ISO 27701 Privacy Management System: How useful is it?

ISO 27701 provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world. As privacy practice matures, many organisations are looking for a methodology to support the development of a global privacy program. But how useful will this new standard be for those looking for an easy-to-use, practical privacy management framework?

Background

The protection of an individual’s personal information is one of their fundamental human rights. Around the world, laws to protect these rights already exist, or are being implemented and strengthened in an environment where the processing of data related to personal lives is becoming increasingly globalized and concern about the handling of personal information is on the rise. The European GDPR is perhaps the best-known data protection law but many other countries, such as Korea, the Philippines and China, are also introducing data protection legislation.

Designing a system to manage compliance with these different requirements is one of the biggest challenges faced by any privacy professional working in a multi-national organisation or an organisation that supports clients across the globe.

Recognising the need for a common set of concepts to address the protection of personal data regardless of specific laws or regulatory requirements, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) created the new ISO 27701 standard to provide such guidance.

ISO 27701 provides a framework to help organizations demonstrate personal data protection and privacy compliance with different laws in a changing regulatory landscape. It is a privacy extension to ISO 27001 (Information Security Management) and ISO 27002 (Information Security Code of Practice). As an international management system standard, it supports independent certification, which can be a useful tool for organizations wanting to add credibility to their commitment to privacy and related obligations.

Benefits of ISO/IEC 27701:

  • International standard likely to be used by organisations around the world
  • Builds trust in managing personal information
  • Facilitates transparency between stakeholders and effective business agreements (by adherence to public standard)
  • Clarifies roles and responsibilities (recognises different roles of controllers and processors)
  • Supports compliance with privacy regulations
  • Reduces complexity by integrating with the leading information security standard ISO/IEC 27001

Issues with ISO/IEC 27701:

  • Must have an ISO 27001 ISMS in place for certification (which can be difficult for the privacy team to push)
  • Provides general guidance but leaves mapping of specific requirements to the implementers
  • Certification does not mean that the organisation is compliant with relevant laws and regulations
  • Can be expensive to implement and maintain
  • Requires some familiarity with the management system approach to support the planning and implementation phases
  • Potentially supports the conflation of security and privacy

Dependence on ISO 27001

At the highest level, ISO/IEC 27701 injects the consideration of privacy issues into the ISO/IEC 27001 information security management system and provides 60 new privacy controls to be considered as part of the implementation of controls to address identified privacy risks.

An example of how the standard works in practice is to compare the data breach management controls in ISO/IEC 27701 with the breach notification requirements (Article 33) in the GDPR. Although the standard’s security incident management controls map generally to the GDPR data breach requirements, the standard does not contain the specific 72-hour notification requirement that the GDPR imposes. For practitioners to demonstrate that the organization has implemented a management system that fulfils this particular GDPR requirement, they must show that the organization either has a uniform process in place that would notify the privacy regulator within 72 hours of breach confirmation, or has a process to determine whether the breach is covered by the GDPR and, if so, to trigger the notification within the required timeframe.

Mapping the standard against regulations, and enumerating each regulation’s unique requirements and the conditions under which they apply, is still left to the privacy professional who uses ISO/IEC 27701 to verify compliance against multiple privacy regulations.

ISO 27701 and BS 10012

BS 10012:2017+A1:2018 is a published standard specific to the UK. It provides a best practice framework for a personal information management system (PIMS) that is aligned to the principles of the GDPR. One of the key distinctions between ISO/IEC 27701 and BS 10012 is that ISO/IEC 27701 is structured so that the PIMS is an extension to the ISMS requirements and controls specified in ISO 27001, whereas BS 10012 is a standalone set of requirements that an organisation can be certified against (without requiring an existing ISO 27001 certification). This may be preferable for organisations not interested in pursuing ISO 27001 certification.

Another possible advantage of BS 10012 is that it has been developed to ensure compliance with the GDPR and so includes GDPR-specific control recommendations. For some organisations, particularly those located in the UK, BS 10012 may provide a better approach. In any case, it is a useful reference for GDPR-specific privacy controls.

ISO/IEC 27701 is a potential GDPR certification mechanism

One of the main reasons for considering an ISO 27701 certification is that it may be recognised as a ‘certification mechanism’ under the GDPR. The European GDPR refers to certification mechanisms for demonstrating compliance with the regulation (for example, pursuant to Article 42, as a basis for supporting cross-border data flows). Although none have been recognised to date, it is hoped that the ISO 27701 standard may be.

Good or Bad?

Take-up of ISO 27701 so far appears to be slow, though there is a high level of interest. Given the low number of ISO 27001 certifications, it may be that ISO 27701 suffers the same fate and is seen as too expensive and time consuming to implement and maintain. However, if the standard is recognised as a certification mechanism under the GDPR then expect this to change, particularly for Australian organisations who otherwise struggle to meet the cross-border transfer restrictions.

Some resources:

  • More information from BSI here.
  • Purchase a copy of the standard here.

Dr Jodie Siganto

5 May 2020