Privacy is the new security: This is borne out by the increasing public awareness of privacy issues and violations. This, in turn, is reflected in our legislation. Businesses around the world are feeling the dual impact of customer privacy expectations and legislative enforcement. General Data Protection Regulation (GDPR) fines are perhaps a useful gauge as to the impact that privacy is having on organizations. Up to March 2020, there had been almost half a billion euros in fines issued under GDPR.
By Al Mahdi Mifdal, Global ISO Assurance Practice Principal at Coalfire Systems
Understanding how to ensure that personal data is maintained in line with privacy regulations can be complicated. Data, especially when used across disparate cloud apps, has a complex life cycle, and mapping that data to regulatory requirements is a challenge. The challenge can be met using a structured approach based on standards and frameworks. To this end, ISO/IEC 27701:2019 “Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management” has entered the standards lexicon as an expansion of the better-known ISO/IEC 27001:2013 “Information technology - Security techniques - Information security management systems - Requirements” and ISO/IEC 27002:2013 “Information technology - Security techniques - Code of practice for information security controls”.
Here, I look at what this new standard is about and how it can benefit your business.
What is the Scope of the ISO/IEC 27701:2019 Standard?
ISO/IEC 27701:2019 was published in August 2019 as an addition to ISO/IEC 27001:2013. The new standard extends an Information Security Management System (ISMS) with guidelines on implementing a Privacy Information Management System (PIMS). In doing so, it adds a privacy dimension to the existing security arrangements.
ISO/IEC 27701 defines the need for an information classification system that covers Personally Identifiable Information (PII). In addition, ISO/IEC 27701:2019 gives implementation guidance for both PII controllers and PII processors, including when performing Privacy Impact Assessments (PIA) and when applying Privacy by Design. This maps the standard closely to the tenets of GDPR.
The standard came about as part of a general global movement towards ensuring that the handling of personal data meets privacy expectations. If your organization processes personal data or PII, whatever its sector or size, ISO/IEC 27701:2019 will be of benefit.
In terms of laws such as GDPR, the framework can be an invaluable asset. By following the PIMS guidelines within ISO/IEC 27701:2019, your organization gains a structured implementation path and advice on meeting the various data privacy requirements of GDPR. Holding ISO/IEC 27701:2019 certification will certainly help in meeting GDPR, but it also offers a more general validation of your business commitment to privacy.
ISO/IEC 27701:2019 is an extension to ISO/IEC 27001:2013. This means that your organization must either already meet, or be in the process of meeting, the ISO/IEC 27001:2013 standard before it can work towards expanding to ISO/IEC 27701:2019.
4 Business Benefits of ISO/IEC 27701:2019
Acquiring a certification such as ISO/IEC 27701:2019 can be resource intensive for a business. To justify going through the process to achieve any standard, you need sound reasons to do so. Because data privacy is such a high-profile issue, the benefits of holding ISO/IEC 27701:2019 can be distilled down to:
- Business Benefit One: Having a Framework to Work To
Meeting the privacy expectations of customers and of legislation such as GDPR can be a challenge. Privacy can be nuanced and require multiple layers of control and protection applied to personal data. Having a set of well-thought-out guidelines in the form of a framework helps to condense the requirements of a data protection law. ISO/IEC 27701:2019 is an internationally recognized standard that helps meet compliance obligations through a structured framework.
- Business Benefit Two: Trust
Trust is crucial for any online system or service that uses personal data, and privacy is a key part of building trust with a customer. If you demonstrate that your service is trustworthy, customers stay loyal. A survey by UK watchdog Ofcom on attitudes towards online trust found that 60% of respondents agreed with the statement “people who buy things online put their privacy at risk”. Improving this perception will encourage a more seamless interaction between customer and service. A Privacy Information Management System (PIMS) is designed to measure and map compliance with ISO/IEC 27701:2019 and, in turn, help an organization meet the requirements of GDPR.
- Business Benefit Three: Reputation
By showing that your organization holds ISO/IEC 27701:2019 certification, you demonstrate your commitment to building a trusted service that respects data privacy. A company's reputation as a privacy-respecting business is a valuable asset. A Ponemon Institute study demonstrates this, finding that 31% of consumers will stop using a company if a data breach happens.
- Business Benefit Four: Fines
As mentioned at the start of this article, GDPR fines are onerous. On analysis of the figures, CMS Law, which runs the ‘Enforcement Tracker’, found that most fines were issued because of “Insufficient technical and organizational measures to ensure information security”. By using the ISO/IEC 27701:2019 framework to implement the right privacy measures, you act to reduce your organization’s risk of being issued a GDPR fine.
Since the GDPR came into effect in May 2018, companies have scrambled to get structures in place to meet the law's stringent requirements. This has been a serious challenge, with mistakes made and fines issued. ISO/IEC 27701:2019 can help companies understand how to put effective measures in place to meet GDPR. It is also possible that a PIMS implemented using ISO/IEC 27701:2019 may be used in GDPR certification going forward, which would assist with compliance audits. ISO/IEC 27701:2019 is useful not only for GDPR but for any organization that wants to demonstrate to its user and customer base that it respects their personal data privacy.
About the Author
Al Mahdi Mifdal currently serves as the Global ISO Assurance Practice Principal at Coalfire Systems and manages ISO assurance services and programs for clients worldwide. He is an information security subject matter expert with over 12 years of senior information security compliance and consulting expertise for Fortune 500 companies, cloud service providers, Silicon Valley startups, and international companies in the healthcare, technology, and critical infrastructure sectors. Al Mahdi has extensive experience managing a wide range of consulting projects (Risk Management, Critical Infrastructure Protection, Security Operations Center Design, etc.) and compliance assessments (PCI, SOC, ISO 27001, HIPAA, etc.).
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.