Protecting the Digital Privacy with PIMS (ISO 27701)


Cybersecurity is a growing concern in this connected digital world, and digital privacy faces an increasingly significant threat. Governments all over the world are introducing privacy regulations such as the GDPR and the California Consumer Privacy Act (CCPA).

ISO 27701 is a privacy extension to the international information security management standard ISO 27001. This standard specifies the requirements for, and provides guidance on, establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).


Every organization processes Personally Identifiable Information (PII). The quantity and types of PII, and the situations in which organizations handle PII, are increasing. Protection of privacy and protection of PII are a social need and should be a legal requirement as well. Two kinds of entities handle or process PII: Controllers and Processors.


PII Controllers

  • The data controller determines the purposes for which and the means by which personal data is processed. So, if your company/organization decides ‘why’ and ‘how’ the personal data should be processed, it is the data controller.
  • Your company/organization is a joint controller when, together with one or more other organizations, it jointly determines ‘why’ and ‘how’ personal data should be processed.
  • Joint controllers must enter into an arrangement setting out their respective responsibilities for complying with the Data Protection rules.
  • The main aspects of the arrangement must be communicated to the individuals whose data is being processed.
  • The concept of controller is also an essential element in determining which national law is applicable to a processing operation or set of processing operations.


PII Processors

  • The data processor processes personal data only on behalf of the controller.
  • The data processor is usually a third party, external to the company. However, in the case of groups of undertakings, one undertaking may act as processor for another undertaking.
  • The duties of the processor towards the controller must be specified in a contract or another legal act. For example, the contract must indicate what happens to the personal data once the contract is terminated.
  • A typical activity of processors is offering IT solutions, including cloud storage. The data processor may only sub-contract a part of its task to another processor or appoint a joint processor when it has received prior written authorization from the data controller.
  • The concept of ‘processor’ plays an important role in the context of confidentiality and security of processing, as it serves to identify the responsibilities of those who are more closely involved in the processing of personal data, either under the direct authority of the controller or elsewhere on its behalf.


To use PIMS effectively, it is very important to understand and identify who the controllers are and who the processors are. Accordingly, the appropriate PIMS clauses can be applied to each.


Why PIMS?

  • To let individuals manage their personal data in secure local or online storage systems and share it when, and with whom, they choose.
  • To give individuals more control over their personal data.
  • To help you avoid the negative outcomes of PII breaches, such as financial penalties and brand and reputational damage.
  • To provide transparency between stakeholders.
  • Easily implementable, as it is an extension of the existing ISO 27001.


With the publication of the General Data Protection Regulation (GDPR) in 2016, we have seen an increased focus on the definition, maintenance and accountability of security measures for personal data. GDPR provides the possibility to certify your privacy program against a DPA-approved certification scheme, and it is anticipated that ISO 27701 will also be recognized in the near future.

With the wide adoption of the ISO 27001 standard, the new PIMS standard will become the preferred choice amongst service providers in a very short time.
