What, When, Why, Where, and How of Privacy Info Mgmt Syst.

What is ISO 27701?

ISO 27701 was released in August of 2019, seeks to provide a truly international approach to privacy protection as a component of information security.

ISO 27701 is a framework for data privacy that builds on ISO 27001. This latest privacy best practice guides organisations on policies and procedures that should be in place to comply with GDPR and other data protection/privacy regulations and laws.

(ISO 27701 – The Standard for Privacy Information Management

ISO 27001, ISO 27002 (PIMS) extension for compliance with privacy laws & regulations)

The ISO 27701 standard, a PIMS (Privacy Information Management System) standard, lays out a detailed set of operational checklists that can be adapted to a variety of regulations, including GDPR. Companies document their policies, procedures, protocols and activities in line with the standard’s operational checklists, with records then audited by internal and third-party auditors, resulting in detailed proof of compliance with the standard. ISO 27701 helps companies to maintain an effective privacy and information security system and reduce privacy risks.

ISO 27701 is an impressive way of demonstrating to consumers, external organisations and internal stakeholders, that mechanisms are in place to keep data safe and to comply with GDPR and other privacy laws.?

ISO 27701 is an extension of ISO 27001 which means that organisations intending to implement ISO 27701 certification must have ISO 27001, or complete both standards simultaneously.

Why was ISO 27701 developed?

ISO 27701 was developed to provide a standard for data privacy controls, which, when coupled with an ISMS, allows an organisation to demonstrate effective privacy data management.

ISO 27701 establishes the parameters for a PIMS in terms of privacy protection and processing personally identifiable information (PII).

The Benefits of ISO 27701

The data protection standard

The Data Protection Act (DPA) came into law to regulate how personal or consumer data is used by companies and government agencies in the UK. It safeguards individuals and establishes guidelines for the use of personal data.

The General Data Protection Regulation (GDPR) seeks to establish a common set of data protection laws for all EU member states. Even if they are not in the country where their data is stored, GDPR makes it easier for EU citizens to understand how their data is being used and to file any complaints, should they have a problem with how their information is used. The ISO 27701 Standard provides the framework for assisting, guiding, and demonstrating compliance with the DPA, GDPR and similar laws and regulations.

What’s personally identifiable information?

Personally identifiable information is the data that can be used to specifically identify a person. By itself, the information may not necessarily be sensitive but, when taken in context, this data can lead to a variety of conclusions about an individual or company.

Personally identifiable information includes an individual’s name, address, birthday, national insurance number, phone number, email address, and so on. PII may also include electronic identifiers, like IP addresses, geo location tags and ID numbers.

What is privacy information management?

Privacy information management covers the methods an organisation has for collecting, processing, storing, and destroying personally identifiable information, also known as PII.

Putting in place a privacy information management system ensures that organisations comply with regulations like GDPR. The penalty for breaching data protection legislation in the UK and EU can be serious. For example, the maximum fine is about €17 million or 4% of total worldwide turnover (whichever is higher).

What are the building blocks of the standard?

ISO 27701 is an extension of ISO/IEC 27001, which is one of the most widely used international standards for information security management. If your organisation is already acquainted with ISO/IEC 27001, integrating the new privacy controls of PIMS may be relatively straightforward. ISO 27701 is also based on other standards, like ISO 27002 and ISO 29100.?ISO 27701 adds a data privacy layer to previous information security standards. If you are ticking the boxes for other standards you may be ticking some of the boxes for ISO 27701 already.

Important points to remember about ISO 27001 and PIMS:

PIMS provides new controller- and processor-specific controls that help organisations overcome the challenges of privacy and security by establishing a point of convergence between what could be two different functions.

Security is important for privacy. ISO 22701 PIMS relies on ISO 27001 for security management. IS0 27701 certification is only available as an add-on to ISO 27001 certification and cannot be obtained as a standalone certificate.