Why Was the ISO 27701 Privacy Information Management System Developed?

Author: Dacey Lyle

ISO/IEC 27701:2019 is a data privacy extension to ISO 27001. This published information security standard provides guidance for organizations looking to put in place systems to support compliance with GDPR and other data privacy requirements. ISO 27701, also abbreviated as PIMS (Privacy Information Management System), outlines a framework for Personally Identifiable Information (PII) Controllers and PII Processors to manage data privacy. Privacy information management systems are sometimes referred to as personal information management systems.

By enhancing an existing Information Security Management System, the standard decreases risk to the privacy rights of individuals and to the organization. It is a good way of demonstrating to customers, external stakeholders and internal stakeholders that effective systems are in place to support compliance with GDPR and other related privacy legislation. An experienced consultant, or anyone who is certified and has taken ISO 27701 lead auditor training, can help an organization achieve ISO 27701:2019 certification in a minimum time frame.

Why was ISO 27701 developed?

ISO 27701 was developed to provide a standard for data privacy controls, which allows an organization to establish effective privacy data management.

  • The data protection standard:

The Data Protection Act (DPA) came into law to control how personal or consumer data is used by organizations and government agencies. It safeguards individuals and establishes guidelines for the use of personal data. The General Data Protection Regulation (GDPR) seeks to establish a common set of data protection laws for all. Even if they are not in the country where their data is stored, GDPR makes it easier for EU citizens to understand how their data is being used and to file complaints if they have a problem with how their information is used. The ISO 27701 standard provides the framework for assisting, guiding, and demonstrating compliance with the DPA, GDPR and similar laws and regulations.

  • What’s personally identifiable information?

Personally identifiable information is data that can be used to identify a specific person. By itself, the information may not necessarily be sensitive but, when taken in context, this data can lead to a variety of conclusions about an individual or company. Personally identifiable information includes an individual’s name, address, birthday, national insurance number, phone number, email address, and so on. PII may also include electronic identifiers, like IP addresses, geolocation tags and ID numbers.

  • What is privacy information management?

Privacy information management covers the methods an organization has for collecting, processing, storing, and destroying personally identifiable information, also known as PII. Putting in place a privacy information management system ensures that organizations comply with regulations like GDPR. The penalty for breaching data protection legislation in the UK and EU can be serious.

  • What are the building blocks of the standard?

ISO 27701 is an extension of ISO/IEC 27001, which is one of the most commonly used international standards for information security management. If an organization is already familiar with ISO/IEC 27001, integrating the new privacy controls of PIMS may be relatively straightforward.