ISO/IEC 27701 and Difference between Data Controller and Data Processor

Author: Dacey Lyle

The International Organization for Standardization (ISO) is a nongovernmental organization made up of national standards bodies that develops and publishes a wide range of proprietary, industrial, and commercial standards. In August 2019, ISO published ISO/IEC 27701:2019, a new international privacy standard on protecting and managing the processing of personal data. ISO 27701 is a privacy extension to the existing and widely adopted ISO/IEC 27001 and ISO/IEC 27002 information security standards, which ISO first published in 2005 and which define how to establish and run an Information Security Management System (ISMS). Audited ISO certifications are awarded to organizations that an independent, external auditor has assessed as meeting a specific, published standard. The auditors themselves are qualified against published ISO standards through the ISO 27000 series of certifications. ISO 27701 internal auditor training provides instruction and certification so that the trainee can perform an internal audit of any privacy information management system in accordance with the requirements of ISO/IEC 27701:2019.

The terms data controller and data processor have become far more widely used in recent years. Partly because of the significant rise in data breach scandals at tech giants, and partly because of the unprecedented media attention given to the enactment of data privacy regimes, every organization that holds any type of personal data should now be concerned with data privacy management. Information is now the most valuable asset, as the means of identifying and targeting audiences, and at a time when access to information is unprecedented in both scale and ease, the response from international cybersecurity experts has also been substantial. Part of that effort is the newly published ISO/IEC 27701, an international standard providing guidelines for the implementation, maintenance and continual improvement of a Privacy Information Management System (PIMS).

What is a Data Controller?

Multiple national and federal regulations and laws define the term Data Controller. During the 90s a handful of developed countries established and implemented data protection regulations in response to the global scale the internet was taking. But the regulation that really popularized the term "data controller" was the GDPR, which defines the scope and limits of the role as a legal requirement: a controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

The data controller is the entity, whether a person, an organization or several of them, that decides how and why the data is collected. The GDPR treats the data controller as the party primarily responsible for the most significant aspects of handling personal data. The data controller's responsibilities include the management of:

  • The collection of the data subject’s consent.
  • Revocation requests from data subjects.
  • The availability of information to data subjects under their right to information.
  • The approval and unequivocal statement of the reason for collecting the data.

In almost all cases the data controller is held responsible for data breaches, unauthorized access and nonconformity.

What is a Data Processor?

A processor means a legal person, public authority, agency or other body which processes personal data on behalf of the controller. Compared with previous data privacy regulations and laws, the GDPR extended the responsibilities of data processors and enlarged the number of areas in which they are held accountable.

Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Regulation and ensure the protection of the rights of the data subject. What this means, referring to the point made above about the controller being the principal responsible party, is that the controller must choose a processor which is fully compliant with the GDPR. The only way processors can demonstrate their compliance with the GDPR is through independent third-party audits, assessments and certification. It is also very important to note that the third party itself should be accredited.

What is the Difference Between Data Controller and Data Processor?

The difference between the controller and the processor is straightforward: the former collects the information and determines the purpose and means of processing it, and the latter is a service provider to the controller, because it processes the data on the controller’s behalf.