Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
For the first time since 2019, the International Organization for Standardization has updated its international standard for managing privacy compliance programs.
The international standard for "Information security, cybersecurity and privacy protection — Privacy information management systems — Requirements and guidance," ISO 27701, "specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System."
There are several significant changes in the updated ISO 27701. The standard is now a standalone management system, meaning organizations will no longer need to have an ISO 27001 certified Information Security Management System. However, those with an ISMS will be able to integrate the two management systems.
PIMS clauses
The updated standard outlines clauses that set out the high-level requirements of establishing a PIMS, which must be followed and implemented by any organization seeking certification.
Clause 4: Context of the organization. Like many other standards, ISO 27701 requires organizations to fully understand the context of their organization. This is achieved by determining the external and internal issues relevant to the PIMS, understanding the needs and expectations of interested parties — specifically those with interests or responsibilities when it comes to processing personally identifiable information — and determining the scope of the PIMS. This understanding must include the organization's role in relation to PII, whether as a controller, a processor, or both.
Clause 5: Leadership. The standard requires organizations to set a clear tone at the top in relation to the PIMS. This includes establishing an internal data privacy policy — not to be confused with the information to be provided to PII principals — and defining roles, responsibilities and authorities.
Clause 6: Planning. The standard establishes requirements to determine the risks and opportunities that need to be addressed to effectively implement the PIMS. It also requires an organization to define a process for identifying, assessing and evaluating risks associated with privacy protections.
Organizations must also define a privacy risk treatment process, including creating a statement of applicability that documents the controls identified as necessary to treat privacy risks. These controls can be taken from Annex A and any other source. Exclusion of any Annex A controls must be justified.
Under Clause 6, organizations must define a set of privacy objectives and detail how they will be measured and monitored.
Clause 7: Support. The standard requires organizations to determine and provide the resources needed to establish, maintain and improve the PIMS. This includes determining and evaluating the competency of anyone doing work under its control that affects the performance of the PIMS.
Organizations must maintain an appropriate level of awareness and communication with employees relating to privacy and the PIMS.
Information required by the standard — such as the data privacy policy, statement of applicability, and framework — must also be maintained and controlled.
Clause 8: Operation. Clause 8 sets out the requirements for performing the risk assessment and risk treatment processes established under Clause 6, and for documenting the results.
Clause 9: Performance evaluation. The standard requires organizations to monitor and measure the performance of the PIMS. Organizations must determine what, how and when the monitoring and measuring will be conducted.
There are specific requirements to create an internal audit program to ensure an organization complies with the requirements of the PIMS. Similarly, an organization must conduct regular management reviews where senior management reviews the PIMS to ensure continuing suitability, adequacy and effectiveness.
Clause 10: Improvement. The standard requires a commitment to continual improvement of the PIMS. This includes addressing identified non-conformities through the implementation of corrective actions.
Annex A: Controls
Annex A, which is broken into three tables, outlines the controls organizations can apply against the overall organizational privacy risk assessment. Organizations must justify the inclusion or exclusion of any controls.
Table A.1: Control objectives and controls for PII controllers
- Conditions for collection and processing — includes controls around lawful basis, consent, privacy impact assessments and contracts with processors.
- Obligations to PII principals — includes controls around ensuring organizations meet obligations around privacy rights such as access, correction and erasure.
- Privacy by design and by default — includes controls around purpose limitation, data minimization and storage limitation.
- PII sharing, transfer and disclosure — predominantly focuses on ensuring lawful sharing of PII, including with third parties and across jurisdictions.
Table A.2: Control objectives and controls for PII processors
- Conditions for collection and processing — includes controls to ensure processors only act under the instruction of the controller and in line with data processing agreements.
- Obligations to PII principals — contains a single control, ensuring the processor provides the controller with the means to comply with obligations around privacy rights.
- Privacy by design and by default — includes controls around the return, transfer or disposal of PII on behalf of the controller.
- PII sharing, transfer and disclosure — similarly focuses on lawful sharing of PII, with the addition of obligations to the controller, such as notification and the use of subcontractors/sub-processors.
Table A.3: Security considerations for PII controllers and processors
- This is a set of controls that have been extracted from ISO 27001 and adapted to be more specific to the protection of PII. These controls will be very familiar to anyone who has worked with ISO 27001.
Key takeaways
The standard is intentionally jurisdiction-neutral, meaning it might be a good fit for multinational organizations looking to create a unified privacy management framework.
It remains closely aligned to the EU and U.K. General Data Protection Regulation. The controls provided in Annex A contain many of the requirements of the GDPR — for example, all principles under the GDPR's Article 5 are contained within the controls. Terminology like "PII" and "privacy" is easily substituted for the more familiar and applicable European concepts.
As with any international standard, the document must be read and absorbed. Do not rely on guidance and commentary. Purchase an official copy of the standard from the ISO Store and read it directly. Then, use articles like this to gain understanding.
ISO 27701 is a "Type A" management system standard, meaning organizations can be certified by an external body as conforming to the standard. However, those seeking certification should ensure they use a certifying body registered with their national accreditation body.
The standard is part of ISO's "harmonized structure," meaning the clauses and terminology match many of its other standards. It can be integrated with other management systems, such as ISO 27001 or ISO 42001.
ISO 27701 offers a flexible framework for privacy management. However, like all ISO standards, it cannot be treated as a substitute for compliance with local laws and regulations.
Organizations may use the standard as a starting point but will still be required to put in a lot of legwork to implement an effective and compliant data protection and privacy compliance program.
Henry Davies, CIPP/E, CIPM, FIP, is the data protection officer at Birdie and is a member of the IAPP's Certification Advisory Board.