Privacy Information Management System (PIMS) Consulting Service
ISO/IEC 27701 provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002. It specifies PIMS related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
This assessment is beneficial to all types and sizes of organisations, including public and private companies, government entities and not-for-profit organisations, which are PII controllers and/or PII processors processing PII within an Information Security Management System (ISMS).
What are the potential benefits of implementing the ISO/IEC 27701 standard?
Some potential benefits that an organisation can gain by successfully implementing the ISO/IEC 27701 standard include, but are not limited to:
- Increasing client satisfaction as a result of the organisation being more transparent in their processing of client data
- Building and gaining client trust
- Protecting the organisation’s reputation
- Protecting the confidentiality and preserving the integrity of client data
- Emphasising the importance of dealing with client data
- Improving the technology and procedures for storing and managing client data
- Mitigating any security risks with regard to client data
- Assisting the organisation in demonstrating compliance with GDPR and other data protection laws, regulations, and standards
- Encouraging a continual improvement culture in the organisation
What is the relationship between ISO/IEC 27701 and GDPR?
The relationship ISO/IEC 27701 and GDPR could be summarized as in the following: GDPR Articles 5 to 49 (with the exception of Article 43) are all related to ISO/IEC 27701 requirements, as illustrated in Annex C of ISO/IEC 27701. Article 43, Certification bodies of the GDPR, is excluded from the related ISO/IEC 27701 requirements because it is solely for the accreditation of certification bodies in accordance with GDPR.
Furthermore, complying with a control requirement of ISO/IEC 27701 serves as evidence that a requirement of GDPR is also fulfilled. There are cases where multiple controls of ISO/IEC 27701 cover a specific GDPR requirement and others where one control of ISO/IEC 27701 covers several GDPR requirements. An example is the mapping of the 6.13.1.1 and 6.13.1.5 controls of ISO/IEC 27701 with Article 33 of GDPR. These controls of ISO/IEC 27701 provide guidance on the management of information security incidents, whereas Article 33 of GDPR presents requirements on the notification of a personal data breach to the supervisory authority. These two are linked by all measures, excluding the time frame required to notify the data subjects and the privacy regulators which, as required by law, is a period of 72 hours. This example shows that complying with the ISO/IEC 27701 standard will simultaneously assist the organisation to demonstrate compliance with GDPR. In general, the standard does not give specific details about the measures that should be taken to comply with control objectives and controls, leaving the decision to the implementer/organisation.