The Birth of ISO 27701:2019
How many times a day do each of us reach for our mobile devices to check out social media, connect with friends on various platforms, read the news, or shop on-line? Probably more than we would like to admit, and the one thing that all these activities have in common is ourselves.
Every time we connect to the world, we leave behind a footprint of who we are, where we might be, what we like to see or visit, interests, personal, medical, and financial information, the list goes on…
Our growing appetite for ease, speed and reach of digital connection is breathtaking, so much so that prior to regulations such as General Data Protection Regulation (GDPR), and now Californian Consumer Privacy Act (CCPA), there has been little control over managing the security of our personal data was in place, our socks and shoes exposed to the world, easy to take for those inclined and take they did.
In 2013, one of the largest incidents relating to the compromise of privacy data occurred. Yahoo discovered they had been hacked, to the tune of 3 billion records, embarrassingly a hack occurred again at Yahoo in 2014, this time compromising 500 million accounts. In 2016, Friend Finder Networks experienced a breach relating to 412 million records, root case – poor security, resulting in a very happy hacker and many upset users.
In response to wide scale hacks, GDPR was born in the EU in 2016, giving a voice of privacy expectations to a global stage for the management of securing privacy information and giving power back to individuals so we can make informed choices with data sharing, tracking, storage, and use.
In a survey carried out by SaS in 2018, over half of U.S. consumers (67%) are ready for stricter data privacy regulations such as GDPR. US consumers have strongly indicated concerns over personal data privacy, with more than a third of respondents reported cutting back their use of social media, taken steps to secure their data (such as changing privacy settings), changing or not accepting cookies, declining terms of agreement, deleting a mobile app, or removing a social media account.
What does the rise of privacy regulations mean for us, what are the benefits and indeed dis-benefits that we need to know about?
GDPR is the core Europe’s digital privacy legislation and has become the benchmark for the rest of the world to compare privacy arrangements against. Designed to give EU citizens control over their personal data, such as access to data held about the individual (Subject Access Requests), giving and removal of consent, maintaining accuracy of records, disclosure of information and understanding legitimate business purposes for processing of personal data. Failure to adhere to GDPR may result in notices and penalties from judiciary bodies within the EU.
As GDPR obligations for ensuring the protection of personal data applied to any organization operating in the EU, and also to any company gathering personal data of an EU citizen, it’s no wonder that a resulting factor is the review, and progression of privacy legislative and regulatory requirements around the world.
CCPA, taken affect January 1, 2020, addresses similar privacy obligations to the US, including disclosure of information, subject access requests and consent. No to be mistaken as a like for like for GDPR, CCPA is focused solely on California residents, and excludes categories of data such as medical, clinical, and public information. GDPR applies to the processing of all personal data, regardless of the type of data. A number of other states (New York, Nevada and Washington State) are quickly catching up to CCPA and have recently achieved implementation or are on the verge of acceptance.
As companies update and overhaul internal procedures to meet legislative obligations, at what cost does privacy actual mean to the business and its operations? Each industry is affected differently, with the collection of individual data central for many companies to provide products and services.
Significant areas of change faces Healthcare, Banking, E-Commerce, Retail, Hospitality and Insurance industries, as all now are required to consider the type of data required for provision of goods and service, how changes or access requests are facilitated, defined marketing consent arrangements, appropriate data collection and use (based on a core ‘need’ for data, not ‘nice to have’ data), data retention and risk management for data environment security, data flows and worker understanding of the daily management of personal data.
Possibility the greatest impact of the introduction of privacy regulations, is the introduction of consent for use of personal data, particularly in a marketing context. Whilst this empowers us by ensuring we only receive the information we want to see, no longer can a business freely send numerous marketing messages, or in certain territories, sell our personal data to 3rd parties without our explicit consent.
But will these changes have any affect to our perception of data? By large, the introduction of GDPR and CCPA have paved the way to stimulate the conversion of privacy, given a pause to our desire to connect via our super speed broadband, take stock and re-consider what data we are sharing, and if we are consenting for a purpose we have chosen by informed decision, not by default.
Businesses are challenged to protect our information in a dynamic, continually evolving environment, but without these challenges, how many companies would be consistent in the application to be better prepared and help protect us from dangers such as hacks, unintended changes, fraud and personal data compromise.
The birth of International Standard – ISO 27701 Privacy Information Management System (PIMS) in 2019 supports organizations to understand and identify their security efforts to cover privacy management, including processing of personal data, demonstrating that reasonable measures have been taken to comply with data protection laws such as the GDPR and CCPA.
Able to be implemented in conjunction with ISO 27001, the standard is applicable to all types and sizes of organizations (including public and private companies, government entities and not-for-profit organizations) who has an interest in collecting and/or processing personal information.
As painful as change can be, I for one welcome the chance to sleep easy at night, knowing that companies are taking action to protect my data footprint in the sand.
Authored by: Karen Womack MBA, Assist Services Limited
Privacy Forum: https://fpf.org
SaS survey: https://www.sas.com/en/whitepapers/data-privacy-110027.html#formsuccess