ISO 27701 arrives to guide privacy pros through the complexity of privacy implementation and Privacy by Design.
Within the press release and introduction released last month announcing the world’s first international standard for information privacy management, the International Standards Organization (ISO) noted that:

- Privacy has become a “significant business concern”
- Cybersecurity is “a growing concern”
- Costs of data breaches are rising
- Legal obligations are “increasingly stringent”
- Protection of privacy is a “societal need”
- The quantity and types of PII are increasing…
- …as are the variety of circumstances where organizations need to co-operate with one another to process it
- And finally, many organizations are simply not ready and need guidance
Quite a backdrop for a new, and clearly essential, ‘Privacy Information Management System’ (PIMS)!
So what do you need to know about it?
Most importantly, it supplements ISO 27001, the widely-adopted Information Security Management Standard. According to the ISO website, 27001 “is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.”
This is absolutely the right way to think of any PIMS – as an extension to the well-understood and widely-applied practical thinking of an ISMS. The symbiotic link between data security and data privacy is well-documented and obvious. Take the GDPR, for example, and the number of references within it to “technical and organisational measures.”
But still, making this theoretical link a reality – and going a long way towards achieving Privacy by Design in the process – remains complex. Not least because of the lack of a common language between Privacy pros and their IT and Security peers, as our Privacy Rosetta Stone project revealed.
Achieving Privacy by Design should be any data-centric business’ goal, and for that, Privacy and IT & Security need to collaborate effectively. This requires clear and transparent communication, which is notoriously uncommon between the two departments.
But if these two departments cannot communicate with each other clearly, then there is zero chance of the importance, requirements and urgency of privacy being communicated across the wider organization.
Thankfully, ISO 27701 helps bring the two parties together. It creates a common goal for data protection, using language that IT & Security will understand (it is based on “their” 27001 after all), while enforcing the practices that Privacy demands.
It does not totally fix the communication issue that is endemic between the two departments, but then it never intended to. It does, however, put Privacy into a practical IT & Security context. It outlines practical steps, measures and requirements that stop IT & Security thinking that privacy is not their territory, or worse, that it is solved simply by securing the network.
In essence, implementing ISO 27701 cuts to the chase. It helps you bypass the noise, frustration, misunderstanding and delay of typical Privacy-Security initiatives and helps you take meaningful steps faster towards a privacy-centric culture.
It can’t solve the problem entirely. Privacy and IT & Security still both need to work harder to improve the transparency and frequency of their communication, especially in more complex or innovative projects. But ISO 27701 lays strong foundations for effective collaboration and ongoing regulatory adherence.