What’s the Deal with ISO 27701

By GRSee Team
Edited by Tom Rozen

Published December 2, 2024.


A company processing the data of millions of customers is expected to keep that data protected, not least to keep its reputation intact. A great deal of data is also transferred between organizations, whether between offices of the same company or with outsourcing partners. In GDPR and ISO 27701 terms, the parties involved are controllers or processors of personally identifiable information (PII). When data moves at that scale, data privacy becomes as important as data security, and robust security controls alone no longer suffice. Data security protects customers from breaches and attacks; data privacy governs how the company processes customer data, i.e. whether the data is used only for legitimate purposes. The latter is what most customers are concerned about today.

One of the most frequent questions GRSee Consulting hears from partners is which certification will demonstrate to internal and external stakeholders that effective privacy controls are in place. ISO 27701 is the closest thing to a certifiable standard for GDPR alignment. Note that it is not a GDPR certification in its own right (GDPR itself only provides for certification under Article 42), but it is the recognised way to show that privacy controls have been implemented and independently audited.

What is ISO 27701?

ISO 27701 was developed by the ISO/IEC technical committee in consultation with 25 external bodies, including the European Data Protection Board (EDPB). It specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS), and adds privacy-specific requirements, controls and control objectives on top of the ISO 27001 requirements and controls. It is an extension to ISO/IEC 27001 and ISO/IEC 27002: it enhances an existing Information Security Management System (ISMS) rather than replacing it.

Much like other ISO standards, ISO 27701 divides its content into clauses. Clauses 5 to 8 set out the additional requirements and amendments applied to ISO 27001 and ISO 27002: Clause 5 covers PIMS-specific requirements related to ISO 27001, Clause 6 covers PIMS-specific guidance related to the ISO 27002 controls, and Clauses 7 and 8 give additional guidance for PII controllers and PII processors respectively.

ISO 27701 requires the organization to identify its privacy-specific requirements within its context, including the applicable privacy legislation and the relevant interested parties. Its Clause 6 extends the ISO 27002 control guidance with PIMS-specific considerations that the organization must address. The standard also defines its own annexes of privacy controls: Annex A for PII controllers and Annex B for PII processors. These controls address many critical areas of data protection and privacy (purpose limitation, consent, data subject rights, sharing and transfer of PII, and so on) that are not covered by the ISO 27001 controls.

Note that although ISO 27701 is a complete framework for implementing a privacy management system, it must be implemented together with ISO 27001, because ISO 27701 certification is issued only as an extension of an ISO 27001 certification.

How do ISO 27001 and ISO 27701 work together?

ISO 27001 and ISO 27701 go hand in hand. ISO 27701 cannot be certified without an ISO 27001 ISMS in place, since its requirements are written as additions and amendments to ISO 27001 rather than as a stand-alone management system. So if you want ISO 27701 and a Privacy Information Management System, you also need to establish an Information Security Management System.

For any company to be ISO 27701 certified, it must first have an ISO 27001 system in place, and the two are normally audited together.

ISO 27701 and GDPR

Implementing ISO 27701 can help you align with GDPR and other privacy laws and regulations. GDPR grants data subjects a number of rights with the aim of giving them more control over their personal data, and it regulates the processing of personal data by controllers and processors. ISO 27701 similarly makes PII controllers (those who determine the purposes and means of processing personal data) and PII processors (those who process data on a controller's behalf) responsible for implementing controls. While GDPR is exhaustive in what it requires, it gives little guidance on how to implement the rights of individuals and the associated principles. ISO 27701, together with ISO 27001, provides that guidance: it is a set of best practices focused on the privacy of information, with practical advice on how the requirements of GDPR or similar privacy regulations can be met. Implementing ISO 27701 and getting certified to it therefore helps you demonstrate that most GDPR requirements are being addressed; it does not by itself constitute GDPR compliance, which remains a legal judgement for each processing activity.

To summarize, GDPR and other privacy laws require organizations to implement multiple measures and controls to assure their customers' privacy, but do not say how to do so. ISO 27701 gives organizations guidance on how to develop their PIMS and the relevant processes and controls. Also, where companies not only process large amounts of PII but also process it on each other's behalf, ISO 27701 gives each party assurance about the privacy controls of the other.

Implementing ISO 27701 along with ISO 27001 reduces the risk of security incidents and data breaches. It also demonstrates to your customers that your company has effective systems in place to protect the data of customers and other stakeholders and that the privacy of their data will not be compromised. This increases trust in your organization and makes customers more willing to do business with you.

So, how should you start? If you already have ISO 27001, you are one step closer to ensuring privacy. Check your current status against ISO 27701 by performing a gap analysis to understand what you need to do in order to comply with the standard.
