ISO 27701: ISO Meets the GDPR
What is ISO 27701?
The ISO/IEC 27701:2019 standard was published on August 6, 2019, and provides the requirements and guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013. This extension replaces the development standard ISO 27552.
This extension will be most relevant for personally identifiable information (PII) controllers and processors but can be used by organizations of any kind, size, and location. ISO 27701 allows these organizations to improve their PIMS by enhancing their Information Security Management System (ISMS). Since ISO 27701 is an extension of the ISO 27001 standard, there will not be a stand-alone certification for ISO 27701.
As privacy concerns and requirements continue to increase globally, the addition of ISO 27701 to ISO 27001 certifications will become increasingly important to organizations.
ISO 27701 Standard Structure:
- Clauses 5 and 6: Provide additional specific guidelines related to privacy for ISO 27001 and ISO 27002
- Clause 7: Provides 31 controls that will be relevant to PII controllers and includes the following controls objectives:
- 7.2 Conditions for collection and processing: To determine and document the processing is lawful, with legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes
- 7.3 Obligations to PII Principles: To ensure that PII principles are provided with appropriate information about the processing of their PII and to meet any other applicable obligations to PII principles related to the processing of their PII
- 7.4 Privacy by design and privacy by default: To ensure that processes and systems are designed such that the collection and processing (including use, disclosure, retention, transmission and disposal) are limited to what is necessary for the identified purpose
- 7.5 PII sharing, transfer, and disclosure: To determine whether and document when PII is shared, transferred to other jurisdictions or third parties and/or disclosed in accordance with applicable obligations
- Clause 8: Provides 18 controls that will be relevant to PII processors and includes the following control objectives:
- 8.2 Conditions for collection and processing: To determine and document that processing is lawful, with legal bases as per applicable jurisdictions, and with clearly defined and legitimate purposes
- 8.3 Obligations to PII principals: To ensure that PII principals are provided with the appropriate information about the processing of their PII, and to meet any other applicable obligations to PII principals related to the processing of their PII
- 8.4 Privacy by design and privacy by default: To ensure that processes and systems are designed such that the collection and processing of PII (including use, disclosure, retention, transmission and disposal) are limited to what is necessary for the identified purpose
- 8.5 PII sharing, transfer, and disclosure: To determine whether and document when PII is shared, transferred to other jurisdictions or third parties and/or disclosed in accordance with applicable obligations
- Annex A & Annex B: PIMS specific control objectives and controls for PII controllers and PII processors respectively
- Annex F: Informal guidance on practical applications of ISO 27701
Impact of ISO 27701:
A primary operational impact of ISO 27701 is the inclusion of privacy concepts and, in particular, the incorporation of many articles from the General Data Protection Regulation (GDPR) into the ISO framework. Similar to the focus of the GDPR on the controller and processors processing of personal data, ISO 27701 places the responsibility of compliance on the PII controllers (the person or agency who determines the purposes and means of the processing of personal data) and the PII processors (the person or agency who processes personal data on behalf of the controller).
Requirements applicable to and impacting both PII controllers and processors:
- Security: Physical, operational and administrative controls are required to protect PII.
- Confidentiality and Integrity: A confidentiality agreement must be executed by any individuals authorized to access PII and the integrity of the PII data must be maintained.
- Risk Assessments: To identify risks associated with new processing of PII or changes to the existing processing of PII, a privacy impact assessment must be conducted.
- Roles and Responsibilities: An individual should be appointed to develop, implement, monitor, and maintain the organization’s governance and privacy program.
- Training: Any personnel that will have access to PII will be required to complete privacy awareness training.
- Incident Management: Policies and procedures need to be established and adopted to respond to and document any incidents, including but not limited to data breaches.
- Records of Processing: Processing activities involving PII, including transfers and disclosures, must be documented and maintained by organizations.
- Transmission of PII Data: Controls must be implemented to govern the transmission of PII data.
- PII Principal Rights: Mechanisms must be in place to accommodate individuals’ right to access, correct, erase, or object to and restrict the processing of their PII, among others.
- Processor Contract Requirements: Written contracts must be in place with their processors that address specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.
- Data Minimization and Purpose Limitation: Limitations shall be placed on the PII collected to only include that which is relevant, proportional and necessary to the identified purpose, and limits the processing of PII to the purpose identified.
- Processing Limitation: Processing of PII can only occur on the documented instructions of the controller or processor (depending on the role of the customer).
- Engagement of Subcontractors: In order to use a subcontractor to process PII, a written contract is required with the subcontractor authorizing the processing of PII and ensuring the implementation of appropriate controls.
- Infringing Instruction: Processing instructions received that are perceived to infringe on applicable legislation and/or regulation must be communicated to the customer.
- Assistance with Customer’s Obligations: Measures must be implemented that assist the customer in complying with the right of individuals.
Benefits of ISO 27701:
- Streamline compliance obligations for ISO 27001 and the GDPR by integrating privacy into your organizations ISMS
- Surpass the competition and attract new customers with a demonstration of increased security and privacy in your organization
- Maintain peace of mind for your current customers that their PII is protected
- Gain a better understanding of the Privacy Information Management Systems (PIMS) implementation process
- Avoid potential fines as the enforcement of privacy protection continues to increase