The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) drew up a new reference standard in August 2019: ISO/IEC 27701:2019 for privacy information management. The new standard is intended to address the urgent need for companies to meet their privacy regulatory obligations and the need for an increasingly clear and shared regulatory framework.
ISO/IEC 27701 standard represents an important step forward in the definition of certification schemes for the processing of personal data. It provides operational instruments on important technical and organizational aspects that are increasingly left to the free interpretation of each organization by national and European legislation.
Following the entry into force of the General Data Protection Regulation (GDPR), there has been a real quantum leap in the field of privacy due to the express introduction in the sector's legislative system of the key principle of accountability (Article 5 paragraph 2 of the GDPR).
Following this principle, the GDPR requires the data controller to adopt policies and implement appropriate measures to ensure and show evidence that the processing of personal data complies with the Regulation itself.
The Regulation, therefore, does not provide pragmatic instructions but requires the organization to take a proactive and dynamic approach that is not limited to mere regulatory compliance, but it requires the cyclical implementation of the following steps:
- implement measures that make any processing carried out per the provisions of the Regulation;
- adopt legal, technical and organizational measures that provide a guarantee of such compliance;
- base the choice of measures on preventive risk analyses;
- demonstrate the compliance thus guaranteed to all stakeholders involved (e.g. competent Data Protection Authorities, inspection or judicial bodies, DPO, data subjects, etc.).
Due to this extreme freedom granted by the regulation to organizations, at international level ISO and IEC have designed ISO/IEC 27701 standard as a practical instrument for the management of personal information and a useful way to demonstrate compliance with current privacy regulations.
The requirements and controls of the standard are perfectly in line with international technical standards (ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 29100, etc.) and make explicit reference to GDPR for the fulfillment that affect the organization as a data controller and/or data processor.
Why create the new standard?
As already described in our previous article, ISO/IEC 27001 standard allows implementing an ISMS (Information Security Management System) to ensure the security of the company's information assets, through the satisfaction of specific requirements and controls. The latter is better specified in ISO/IEC 27002 which provides guidelines for their implementation.
However, these two standards do not take privacy aspects strictly into account.
ISO/IEC 27701 was developed to implement a specialized ISMS on privacy, defined by the standard as PIMS (Privacy Information Management System). Compliance with the standard will have a tangible effect on the production of evidence. It will facilitate the business and will be able to concretely help the institution to comply with the principle of accountability provided by the GDPR.
Although the standard does not confer certification as provided for in Chapter IV Section 5 of the GDPR, it allows verifying whether the processing carried out by an organization complies with the GDPR.
Content and structure of the standard: clauses, controls, and annexes
ISO/IEC 27701 is an extension of ISO/IEC 27001 and ISO/IEC 27002 standards and must be applied in conjunction with them; the standard starts with an introductory part in which the objectives, scope, other reference standards, and terminology are identified.
Paragraphs 5 to 8 contain the so-called "clauses", i.e. the requirements that must be satisfied and implemented by an organization to be compliant with ISO/IEC 27701; short descriptions of their content will be provided hereafter.
Clause 5 describes the requirements of the PIMS and takes up in detail all the clauses already defined in ISO/IEC 27001 (understanding of context, leadership, support, risk assessment, etc.), and complements them with considerations for the specific aspects of personal data;
Clause 6 below takes over the control guidelines contained in ISO/IEC 27002 and complements them regarding the privacy and data protection area; it is, therefore, detailed guidance for privacy risk mitigation measures.
The following Clauses 7 and 8 are additional conditions for data controllers and data processors respectively; specific aspects are taken into account, including the collection of consent, the PIA (Privacy Impact Assessment) and privacy by design and by default.
The measures to mitigate the privacy risk deriving from the management of the security of personal data (the so-called “controls”) are an extension and specialization of the controls provided for by ISO/IEC 27001. They are reported in Annexes A and B. These controls are all mandatory unless justified and documented (formally) by the organizations (in the document called "Statement of applicability").
In addition, there are the following 6 very useful annexes that report both the technical/organizational measures to mitigate privacy risk and links to other current ISO/IEC standards:
- Annex A: it identifies the controls that must be implemented by a Data Controller;
- Annex B: it identifies the controls that must be implemented by a Data Controller;
- Annex C: it is a mapping of ISO/IEC 27701 clauses with respect to ISO/IEC 29100 Information Technology - Privacy Techniques - Privacy Framework;
- Annex D: it is a mapping of ISO/IEC 27701 clauses against GDPR;
- Annex E: it contains the mapping to ISO/IEC 27018 Information Technology - Security Techniques - Code of Practice for Protection of Personally Identifiable Information (PII) in public clouds acting as PII and to ISO/IEC 29151 Information Technology - Security Techniques - Code of Practice for Personally Identifiable Information Protection;
- Annex F: it describes further ways to apply ISO/IEC 27001 and ISO/IEC 27002 to the privacy domain
In conclusion, it can be stated that ISO/IEC 27701:2019 is an important standard to improve your business and to demonstrate accountability to the privacy legislation in force and also it provides a clear management system useful to all stakeholders (Organizations, DPO, S.A., data subjects) involved in the processing and protection of personal data. Get in touch with our experts for a free call to discuss your cyber security needs.