The Privacy Information Management System, defined by ISO 27701, provides a framework for integrating privacy into organizational practices.
The protection of information across the organization has proven to require a multidisciplinary effort and cross-functional expertise. Over the past years, the privacy domain has become increasingly regulated. Privacy governance remains a complex endeavor in view of regulatory attention, evolving legislation globally and societal maturity.
How ISO 27701 could be a new framework for sustained GDPR compliance
The 2019 IAPP-EY Privacy Survey revealed that next to data breaches, legal and regulatory compliance – especially with the general data protection regulation (GDPR) - assumes a high priority on the Board’s list of privacy concerns. In fact, over 40% of respondents name compliance with privacy laws and regulations as their highest priority. Yet at the same time, just over 40% of the participating privacy professionals indicate that they are only ‘moderately compliant’ with the GDPR. As such, the urgency for enhanced compliance mechanisms becomes apparent.
Across industries, we see that our clients desire a shift from project-based compliance to long-term sustainable privacy practices. The integration of privacy into overall organizational practices in order to streamline processes is a frequent ask, triggered by regulatory enforcement, social responsibility and customer satisfaction. As a means of achieving this ambition, guidance as derived from the sector-agnostic ISO 27701 standard is a way of structuring, monitoring and guiding information processed and stored at the organization.
ISO 27701 in a nutshell
Many organizations are familiar with the ISO 27001:2013 standard which focuses on the creation and maintenance of a so-called information security management system (ISMS). In addition to providing a top-down management view on information security, this standard also offers guidance on the implementation of a set of wide-reaching security controls. Crucially, the new ISO 27701 standard is an expansion to the existing ISO 27001. It broadens the ISMS to include the privacy information management system (PIMS). Thus, it is particularly relevant for organizations that have already implemented an ISMS to consider the privacy-related PIMS expansion.
As an expansion to the ISMS codified in ISO 27001, the new ISO standard broadens ‘information security’ to explicitly include provisions related to privacy. As such, it firmly situates privacy within wider organizational risk management practices and counters the notion that it can be treated as a stand-alone exercise. To allow for successful implementation of ISO 27701, a firm understanding of the organizational context is required. Amongst others, this necessitates that the role as (joint) controller and/or processor is established to specify applicable controls. Moreover, organizations are asked to identify relevant external and internal factors, such as specific local legislative requirements for privacy.
The scope and coverage of ISO 27701
The new 27001 standard comprises a range of provisions that span the lifecycle of privacy management in an organization. To cite a specific example from the standard, the approach on risk management is certainly worth highlighting. To cover the requirement for the PIMS in this respect it is either possible to perform an integrated information security and privacy risk assessment, or conduct these as two separate exercises. Another element to mention is the expansion of the so-called ‘Annex A’ controls of ISO 27001 to include privacy considerations. For instance, this relates to additional security awareness of data breach incident reporting, as well as the need for the information classification system of the organization to explicitly consider Personal Identifiable Information (PII). Thirdly, it is worth stressing that ISO 27701 offers implementation guidance specifically tailored to PII controllers and PII processors, for example with respect to performing Privacy Impact Assessments (PIA), and implementing Privacy by Design measures.
Certification and beyond
For organizations that have already implemented an ISMS, the ISO 27701 standard can serve to expand the existing efforts to include privacy and even achieve a certification for external recognition. In this respect, Article 42 of the GDPR encourages the establishment of data protection certification mechanisms and ISO27701 might serve as such a mechanism, offering benefits multiple ways. Most importantly, it helps demonstrating accountability under the GDPR, thus helping to avoid data breaches and – if a breach happens – potentially decreasing fines.
The implementation of ISO 27701 provides a sustainable mechanism to operationalize compliance through the plan-do-check-act cycle. Due to its wide applicability, all organizations dealing with PII could potentially benefit from a certificate. The standard applies to any type of organization, including public and private companies, government entities and not-for-profit organizations, and for both the PII (joint) controllers as well as the PII processors within an ISMS environment. Certification of ISO27701 as an extension to 27001 is possible, and EY CertifyPoint can assist in this matter.
However, the benefits of ISO 27701 surpass certification. Not striving for certification to ISO27001 should not withhold organizations to make use of the framework. For those organizations looking to implement internationally recognized controls and an acknowledged framework, the new standard can serve as a fruitful starting point to mature organizational privacy processes. Due to the required cross-functional efforts, the need for a structured and consistent approach to implement privacy in business as usual is high. The ISO27701 framework facilitates organizations in this endeavor.
Benefits of employing the standard can be significant. Customer satisfaction and trust can be improved since privacy processes and measures are defined, thereby resulting in more consistent quality and sound privacy safeguards. The definition and optimization of privacy processes can further result in reduced costs and fewer privacy complaints. Moreover, ISO 27701 can support organizations with demonstrating compliance through its evidence-based privacy program to regulators and other stakeholders alike.
In conclusion, ISO27701 is a widely applicable standard and an internationally acknowledged framework that can provide useful guidance for integrating privacy governance into overarching risk management practices. The implementation of the PIMS does not require certification, although it might very well be a target to obtain external recognition for the efforts taken in the privacy space. In this respect, it is even expected that ISO 27701 might serve as the basis for a potential GDPR certification mechanism.