ISO 27701:2019 and the GDPR
The EU General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA) both rquire organisations to protect and ensure the privacy of any personal data which they process. However, neither the GDPR nor the DPA provide much guidance on what measures organisations should take to safeguard the privacy of that data. This is where ISO/IEC 27701:2019 (ISO 27701) fits in by providing you with a best practice framework to implement a privacy information management system (PIMS) and improve your data protection/data privacy capabilities.
The Standard, which was published in August 2019, provides the requirements and guidance for establishing, implementing, maintaining and continually improving a PIMS as an extension of ISO/IEC 27001:2013 and ISO/IEC 27002:2013. ISO 27701 outlines a framework for personally identifiable information (PII) controllers and PII processors to manage privacy controls so that the risk to individual privacy rights is reduced.
Whilst naturally influenced by the release of the GDPR, ISO 27701 is unique in that it has been designed to provide a framework on how organisations should manage personal information and demonstrate compliance irrespective of which local privacy regime applies, including the GDPR.
Benefits of implementing and certifying against ISO 27701:2019
You will be able to:
- Utilise and maximise your existing ISO 27001 ISMS as part of a privacy compliance framework. In the process, you can reduce complexity by integrating your approach to information security and data protection and negating the need to develop separate information security and privacy management systems.
- Reduce the complexity of maintaining compliance with regulations from multiple jurisdictions around the world. Annex D of ISO 27701, for example, maps against the GDPR and shows how complying with the requirements and controls of the Standard can help meet the obligations of the Regulation. Other annexes of ISO 27701 map to the privacy framework and principles defined in ISO/IEC 29100:2011, as well as ISO/IEC 27018:2019 and ISO/IEC 29151:2017.
- By implementing ISO 27701, you will automatically generate documentary evidence of how you process PII. This evidence can be used by you to demonstrate to senior management, key stakeholders and business partners that you have taken steps to implement appropriate technical and organisational measures to reduce risks and protect PII, as required by the GDPR and other international regulations and laws.
- Address your information security and privacy risks and reduce the time responding to client-requested and contractually required audits. A notable feature of ISO 27701 is its versatility and it is written in such a way that it can be used by organisations of all sizes and from all sectors. The Standard provides clear guidance and differentiates between controllers and processors, so whatever your status you will receive the appropriate advice and guidance in protecting your PII.
- Demonstrate your commitment to protecting client and stakeholder personal data. PIMS certification can help you to build trust with customers, partners and the wider public.
- Benchmark and continually improve your management of personal data against recognised best practice.
- Protect your reputation and minimise adverse publicity.
- Gain competitive advantage when seeking and retaining business.
How do I achieve certification to ISO 27701
If your organisation has already achieved certification to ISO 27001, you should find it relatively straightforward to extend your security efforts to include your processing of PII. ISO 27701 has been designed to be used by both data controllers and data processors alike. If your organisation has not implemented an ISMS, you can implement ISO 27001 and ISO 27701 simultaneously as a single project, but ISO 27701 cannot be implemented as a standalone management system standard.
As one of UK’s leading implementers of ISO 27001 and with its wealth of data protection experience and expertise, URM is uniquely placed to assist you develop and implement a combined information security and privacy management system and achieve certification with ISO 27701. These services range from conducting a gap analysis (where one of URM’s consultants will assess your existing PIMS and compare it against the ISO 27701 requirement) to full lifecycle services. URM also offers a readiness assessment service for those organisations seeking certification. With the full lifecycle implementation services, URM can assist you meeting requirements such as:
- Identifying the boundaries and applicability of your proposed PIMS and reflecting the context of your organization
- Ensuring that your ISMS/PIMS has an appropriate risk assessment process
- Determining the core competency requirements for individuals supporting the operation of your PIMS
- Developing and implementing a training and awareness programme for different types of personnel
- Developing PII specific policies, processes and notices or extending existing IS documents, e.g. security incident policy, PII data retention policy.
- Defining the lawful bases for processing your PII
- Developing and conducting privacy impact assessments (PIAs)
- Defining your approach to ‘privacy by design’ and ‘privacy by default’
- Establishing a process for returning, transferring and/or disposing of PII in a secure manner.
- Planning and establishing a continual improvement process.