnical Commission (IEC) developed ISO 27701 to give businesses the guidance they need to address data privacy effectively and to bridge the gap between existing management system requirements and global data privacy legislation.
What is ISO 27701, and Why is it Needed?
In common with many privacy laws worldwide, GDPR offers little guidance on how to implement the processes needed to comply with it. ISO 27701:2019 is a privacy extension to the international information security management standard, ISO 27001 (ISO 27701 Security techniques – Extension to ISO 27001 and ISO 27002 for privacy information management – Requirements and guidelines).
ISO 27701 details the requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). The standard builds on the requirements, control objectives, and controls of ISO 27001 and adds a suite of privacy-specific requirements, controls and control objectives.
Information security concepts are already familiar to organizations operating an Information Security Management System (ISMS). A PIMS extends that foundation so that organizations have comprehensive, universally applicable data governance that maps directly to the legislative requirements of their jurisdictions.
The standard was drafted with input from experts and data protection authorities worldwide, including the European Data Protection Board. Data protection legislation from all continents was taken into account. It is close to GDPR, and each clause maps to corresponding GDPR articles.
But ISO 27701 is not GDPR-specific; it is a global standard, and it represents the state of the art in privacy protection. Organizations implementing it therefore demonstrate a proactive approach to personal data protection.
GDPR – An Overview of the Legislation
The GDPR was adopted by the EU in April 2016 and replaced the EU Data Protection Directive 95/46/EC. It imposes obligations on any organization that processes personal data, including organizations outside the EU, and it has harmonized privacy legislation across the EEA.
The requirements of the GDPR also bind any non-EU entity offering goods or services to individuals in the EU. Businesses and organizations with sizeable personal data processing requirements are uniquely affected, and ensuring conformity to the legislation is paramount.
Organizations must have a lawful basis for processing personal data and only process it for a specified purpose. Individuals have the right to request a copy of all data held on them, including an explanation of how such data is used and if third parties have access.
Individuals may request that their data be passed to another data processor; they also have the right to withdraw consent for processing and to request that data which is no longer required be erased.
Organizations and individuals who process personal data must have appropriate security controls to ensure the confidentiality of the data they hold or process. Personal data can be transferred outside the EU, but only to countries with adequate legislation for preserving the rights of EU data subjects.
Data breaches must be notified to the supervisory authority (for the UK, the Information Commissioner's Office, ICO) within 72 hours of the organization becoming aware of the breach. The ICO is the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
ISO 27701 Certification – Benefits
- Flexible enough to accommodate jurisdictional specifics
- Supports compliance with other privacy regulations
- Integrates with the leading information security standards
- Demonstrates next-level data protection
- Builds trust
- Circumvents privacy audits
- Wins more business
- Improves public perception