Home Resources Blog January 2020

ISO 27701 - The New Data Privacy Standard

24 January 2020
In 2018, GDPR was implemented across the EU and affected the data privacy considerations that organizations must afford their customers, employees, partners and prospective clients...
Since this hugely significant legislative roll out, there has been no real guidance on how an organization can remain compliant with the requirements of GDPR within their existing management systems. 

ISO 27001:2013 does include security requirements which can be implemented to protect data but there was a distinct gap between this standard and compliance with GDPR. Some organizations included (and continue to include) GDPR and other state-specific privacy legislations as something important to the standard and it is typically held on the legislative register.

However, this is not enough; simply, the effectiveness of an Information Security Management System is limited in ensuring compliance with GDPR and other data privacy regulations. ISO/IEC identified this and composed a new standard which builds on implemented ISMS to enhance existing clauses and controls and bridge the gap between the ISMS and data-privacy compliance.

ISO 27701:2019 is this new standard. NQA have recently provided a webinar which brings some of the rationale to life and provide a first look at how to implement this standard.

What is Personal Data?

Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number or could include other identifiers such as an IP address or a cookie identifier, or other factors such as personal information (i.e address, phone number or picture).

Even if an individual is identified or identifiable, directly or indirectly, from the data you are processing, it is not personal data unless it ‘relates to’ the individual. When considering whether information ‘relates to’ an individual, you need to take into account a range of factors, including the content of the information, the purpose or purposes for which you are processing it and the likely impact or effect of that processing on the individual.

Examples of Personal Data include:
  • Name and surname
  • Home address
  • Email address such as name.surname@company.com
  • Identification card number
  • Location data (for example the location data function on a mobile phone)
  • Internet Protocol (IP) address
  • Cookie ID
  • Hospital / patient data
All organizations will either process, collect, control, distribute or host some of the above data. For example, most will hold information about their employees, partners and customers.

For other organizations whose primary function can be the collection or hosting of vast quantities of data considered to be Personally Identifiable Information (PII), then ensuring compliance with their legislative requirements for Data Privacy is hugely important to their reputation. 

Breached

Since the arrival of GDPR a number of high-profile organizations have fallen foul of the legislation, and this has led to fines which now run in to Billions of Euros. This not only included EU-based organizations, but entities with trading concerns within the EU which are based outside of the EU.

The reach of the regulation goes far beyond the borders of the EU. Some high profile examples of data breach:
  • Marriot Hotels: Criminal Activity targeted the chains reservations system giving access to names and payment details. 383 million records breached. GDPR fine totalling approx. £100 million.
  • Google: Failure to respond to customer requests with regards to processing of PII. Other offenses recorded including not having a legal basis to target advertise based on user profiles. £44 million fine.
Breaches of data can draw large fines and reputational damage; clearly an understanding of how to correctly handle PII is of paramount importance to an organization, regardless of size.

Advantage of PIMS

Clearly, the “stick” is evident and damaging to an organization; but what about the carrot? The benefits associated with implementing a Privacy Information Management are significant. Furthermore, if an organization already has a functioning ISMS then implementing the PIMS is a relatively straight forward process as the PIMS relies on the Annex A controls that would have been slected when implementing the ISMS.

The benefits of the implementation of an ISMS are well documented. Here I have outlined some of the wider implications for an organization for the implementation of the PIMS technical extension.
 
ISO 27001:2013 provides a framework by which an organization can identify the information security legislation applicable to its activities, products, services and identified risks. Such a framework extends to provide the means to comply with the regulatory requirements identified.

ISO 27701:2019 is able to give greater clarity and assurance to the compliance of legislative and regulatory requirements due to the specific focus on subject areas.

Information security risks and issues identified in ISO 27001 and ISO 27701 provides the means by which an organization can communicate and consult upon its information security risks. The output of which may:
  • Significantly reduce compliance workloads by negating the need to support multiple certifications
  • Increase trust between organizations and customers by demonstrating compliance with data privacy laws
  • Generate evidence that Data Protection Officers can provide to senior management and board members to show their progress in privacy regulatory compliance
  • Increase the opportunities for business and commerce through crossborder data flows
Training needs are identified and realized for information security, and the adequacy of subsequent training assessed through measures of competency.

By implementing information security improvement strategies and through the effective implementation of a documented information security management system, significant financial savings can be realized, not forgetting the effect that incident reduction can have upon the morale of employees, client and other key stakeholders.

As information security incidents and their associated risks are eliminated or controlled liabilities are reduced, offering greater stability to the business.

Finally, one thing which cannot be ignored is the reputational boon which will come with certification to ISO 27701. Showing your partners, clients, competitors and prospects that you are committed to and can demonstrate compliance with data privacy requirements cannot be understated.

In the information age – showing that you are committed to data privacy should part of the fabric of every enterprise and business. Where the processing of information forms a significant procedural consideration; having the confidence that you are compliant with regulation is a must. The consequences of non-compliance can be severe.

Ensure your organization is GDPR compliant — request a free quote from NQA to get started with your certification.

If you are interested in learning more about ISO 27701 or Informational Security Management in general, NQA offer training on the subject here.