ISO 27701 - The Data Privacy Standard
ISO 27001:2013 does include security requirements which can be implemented to protect data but there was a distinct gap between this standard and compliance with GDPR. Some organizations included (and continue to include) GDPR and other state-specific privacy legislations as something important to the standard and it is typically held on the legislative register.
However, this is not enough; simply, the effectiveness of an Information Security Management System is limited in ensuring compliance with GDPR and other data privacy regulations. ISO/IEC identified this and composed a new standard in 2019 which builds on implemented ISMS to enhance existing clauses and controls and bridge the gap between the ISMS and data-privacy compliance.
ISO 27701:2019 is this new standard. Watch this video on demand below which brings some of the rationale to life and provide a first look at how to implement this standard.
What is Personal Data?Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors such as personal information (i.e address, phone number or picture).
Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.
Examples of Personal Data include:
Name and surname
Email address such as email@example.com
Identification card number
Location data (for example the location data function on a mobile phone)
Internet Protocol (IP) address
Hospital / patient data
For other organizations whose primary function can be the collection or hosting of vast quantities of data considered to be Personally Identifiable Information (PII), then ensuring compliance with their legislative requirements for Data Privacy is hugely important to their reputation.
BreachedSince the arrival of GDPR a number of high-profile organizations have fallen foul of the legislation, and this has led to fines which now run in to Billions of Euros. This not only included EU-based organizations, but entities with trading concerns within the EU which are based outside of the EU.
The reach of the regulation goes far beyond the borders of the EU. Some high profile examples of data breach:
- Marriot Hotels: Criminal Activity targeted the chains reservations system giving access to names and payment details. 383 million records breached. GDPR fine totalling approx. £100 million.
- Google: Failure to respond to customer requests with regards to processing of PII. Other offenses recorded including not having a legal basis to target advertise based on user profiles. £44 million fine.
Advantage of PIMSClearly, the “stick” is evident and damaging to an organization; but what about the carrot? The benefits associated with implementing a Privacy Information Management are significant. Furthermore, if an organization already has a functioning ISMS then implementing the PIMS is a relatively straight forward process as the PIMS relies on the Annex A controls that would have been slected when implementing the ISMS.
The benefits of the implementation of an ISMS are well documented. Here I have outlined some of the wider implications for an organization for the implementation of the PIMS technical extension.
ISO 27001:2013 provides a framework by which an organization can identify the information security legislation applicable to its activities, products, services and identified risks. Such a framework extends to provide the means to comply with the regulatory requirements identified.
ISO 27701:2019 is able to give greater clarity and assurance to the compliance of legislative and regulatory requirements due to the specific focus on subject areas.
Information security risks and issues identified in ISO 27001 and ISO 27701 provides the means by which an organization can communicate and consult upon its information security risks. The output of which may:
Significantly reduce compliance workloads by negating the need to support multiple certifications
Increase trust between organizations and customers by demonstrating compliance with data privacy laws
Generate evidence that Data Protection Officers can provide to senior management and board members to show their progress in privacy regulatory compliance
Increase the opportunities for business and commerce through crossborder data flows
By implementing information security improvement strategies and through the effective implementation of a documented information security management system, significant financial savings can be realised, not forgetting the effect that incident reduction can have upon the morale of employees, client and other key stakeholders.
As information security incidents and their associated risks are eliminated or controlled liabilities are reduced, offering greater stability to the business.
Finally, one thing which cannot be ignored is the reputational boon which will come with certification to ISO 27701. Showing your partners, clients, competitors and prospects that you are committed to and can demonstrate compliance with data privacy requirements cannot be understated.
In the information age – showing that you are committed to data privacy should part of the fabric of every enterprise and business. Where the processing of information forms a significant procedural consideration; having the confidence that you are compliant with regulation is a must. The consequences of non-compliance can be severe.
If you are interested in learning more about ISO 27701 or Informational Security Management in general, NQA offer training on the subject here.
Reviewed by: Tim Pinnell, NQA Information Security Assurance Manager