When the International Standards Organization published earlier this month the world's first international standard to help organizations manage information privacy, it noted that digital privacy has "become a significant business concern."
No doubt this has been demonstrated on the enforcement front in recent months. The U.S. Federal Trade Commission fined Facebook a record $5 billion in the same week that it fined Equifax $575 million. Each settlement also included board-level requirements and obligations. At the same time, supervisory authorities in the EU are beginning to ramp up enforcement actions under the General Data Protection Regulation. On top of that, the California Consumer Privacy Act is just months away from implementation. And the cost of data breaches is going up, according to IBM.
ISO/IEC 27701 is an extension of ISO/IEC 27001 — the commonly adopted security standard — and "specifies the requirements for establishing, implementing, maintaining and continually improving a privacy-specific information security management system," ISO's Clare Naden explained in the organization's blog post Aug. 6.
The standard's introductory paragraph paints a broader picture: "[T]he quantity and types of [personally identifiable information] processed is increasing, as is the number of situations where an organization needs to cooperate with other organizations regarding the processing of PII. Protection of privacy in the context of the processing of PII is a societal need, as well as the topic of dedicated legislation and/or regulation all over the world."
The new standard also applies to controllers and processors, as well as "all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations."
"This is an important standard," OneTrust Director of Privacy Andrew Clearwater, CIPP/US, said in a phone interview with the IAPP. OneTrust announced Monday that it is the first organization to achieve ISO 27701 certification.
"One thing stands out: It supplements ISO 27001 and we know that at least 60,000 organizations have certified to date," Clearwater noted, adding that attaching a privacy standard to such a commonly adopted security standard "gives privacy a visibility that wasn't there before. It ties risks to solutions within organizations, gives structure to accountability, promotes cross-team work between the security and privacy teams, and will help justify expenses for the privacy office."
Clearwater highlighted that 27701 calls for continual improvement to an organization's privacy management system and that privacy pros will benefit from this. "You can't say that 'we've made our GDPR investment, so let's wait for a new law to pass.' This is something that has to be maintained. The next year we have to show how the PIMS program improved year over year, that management has reviewed them and knows of the improvements," Clearwater said.
"Stagnation is not an option under management standards," he added.
Andreas Wolf, the chair of the ISO/IEC technical committee behind the standard, would agree. "ISO/IEC 27701 defines processes and provides guidance for protecting PII on an ongoing, ever evolving basis. Because it is a management system, it defines processes for continuous improvement on data protection, particularly important in a world where technology doesn't stand still," Wolf said in ISO's announcement.
The standard also maps well to the GDPR, but significantly, it is jurisdiction-agnostic and can be applied to any jurisdiction around the world. Julie Brill, Microsoft's corporate vice president and deputy counsel of privacy and regulatory affairs, described the standard as "groundbreaking" because "organizations of all sizes, jurisdictions, and industries can effectively protect and control the personal data they handle." She also noted Microsoft will implement the PIMS standard, which "will assist our customers and partners in adopting this interoperable model."
The standard also includes a statement of applicability, along with a set of controls. Since 27701 is an extension of 27001, privacy controls can be integrated with security controls under an integrated management system.
"It's like having two management systems under one roof," Clearwater explained. "I think the result of a combined control set will provide a new way for security and privacy teams to work together. This gives a level of clarity to the security team. These are control statements and security pros love control statements."
Though ISO 27701 maps to the GDPR, it is not yet clear whether it will become a foundation for GDPR certification. In discussing this topic, Clearwater was careful to explain that this is the first ISO management standard to reference material outside of ISO; the appendix includes a section on mapping to the GDPR. "Usually management standards only reference themselves, so for them not to do that signals an intent." But he also said that ISO 27701 is a management standard, whereas he expects a GDPR mechanism to cover a process, such as how best to handle employee data.
Having helped lead the effort to become the first organization to achieve the ISO certification, Clearwater has advice on what other organizations should think about when considering the standard. "Get responsible individuals together and review the standard," he said. "Understand the scope of the statement and its applicability and go through all the clauses. Make a decision on whether you are a controller or processor or both [OneTrust is both]."
But the biggest part of it? "You have to have a functioning, well-documented program that will respond to all these requirements. If you're behind on some of this or it's incomplete, this is the time to pick that up. Make sure you're ready for that third-party review and make sure you have real confidence," Clearwater said.
True, the regulatory ecosystem is growing more complex by the day, but ISO 27701 could be a boon to the industry. Matthieu Grall of the French data protection authority, the CNIL, contributed to the development of the standard, and said, "Organizations need to bring trust to their [supervisory] authorities, partners, customers and employers. Such a standard will contribute strongly to this trust."
Continuous improvement means that organizations using the standard will have to rely on the privacy office, and in turn, the privacy office will have documented proof that supports the need for a bigger budget.
Clearwater said the ISO 27701 certification will likely become "a prerequisite for many business transactions just as ISO 27001 is viewed today." And with that, he said, "This is a moment when, if the management team feels it needs to make an investment, privacy pros should take advantage of this opportunity."