Microsoft has launched a new open-source tool mapping ISO's global privacy standard, ISO/IEC 27701, to nine different privacy laws from around the world.
The “Data Protection/Privacy Mapping Project,” as it is named, maps ISO/IEC 27701 to the EU General Data Protection Regulation, California Consumer Privacy Act, Brazil’s General Data Protection Law, Australia’s Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act, Singapore’s Personal Data Protection Act, Hong Kong’s Personal Data Ordinance, South Korea’s Personal Information Protection Act, and Turkey’s Data Protection Law.
Privacy teams have been clamoring for such global charts, pinpointing where and how privacy laws line up.
With the number of data protection laws reaching into the hundreds and new legislation introduced weekly, privacy professionals are struggling to keep up. This new initiative could prove useful in addressing this challenge but is certainly not the first such attempt to create a global key to this complex map.
Privacy teams across industry often create their own internal rubrics as compliance reference points and privacy tech vendors incorporate such maps into their own software. As privacy professionals consider this new tool, one important consideration will be whether ISO/IEC 27701, designed intentionally to align with the GDPR, is the right reference point against which to map all these laws.
That question aside, one element that differentiates this initiative is the plan to crowd-source future contributions. While the current version maps the alignment of only nine laws, it is designed as an open-source tool, hosted on GitHub, to which anyone with relevant expertise can contribute.
The project was launched by Alex Li, Microsoft’s director of certification policy within its privacy and regulatory affairs team. Li explained the goal of the project is “to provide the global privacy engineering community a shared understanding of how the ISO/IEC 27701 controls relate to global regulatory requirements.”
When ISO/IEC 27701 was released, it already included a mapping to the GDPR. But, as Li notes, “however prominent, (the) GDPR is one of many data protection regulations. This project aims to engage the global privacy community to expand the scope of mapping to additional regulations to build a shared understanding of regulatory requirements and consistency in regulatory accountability around the world.”
Microsoft has also started hosting workshops with EU data protection authorities to discuss the potential of using ISO/IEC 27701 as the basis of a GDPR certification to achieve a similar aim.
Microsoft has enlisted two initial “data curators” to review and vet submissions of mappings to data protection laws from around the world.
Eric Lachaud, a senior IT consultant and guest researcher at the Department of Law, Technology, Markets, and Society at Tilburg University in the Netherlands, is one of these curators. Lachaud's research, which focuses on the contribution of certification to data protection regulation, aligns closely with the project’s goals. He explained his interest in the initiative and the value he thinks it offers to the privacy community. “There is a recurring need to bridge regulations worldwide in order to ensure interoperability between the frameworks,” he said, referencing the initiative launched by the French regulatory authority, the CNIL, several years ago to explore alignment between EU binding corporate rules and APEC Cross Border Privacy Rules.
“This tool could help the authorities and practitioners to build, test and possibly recognize 'official' correspondences,” he said, noting the tool “could help to identify certain patterns that could be used by the authorities to draft auditable and certifiable provisions.”
While the project aims to bridge the divide between technical and legal professionals, it could help the broader privacy community better understand how to implement a global privacy program. In the 2019 IAPP-TrustArc Measuring Privacy Operations Survey, 56% of respondents indicated they have a global privacy strategy.
Anecdotally, though, practitioners have said that a hybrid approach is often necessary to reflect local nuances or, in some cases, strategic deviations, such as in markets with data localization requirements.
The release of this open-source tool could help privacy professionals better understand those areas of convergence and divergence in today’s legal landscape. IAPP’s Westin Research Center has also published a mapping of ISO/IEC 27701 to IAPP’s CIPM and CIPP/E certifications to shed light on the professional skill set needed to implement a global privacy standard and will submit the mapping to this new initiative.
To learn more about the new tool or contribute to its development, visit here or, if attending RSA 2020, join our panel discussion on ISO/IEC 27701.