We have good news for those looking for help complying with the GDPR (General Data Protection Regulation): new guidance has been released on how to create effective data privacy controls.
ISO 27701 explains what organisations must do when implementing a PIMS (privacy information management system).
The advice essentially bolts privacy processing controls onto ISO 27001, the international standard for information security, and provides a framework to establish the best practices required by regulations such as the GDPR.
Organisations that are already ISO 27001 compliant will only have a few extra tasks to complete, like a second risk assessment, to account for the new controls. If you’re not familiar with ISO 27001, now is the perfect time to adopt it.
ISO 27701 and ISO 27001: privacy vs security
The main difference between the two standards is that ISO 27701 deals with privacy and the implementation of a PIMS, whereas ISO 27001 addresses information security and an ISMS (information security management system).
These are related concepts – data privacy violations and information security violations are both generally categorised as data breaches. However, they aren’t identical.
- Information security relates to the way an organisation keeps data accurate, available and accessible only to approved employees.
- Data privacy relates to the way an organisation collects personal data and prevents unauthorised use or disclosure.
For example, if an organisation collects excessive amounts of information on an individual, that’s a privacy violation. The same is true if an unauthorised employee or cyber criminal gets hold of the data.
When building an information security framework, organisations must take extra steps to ensure that privacy concerns are accounted for alongside security issues.
ISO 27701 addresses this by expanding on the clauses of ISO 27001, and the Annex A controls, that relate specifically to data privacy, and by providing two additional sets of controls: one specific to data controllers and one specific to data processors.
It also builds on the principle of information security by directing the reader to the more expansive privacy principles in ISO 29100. These cover a wider range of privacy concerns, including those discussed in data protection regulations internationally.
ISO 27701 and the GDPR
Although it has ‘data protection’ in its name, the GDPR is equally concerned about data privacy.
However, as you will have learned when implementing the Regulation’s requirements, the GDPR doesn’t include guidance on how to do so. This is to prevent it from becoming outdated as best practices evolve and new technologies become available.
That’s all well and good for the long term, but what are organisations supposed to do right now?
ISO 27701 answers that question, explaining how to ensure data privacy is addressed adequately.
It’s not your only option when it comes to compliance advice, though. ISO 27701’s framework is broad, so that it can help organisations comply with multiple privacy regimes. For example, many organisations might use the Standard to meet the requirements of the CCPA (California Consumer Privacy Act).
If your organisation needs to conform only to the GDPR and DPA 2018, you might find BS 10012 a better option.
However, if you’re looking for something more flexible – perhaps you need to assure non-UK stakeholders that you have adequate privacy controls in place – then ISO 27701 is more suitable.
Download our guide to learn more
This article is based on our free green paper ISO 27701 – Privacy information management systems.
The guide is ideal for organisations that want advice on how to strengthen their compliance posture and those that are familiarising themselves with privacy concerns and the GDPR. It explains:
- How ISO 27701 differs from and complements ISO 27001;
- The structure and requirements of ISO 27701;
- How ISO 27701 can help you achieve compliance with privacy laws like the GDPR and the DPA 2018; and
- Which additional requirements will apply if you already have an established ISMS.