ISO/IEC 27701 Privacy Information Management
Your implementation guide

What is ISO/IEC 27701?

ISO/IEC 27701 is the international standard for a Privacy Information Management System (PIMS). It’s a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls. It provides guidance and requirements on the protection of privacy, helping both personally identifiable information (PII) processors and PII controllers to put robust data processes and controls in place. This means you can demonstrate accountability for managing PII, instil trust and build strong business relationships.

Contents
• Benefits
• ISO/IEC 27701 clause by clause
• BSI Training Academy
• BSI Business Improvement Software

What kind of organizations can benefit from ISO/IEC 27701?

ISO/IEC 27701 is ideal for all types and sizes of organizations that want to demonstrate that they take protecting personal information seriously. Whether you’re a public or private company, government entity or not-for-profit organization, if your organization is responsible for processing PII within an information security management system then ISO/IEC 27701 is for you.

Specific organizational roles include:
• PII controllers (including those who are joint PII controllers)
• PII processors

Benefits of ISO/IEC 27701
• Supports compliance with privacy regulations
• Builds trust in managing PII
• Facilitates effective business relationships
• Reduces complexity by integrating with ISO/IEC 27001
• Clarifies roles and responsibilities

The key requirements of ISO/IEC 27701

Clause 1: Scope
This sets out the requirements for the management system and its intended application. ISO/IEC 27701 is aimed at providing requirements and guidance to establish, implement, maintain and improve a privacy information management system in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002. It is focused on both PII controllers and PII processors, who hold responsibility and accountability for processing PII.

Clause 2: Normative references
Normative references are documents referred to throughout a standard. For ISO/IEC 27701 these include:
• ISO/IEC 27000 Information security management systems – overview and vocabulary
• ISO/IEC 27001 Information security management systems – requirements
• ISO/IEC 27002 Code of practice for information security controls
• ISO/IEC 29100 Privacy framework

Clause 3: Terms and definitions
This section provides a couple of additional definitions for important terms used throughout the standard that are not included in ISO/IEC 27000 and ISO/IEC 29100.

Clause 4: General
This clause ‘sets the scene’ for ISO/IEC 27701. It provides an overview of the document’s structure and indicates, at a high level, the location of PIMS-specific requirements in relation to ISO/IEC 27001 and ISO/IEC 27002.

Clause 5: PIMS-specific requirements related to ISO/IEC 27001
This clause is all about extending information security requirements from ISO/IEC 27001 to incorporate the protection of privacy. As part of the context of the organization, you need to determine your role as a processor and/or controller and consider the impact of internal and external factors such as privacy-specific regulations and contractual requirements. Depending on your role, relevant controls from Annexes A and/or B need to be implemented and applied to your existing statement of applicability. You must also consider interested parties associated with processing PII, the scope of your PIMS and how you’ll effectively implement, maintain and continually improve the system.
Requirements for leadership, planning, support, operation, performance evaluation and improvement from ISO/IEC 27001 must be considered and extended as appropriate to ensure the protection of privacy. In particular, risks to information and to the processing of PII must now be assessed and treated appropriately.

Clause 6: PIMS-specific guidance related to ISO/IEC 27002
This clause is all about extending information security guidance from ISO/IEC 27002 to incorporate the protection of privacy. For example, organizations need to consider the additional implementation guidance around information security policies to incorporate relevant privacy statements, based on compliance, contractual and stakeholder requirements.

Clearer guidance is provided on roles and responsibilities in relation to PII processing. This includes awareness of incident reporting and the consequences of a privacy breach.

Guidance to ensure consideration of PII within your information classification is provided. You must understand the PII your organization processes, where it is stored and the systems it flows through. People must also be aware of what PII is and how to recognize it.

More detailed implementation guidance is included on incident management, removable media, user access on systems and services that process PII, cryptographic protection, re-assigning storage space that previously stored PII, back-up and recovery of PII, event log reviews, information transfer policies and confidentiality agreements. Plus, guidance in this clause encourages you to consider PII up front before data transmission on public networks, and as part of system development and design. Importantly, supplier relationships, expectations and responsibilities need addressing.

Clause 7: Additional guidance for PII controllers
This clause covers PIMS-specific implementation guidance for PII controllers. It relates to controls listed in Annex A.
For example, you need to identify the specific purposes for the PII you process and have a legal basis for processing it to comply with relevant laws. Updates should be made if the purpose for processing PII changes or extends. Guidance also outlines considerations of special category data and consent requirements, privacy impact assessment requirements to minimize risk to PII principals, contracts with PII processors and clear roles and responsibilities with any joint controllers.

You should make it clear to individuals whose PII you process why and how you process it, with a contact point for any requests. Detailed guidance is included on consent, withdrawals and PII access, correction or erasure. Third-party obligations, handling requests and automated decision-making guidance is also provided.

Finally, privacy by design for processes and systems should consider minimum requirements for collection and processing, the accuracy and quality of PII, limitations on the amount collected based on the purpose of processing and end-of-processing requirements. Importantly, PII sharing, transfer and disclosure guidance is outlined to help you transfer between jurisdictions with supporting records.

Clause 8: Additional guidance for PII processors
This clause covers PIMS-specific implementation guidance for PII processors. It relates to controls listed in Annex B. For example, customer contracts should address your organization's role as a PII processor to assist with customer obligations, including those of PII principals. Prior consent must be obtained to use PII for marketing and advertising purposes. Detailed guidance on helping your customer respond to individual requests, managing temporary files created during processing, returning, transferring or disposing of PII securely and appropriate transmission controls is included.
Finally, PII sharing, transfer and disclosure guidance is detailed to address jurisdictional transfers, third-party and sub-contractor requirements and management of legally binding PII disclosures. Guidance is outlined to identify and maintain the necessary records to help demonstrate compliance with the agreed PII processing you conduct.

Annexes

A number of annexes are included in ISO/IEC 27701. Annexes A and B are for controllers and processors respectively, whilst Annexes C – F provide additional knowledge that can support setting up and operating an effective PIMS.

Annex A: A list of controls for PII controllers. Not all controls will be required; however, a justification for excluding any control is required in the statement of applicability.

Annex B: A list of controls for PII processors. Not all controls will be required; however, a justification for excluding any control is required in the statement of applicability.

Annex C: Mapping of controls for PII controllers to the ISO/IEC 29100 privacy principles. This gives an indication of how compliance with the requirements and controls of ISO/IEC 27701 relates to the privacy principles in ISO/IEC 29100.

Annex D: Mapping of ISO/IEC 27701 clauses to GDPR Articles 5 to 49 (except 43). This shows how compliance with the requirements and controls of ISO/IEC 27701 can be relevant to fulfilling the obligations of GDPR.

Annex E: Mapping of ISO/IEC 27701 clauses to:
• ISO/IEC 27018 requirements for PII processors in public clouds
• ISO/IEC 29151 for additional controls and guidance for PII controllers

Annex F: Details how to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002. It clearly maps the extension of information security terms to incorporate privacy and includes some examples for application.

Train with BSI

BSI is a world leader in helping clients develop the knowledge and skills they need to embed excellence in their organizations.
Whether your organization is going to certify or is simply looking to implement a privacy information management system, our training courses will help you embed the knowledge and maximize your ISO/IEC 27701 performance.

ISO/IEC 27701 courses include:

ISO/IEC 27701 Requirements
• One day
• Learn what a PIMS is and understand the ISO/IEC 27701 requirements

ISO/IEC 27701 Internal auditor
• One day
• As an existing ISO/IEC 27001 auditor, learn how to conduct audits against ISO/IEC 27701

ISO/IEC 27701 Implementation
• Two days
• Get the skills to implement an ISO/IEC 27701 privacy information management system

BSI Business Improvement Software
Gain insight and deliver continual improvements

Ensure you get the most from your ISO/IEC 27701 investment with our Business Improvement Software – a solution that can help you effectively manage your privacy information management system. With preconfigured ISO content, it gives you the tools and information necessary to manage essential elements of your PIMS. The start of your ISO/IEC 27701 journey is an ideal time to implement BSI Business Improvement Software and benefit from:
• Effective document control
• Visibility of site and certificate performance
• Ability to log, track and manage actions related to audits, incidents/events, risk and performance
• Insight into trends that help you make business decisions to drive improvement through its customizable dashboards and reporting tools

Why BSI?

For over a century BSI has championed what good looks like and driven best practice in organizations around the world. This includes the production of BS 7799, now ISO/IEC 27001, the world’s most popular information security standard. And we haven’t stopped there, addressing new emerging issues such as cyber, cloud security and now privacy with ISO/IEC 27701. That’s why we’re best placed to help you.
With the technical know-how and a network of industry experts, academics and professional bodies, we are committed to driving the privacy agenda for both organizations and society. To learn more, please visit: bsigroup.com

Find out more
Call: +44 (0)345 080 9000
Visit: bsigroup.com

Copyright © 2019, The British Standards Institution. All rights reserved.

About BSI

BSI is the business improvement company that enables organizations to turn standards of best practice into habits of excellence. Working with over 86,000 clients across 193 countries, it is a truly international business with skills and experience across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient.

Privacy matters
Managing personal information with ISO/IEC 27701
A BSI whitepaper for business

Introduction

Digitalization, globalization and personalization of services, from booking a doctor’s appointment to internet banking, have led to greater collection and processing of personal information than ever before. And this trend is growing as opportunities for new services arise and new players enter the market. There are now so many different platforms people use as part of their daily routine where personal information is collected, such as the growth in mobile applications, loyalty schemes, connected devices and location-based advertising. This means we are regularly handing over our data without thinking it through, creating more data flows than ever before. And whether it’s dating sites, telecoms providers or public service organizations, there is barely a day that goes by when you look at the news and don’t see reference to a data breach where personal records have been compromised.
This has only increased the focus on issues surrounding the misuse of personal information, meaning organizations cannot afford to be complacent. Greater awareness of these issues has led to growing concern, among both individuals and governments, around how personal data is collected, used and protected; in response, some governments have proposed or enacted new regulations aimed at providing guidelines and requirements for the treatment of personal data. Within Europe, the introduction of the General Data Protection Regulation (GDPR) provides a harmonization of data privacy laws that reflects the realities of the digital world we now live in. Many other countries, such as Korea, Australia and China, are also creating data protection legislation.

In anticipation of the increased regulatory environment and a need for a common set of concepts to address the protection of personal data, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have taken the initiative to create standards to provide such guidance. These standards have the benefit of providing frameworks for assisting organizations to demonstrate personal data protection and privacy compliance with different laws in a changing regulatory landscape. Certification may also be a useful tool for organizations to add credibility to their commitment to privacy and related obligations.

Managing personal information

Given the dynamic environment in which we operate, the need for guidance on how organizations should manage and process data to reduce the risk to personal information is becoming more important. Guidance, in the form of a new international standard, on how organizations should manage personal information and assist in demonstrating compliance with updated privacy regulations around the world is therefore very powerful. That’s why ISO/IEC 27701 for privacy information management has been developed.

What is ISO/IEC 27701?
This new international standard is officially called ISO/IEC 27701 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines). As many organizations have implemented an Information Security Management System (ISMS) based on ISO/IEC 27001 and using the guidance from ISO/IEC 27002, it’s a natural step to provide guidance for the protection of privacy that builds on this strong foundation.

ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 and provides additional guidance for the protection of privacy, which is potentially affected by the collection and processing of personal information. The design goal is to enhance the existing ISMS with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for personally identifiable information (PII) controllers and PII processors to manage privacy controls so that the risk to individual privacy rights is reduced (see Table 1). These additional requirements and guidance are written in such a way that they are practical and usable by organizations of all sizes and cultural environments.

Table 1 – Personal information management roles

PII Controller: Collects personal information and determines the purposes for which it is processed. More than one organization can act as PII controller, often known as co-controller, and this is where data-sharing agreements may be necessary.

PII Processor: Processes personal information on behalf of, and only according to the instruction of, the PII controller.
How ISO/IEC 27701 helps PII controllers
• Provides best practice guidance
• Gives transparency between PII controllers
• Provides an effective way to manage PII processes

How ISO/IEC 27701 helps PII processors
• Provides best practice guidance
• Gives reassurance to customers that PII is effectively managed

ISO/IEC 27701: developing the standard

ISO/IEC 27701 was drafted by the ISO/IEC Working Group responsible for ‘Identity Management and Privacy Technologies’. Its development was led by a BSI-nominated Project Editor; BSI was appointed by the UK Government as the National Standards Body and represented UK interests at both ISO and the IEC.

It’s intended that organizations will certify to ISO/IEC 27701 as an extension to an ISO/IEC 27001 management system. In other words, organizations planning to seek ISO/IEC 27701 certification will also need ISO/IEC 27001 certification. This demonstrates commitment to both information security and privacy management.

How ISO/IEC 27701 fits in

Requirements and guidance for the protection of personal information vary depending upon the context of the organization and where national laws and regulations are applicable. ISO/IEC 27001 requires that this context be understood and taken into account. ISO/IEC 27701 gets more specific. It includes mappings to:
• the privacy framework and principles defined in ISO/IEC 29100
• ISO/IEC 27018 and ISO/IEC 29151, which both focus on PII

However, all these mappings need to be interpreted to take into account local laws and regulations. It is also worth noting that ISO/IEC 27701 is applicable to all organizations that act as processors, controllers or both; ISO/IEC 27018 applies specifically to public cloud providers.

BS 10012:2017+A1:2018* is a published standard specific to the UK. It provides a best practice framework for a personal information management system that is aligned to the principles of the European Union (EU) GDPR.
One of the key distinctions between ISO/IEC 27701 and BS 10012 is that ISO/IEC 27701 is structured so that the PIMS can be considered an extension to ISMS requirements and controls. ISO/IEC 27701 can be used by PII controllers (including those who are joint PII controllers) and PII processors (including those using subcontracted PII processors).

An organization complying with the requirements in ISO/IEC 27701 will generate documented evidence of how it handles the processing of personal information. This evidence may be used to facilitate agreements with business partners where the processing of personal information is mutually relevant. This might also assist in relationships with other stakeholders. The use of ISO/IEC 27701 in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence, although compliance with these documents cannot be taken as compliance with laws and regulations.

Benefits of ISO/IEC 27701
• Gives transparency between stakeholders
• Helps build trust
• Provides a more collaborative approach
• More effective business agreements
• Clearer roles and responsibilities
• Reduces complexity by integrating with ISO/IEC 27001

*An amendment to BS 10012:2017 was published in 2018 (BS 10012:2017+A1:2018). This amendment covers minor changes to some clauses of BS 10012:2017; these changes have been made to reflect the UK Data Protection Act 2018.

To validate that the relevant operational controls from the standard are implemented consistently, and to carry out the compliance requirements of relevant privacy regulations, measures must be taken to:
1. map the relevant regulatory requirements against the standard’s controls
2. enumerate specific regulatory requirements that are not already fully captured by the standard’s controls, and the conditions under which those requirements become applicable
3. incorporate the above into the risk assessment process in the audit cycle

A good example to examine is the data breach management controls in ISO/IEC 27701 and the breach notification requirements (Article 33) in GDPR. By all measures, the standard’s security incident management controls map squarely onto the GDPR data breach requirements. But the standard does not contain the specific 72-hour notification deadline required by the law. For practitioners to demonstrate that the organization has implemented a management system that fulfils this particular GDPR requirement, they must show the auditors that the organization either has a uniform process in place that would notify the data subjects and the privacy regulators within 72 hours of breach confirmation, or has a process to determine whether the breach involves European citizens or whether the breached data processing took place in Europe and, if so, to trigger the notification within the required timeframe. Mapping the standard against regulations, and enumerating unique regulatory requirements and their applicable conditions, are the mechanisms by which controllers and processors can use ISO/IEC 27701 to verify regulatory compliance against multiple privacy regulations.

Data privacy laws

As the challenge increases for organizations to keep data secure and minimize the risk of a breach, it’s unsurprising to see privacy laws evolving to keep up with the changing business landscape. Most notably, the EU GDPR has received a lot of attention. The GDPR is EU law for the preservation of fundamental rights and freedoms, in particular that everyone has the right to the protection of personal information concerning them.
These rights must also be preserved in respect of data processing activities and the free flow of personal information between EU Member States. The processing of data should be for the benefit of the natural persons to whom the data belongs. Similar laws exist around the world to protect the personal information and rights of citizens, including some sector-specific requirements in healthcare, retail and banking.

Healthcare sector

As a sector that collects some of the most sensitive personal information, healthcare-specific data protection laws are very prominent. For example, the French Public Health Code (Article L.1111-8) requires service providers who host certain types of health/medical data to be accredited for this activity. And the Health Insurance Portability and Accountability Act in the United States sets the standard for sensitive patient data protection and requires U.S. health plans, healthcare clearing houses and healthcare providers, or any organization or individual who acts as a vendor or subcontractor with access to personal health information, to comply.

It is also important to highlight the European Digital Single Market. This is a policy, announced in 2015, that covers digital marketing, e-commerce and telecommunications. It aims to open up opportunities for people and businesses, breaking down existing barriers. It has three core pillars:
• Access to online products and services
• Conditions for digital networks and services to grow and thrive
• Growth of the European digital economy

It facilitates cross-border data processing and commerce. However, differences in data privacy laws across member states of Europe were recognized as a barrier to the European Digital Single Market being a success. Therefore, the introduction of GDPR to help harmonize data privacy across all of Europe is a positive step change.
Certification mechanisms to help demonstrate compliance with data protection laws

The GDPR encourages data protection certification mechanisms and data protection seals and marks to be established to help demonstrate compliance with the regulation of processing operations by controllers and processors (GDPR (EU) 2016/679, Article 42). Plus, such certification or seals can be used to show that an organization has taken the right measures to handle personal information in a way that aligns with the GDPR.

Consistent certification mechanisms can bring the all-important ‘accountability’ factor into the picture, facilitating the reduction of risk and improving the free flow of personal information. This helps organizations provide useful services, whilst increasing transparency of the process and showing integrity to customers on the protection of personal information, as illustrated in Figure 2. It also brings to the surface the importance of data processing to supply chain management, as the controller is responsible for the data from cradle to grave.

Consider a product such as a credit card that is co-branded by an airline and a bank. Customer information from both sides would need to be exchanged to identify which customers are likely to take up such a product. The exchange of a customer’s personal information introduces a risk. How does each side verify that the other will adequately protect their customer’s data? The risk is exacerbated as further players are involved. A marketing company may be contracted to target customers, perhaps even buying adverts on a social media platform. A cloud service might also be used by the marketing company to store and process data related to this marketing campaign. Certification can serve as an independent verification that proves the effectiveness of the process and controls the organization uses to assess the risk of exchanging personal information between organizations throughout the supply chain.
However, as depicted in Figure 2(a), if one organization uses a certification scheme in one jurisdiction, and another is certified to a different scheme that is applicable in another jurisdiction, this may not provide the necessary assurance or level of trust to business partners that personal information belonging to their customers is being properly treated. Given the global nature of business, a consistent and uniform assurance mechanism is required to show that organizations comply with regulations, protecting personal information and providing an enabler for business growth, as depicted in Figure 2(b). A common GDPR certification recognized across jurisdictions and industry verticals is necessary to mitigate risk and lower barriers to trade between commercial partners.

Figure 2 – Enabling commerce through consistent data privacy certification mechanisms. (a) Fragmented certification between organizations. (b) Consistent certification.

This sentiment is echoed by the European Union Agency for Network and Information Security (ENISA), which recently published recommendations on certification for GDPR [ENISA: Recommendation on European Data Protection Certification, Version 1.0, November 2017; https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification]. ENISA states that certification, seals and marks have a significant role to play in enabling data controllers to achieve and demonstrate compliance of their processing operations with GDPR provisions. ENISA recommends that national certification bodies and supervisory authorities, under the guidance and support of the European Commission and European Data Protection Board, should pursue a common approach on the inception and deployment of GDPR certification mechanisms. They also recommend that the approach is scalable and uses approved and widely adopted criteria.
Consistency and harmonization of certification mechanisms across Europe are emphasized, and trustworthiness and transparency are reinforced as important traits of the certification process.

ISO/IEC 27701 is a potential certification mechanism

ISO/IEC 27701 addresses the recommendations above and, it’s anticipated, could be used as the basis of a certification mechanism (as stipulated by Article 42). If used in such a way, it would provide the necessary proof that an organization treats the personal information of its customers in compliance with the law, including in the case of cross-border data flows.

ISO/IEC 27701 is applicable to organizations of all sizes and cultural environments. It covers the collection and processing of the PII of both employees and customers. The set of controls being developed extends technical measures for implementing information security to also address privacy requirements and, if implemented by an organization, can assist in demonstrating compliance with data privacy laws such as GDPR.

Therefore, demonstrating compliance with the controls in ISO/IEC 27701 and generating the required documentation as evidence of how an organization handles PII can:
• significantly reduce compliance workloads by negating the need to support multiple certifications
• increase trust between organizations and customers by demonstrating compliance with data privacy laws
• generate evidence that Data Protection Officers can provide to senior management and board members to show their progress in privacy regulatory compliance
• increase the opportunities for business and commerce through the EU Digital Single Market and cross-border data flows

Furthermore, the intended application of ISO/IEC 27701 is to augment the existing ISMS with privacy-specific controls and create a PIMS that enables effective privacy management within an organization.
With a well-established network of auditors providing certification against ISO/IEC 27001, which is commonly accepted as a successful standard for information security, ISO/IEC 27701 is in a very good position to be integrated into existing audit processes.

ISO/IEC 27701 was developed through recognized consensus-driven processes; this is one of the key tasks in developing the standard. There has been input and review from a range of industry and regulatory stakeholders; this includes participation and review by the European Data Protection Board (previously the Article 29 Working Party), consisting of Data Protection Authorities (DPAs) from all EU countries. DPAs, as well as accreditation bodies for auditors, will need to be satisfied that a certification mechanism based on ISO/IEC 27701 adequately assists organizations from all industry sectors and of all sizes to demonstrate compliance with privacy regulations. Additionally, a certification mechanism must address the needs of controllers and processors, both of which have numerous controls defined for them in ISO/IEC 27701.

Importance of stakeholder engagement

As mentioned above, ISO/IEC 27701 is an extension to ISO/IEC 27001, and the standard is structured in the ISO management systems convention (commonly referred to as ‘Annex SL’), allowing multiple management systems to be implemented more efficiently by an organization. Figure 3 shows the landscape of stakeholders and the importance of their roles. By already working with the existing ISO/IEC 27001 ISMS, all these stakeholders will be in a very good position to work with ISO/IEC 27701. They all share common objectives on personal information management and the need for a recognized approach to show it is being taken seriously, which is where the role of ISO/IEC 27701 comes in.

Figure 3 – Stakeholder landscape for certification based on ISO/IEC 27701 (source: Microsoft).
[Figure 3: the stakeholders shown are Controllers, Processors, Consultants, Auditors and DPAs, with roles including implementing a PIMS, helping the DPA and national accreditation authorities carry out GDPR Articles 42 and 43, initiating and carrying out certification processes, and providing a network of accredited auditors and consultants to assure a consistent baseline across Europe and the world. Common objectives: demonstrate the visibility of PIMS at scale across the market; encourage adoption of pan-European GDPR certification; demonstrate to the market that a PIMS holds up as a comprehensive GDPR evidence set.]

Conclusions

To conclude, managing personal information in compliance with the evolving regulatory landscape is complex but cannot be ignored. The protection of an individual’s personal information is one of their fundamental human rights. Laws exist around the world to protect these rights in an environment where business and data related to personal lives are becoming increasingly globalized. The European GDPR has been introduced to ensure that the collection and processing of PII are conducted lawfully, and it supports the cross-border data flows required to enable the EU Digital Single Market.

The European GDPR recognizes that certification mechanisms for demonstrating compliance with regulations go a long way to increasing trust in how organizations treat personal data, whilst creating business opportunities through providing assurance between organizations. This is especially true if certification is implemented consistently between EU member states and beyond the borders of Europe to enable global commerce and business. The introduction of ISO/IEC 27701 is a necessary addition to the existing standards portfolio. Implementing the controls specified in ISO/IEC 27701 should enable an organization to document evidence of how it handles the processing of personal information.
Such evidence may be used to facilitate agreements with business partners where the processing of personal information is mutually relevant and in the event of gaining a widely accepted certification mechanism, can assist in demonstrating compliance with data protection laws such as GDPR. 11 Privacy Matters Working with over 86,000 clients across 193 countries, BSI is a truly international business with skills and experience across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient. Our products and services Knowledge Assurance Compliance The core of our business centres on the knowledge that we create and impart to our clients. In the standards arena we continue to build our reputation as an expert body, bringing together experts from industry to shape standards at local, regional and international levels. In fact, BSI originally created eight of the world’s top 10 management system standards. Independent assessment of the conformity of a process or product to a particular standard ensures that our clients perform to a high level of excellence. We train our clients in world-class implementation and auditing techniques to ensure they maximize the benefits of standards. To experience real, long-term benefits, our clients need to ensure ongoing compliance to a regulation, market need or standard so that it becomes an embedded habit. We provide a range of services and differentiated management tools which help facilitate this process. Find out more about ISO/IEC 27701 with BSI BSI UK 389 Chiswick High Road London W4 4AL United Kingdom T: +44 345 086 9001 E: [email protected] bsigroup.com Call 0345 080 9000 or visit bsigroup.com/iso27701-UK © 2019 The British Standards Institution. All Rights Reserved. 
Why BSI?

BSI has been at the forefront of information security standards since 1995, having produced the world’s first such standard, BS 7799, now ISO/IEC 27001, the world’s most popular information security standard. And we haven’t stopped there, addressing new and emerging issues such as privacy, cyber and cloud security. That’s why we’re best placed to help you.

BSI/UK/1591/SC/0719/EN/GRP

ISO/IEC 27701 Privacy Information Management System
Accountability and trust for personal information

Protecting personally identifiable information (PII) has never been so important. Individual privacy rights allow people to decide how their personal data is managed, and organizations increasingly have a legal obligation to respond. With the quantity of sensitive information multiplying, and technology making it easier to transfer and more readily available, organizations need to respond. That’s where ISO/IEC 27701 can help.

What are the benefits of ISO/IEC 27701?

ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls. An international standard for a privacy information management system (PIMS), it provides guidance on the protection of privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy regulations around the world. It helps both PII processors and PII controllers to put robust data processes and controls in place, which means you can not only demonstrate accountability for managing PII but also instil trust and build strong business relationships.

Strategic governance

Organizations need the agility to respond to changing technologies and associated regulations. That’s where top management engagement and alignment with your organization’s strategy is key. ISO/IEC 27701 provides a governance framework for managing PII.
It builds upon internationally recognized information security governance, and both require top management engagement.

Privacy compliance

Privacy laws and regulations differ between countries and states. They focus on an individual’s nationality, as well as where they live, which can add a layer of complexity for organizations that operate in a global context. ISO/IEC 27701 requires the context of PII processing to be understood and accounted for, so that organizations respond to all relevant jurisdictional differences.

Relationship management

Alignment between business partners and stakeholders has never been so important. The transfer of data and sharing of PII between different organizations and countries needs clear agreements, as well as defined roles and responsibilities. ISO/IEC 27701 requires processes to be agreed and provides guidance on the different roles and responsibilities of processors and controllers to help facilitate these relationships.

An integrated approach

ISO/IEC 27701 has been developed to minimize the complexity of multiple stand-alone systems. It extends ISO/IEC 27001 for information security and uses the ISO high level structure (HLS), which brings a common framework to all management systems. By implementing a PIMS, you not only gain greater effectiveness and efficiency in your information security management, but you can also integrate with other popular systems such as ISO 22301 business continuity management.

At BSI we have the experience, the experts and the support services to help you get the most from ISO/IEC 27701.

ISO/IEC 27701 certification journey

Whether you’re new to privacy management or looking to enhance an existing information security and privacy system, certification to ISO/IEC 27701 provides confidence and trust in the way you manage privacy. It demonstrates that you have taken accountability for processing PII in a secure and compliant way. No matter where you are in your journey, our team are on hand to support you.
[Certification journey diagram; stages shown: get a copy of the standard; Privacy Information Management System development; optional gap assessment; application; stage one assessment audit; stage two certification audit; corrective actions; audit report; onsite certification; surveillance audits; Privacy Information Management continuous development. Also shown: management system software to capture and manage your audits, findings, incidents and risks.]

Our ISO/IEC 27701 journey builds upon ISO/IEC 27001 certification. If you’re certified to ISO/IEC 27001, talk to us about the option of combined audit days.

Privacy information management training courses

Get the skills to maximize ISO/IEC 27701 for your organization. Our training courses will help you understand the ISO/IEC 27701 standard and its agreed terms and definitions. You can build on this knowledge to learn how to implement or audit a PIMS so that it delivers value for your organization. Our courses include:
• ISO/IEC 27701 Requirements – one-day introduction
• ISO/IEC 27701 Implementation – two-day implementation techniques
• ISO/IEC 27701 Internal auditor – one-day course for existing ISO/IEC 27001 auditors to learn ISO/IEC 27701 auditing techniques
Our courses use a high-impact, accelerated learning approach, proven to enhance knowledge retention and skill application.

Why BSI?

For over a century BSI has championed what good looks like and driven best practice in organizations around the world. This includes the production of BS 7799, now ISO/IEC 27001, the world’s most popular information security standard. And we haven’t stopped there, addressing new and emerging issues such as cyber, cloud security and now privacy with ISO/IEC 27701. That’s why we’re best placed to help you. With our technical know-how and network of industry experts, academics and professional bodies, we are committed to driving the privacy agenda for both organizations and society. For more information on ISO/IEC 27701 from BSI, please contact your local office.

BSI/UK/1637/SC/1019/EN/GRP
Details available at: bsigroup.com
ISO/IEC 27701 International Privacy Information Management System, August 2019

ISO/IEC 27701 Privacy Information Management
Comparing ISO/IEC 27701 and BS 10012: mapping guide

Mapping ISO/IEC 27701 to BS 10012:2017

BS ISO/IEC 27701:2019 Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to the information security standards BS EN ISO/IEC 27001 and BS EN ISO/IEC 27002. It is the first international management system standard to help organizations manage personally identifiable information and respond to jurisdictional differences in privacy regulations globally. BS 10012 Data protection – Specification for a personal information management system, by contrast, is a British standard aligned to the GDPR and the UK Data Protection Act 2018 that is used by organizations globally to put processes and controls in place to manage personal information.

This guide shows how the different clauses in ISO/IEC 27701 map to the clauses in BS 10012. It is designed for guidance purposes only and aims to help you understand the degree of correspondence between the two standards and the different ways in which they express privacy requirements.
ISO/IEC 27701 clause and topic → BS 10012 topic (clause)

5.2.1 Understanding the organization and its context → Understanding the organization and its context (4.1)
5.2.2 Understanding the needs and expectations of interested parties → Understanding the needs and expectations of interested parties (4.2)
5.2.3 Determining the scope of the information security management system → Determining the scope of the personal information management system (4.3)
5.2.4 Information security management system → Personal information management system (4.4)
5.3.1 Leadership and commitment → Leadership and commitment (5.1)
5.3.2 Policy → Policy (5.2)
5.3.3 Organizational roles, responsibilities and authorities → Organizational roles, responsibilities and authorities (5.3)
5.4.1 Actions to address risks and opportunities → Actions to address risks and opportunities (6.1)
5.4.2 Information security objectives and planning to achieve them → Embedding the PIMS in the organization's culture (5.4); PIMS objectives and planning to achieve them (6.2)
5.5.1 Resources → Resources (7.1)
5.5.2 Competence → Competence (7.2)
5.5.3 Awareness → Awareness (7.3)
5.5.4 Communication → Communication (7.4)
5.5.5 Documented information → Documented information (7.5)
5.6.1 Operational planning and control → Operational planning and control (8.1)
5.6.2 Information security risk assessment → Risk assessment and treatment (8.2.3)
5.6.3 Information security risk treatment → Risk assessment and treatment (8.2.3)
5.7.1 Monitoring, measurement, analysis and evaluation → Keeping PIMS up to date (8.2.5); Maintenance (8.2.13); Monitoring, measurement, analysis and evaluation (9.1)
5.7.2 Internal audit → Internal audit (9.2)
5.7.3 Management review → Management review (9.3)
5.8.1 Nonconformity and corrective action → Nonconformity and corrective action (10.1); Preventative actions (10.2)
5.8.2 Continual improvement → Continual improvement (10.3)

6.2.1 Management direction for information security → Policy (5.2)
6.3.1 Internal organization → Embedding the PIMS in the organization's culture (5.4); Key appointments (8.2.1)
6.3.2 Mobile devices and teleworking → Security issues (8.2.11)
6.4.1 Prior to employment → Training and awareness (8.2.4)
6.4.2 During employment → Training and awareness (8.2.4)
6.4.3 Termination and change of employment → Training and awareness (8.2.4)
6.5.1 Responsibility for assets → Identifying and recording uses of personal information (8.2.2)
6.5.2 Information classification → Identifying and recording uses of personal information (8.2.2)
6.5.3 Media handling → Security issues (8.2.11)
6.6.1 Business requirements of access control → Security issues (8.2.11)
6.6.2 User access management → Security issues (8.2.11)
6.6.3 User responsibilities → Security issues (8.2.11)
6.6.4 System and application access control → Security issues (8.2.11)
6.7.1 Cryptographic controls → Security issues (8.2.11)
6.8.1 Secure areas → Security issues (8.2.11)
6.8.2 Equipment → Security issues (8.2.11)
6.9.1 Operational procedures and responsibilities → Operational planning and control (8.1)
6.9.2 Protection from malware → Security issues (8.2.11)
6.9.3 Backup → Security issues (8.2.11)
6.9.4 Logging and monitoring → Security issues (8.2.11)
6.9.5 Control of operational software → Security issues (8.2.11)
6.9.6 Technical vulnerability management → Security issues (8.2.11)
6.9.7 Information systems audit considerations → Internal audit (9.2)
6.10.1 Network security management → Security issues (8.2.11)
6.10.2 Information transfer → Security issues (8.2.11)
6.11.1 Security requirements of information systems → Security issues (8.2.11)
6.11.2 Security in development and support processes → Security issues (8.2.11)
6.11.3 Test data → Security issues (8.2.11)
6.12.1 Information security in supplier relationships → Security issues (8.2.11)
6.12.2 Supplier service delivery management → Security issues (8.2.11)
6.13.1 Management of information security incidents and improvements → Security issues (8.2.11)
6.14.1 Information security continuity → Maintenance (8.2.13)
6.14.2 Redundancies → Maintenance (8.2.13)
6.15.1 Compliance with legal and contractual requirements → Fair, lawful and transparent processing (8.2.6)
6.15.2 Information security reviews → Fair, lawful and transparent processing (8.2.6)

7.2.1 Identify and document purpose → Identifying and recording uses of personal information (8.2.2); Processing for specific legitimate purposes (8.2.7)
7.2.2 Identify lawful basis → Fair, lawful and transparent processing (8.2.6)
7.2.3 Determine when and how consent is to be obtained → Fair, lawful and transparent processing (8.2.6)
7.2.4 Obtain and record consent → Fair, lawful and transparent processing (8.2.6)
7.2.5 Privacy impact assessment → Actions to address risks and opportunities (6.1); Risk assessment and treatment (8.2.3)
7.2.6 Contracts with PII processors → Security issues (8.2.11)
7.2.7 Joint PII controller → Risk assessment and treatment (8.2.3)
7.2.8 Records related to processing PII → Identifying and recording uses of personal information (8.2.2)
7.3.1 Determining and fulfilling obligations to PII principals → Fair, lawful and transparent processing (8.2.6); Rights of natural persons (8.2.12)
7.3.2 Determining information for PII principals → Fair, lawful and transparent processing (8.2.6)
7.3.3 Providing information to PII principals → Fair, lawful and transparent processing (8.2.6)
7.3.4 Providing mechanism to modify or withdraw consent → Fair, lawful and transparent processing (8.2.6)
7.3.5 Providing mechanism to object to PII processing → Rights of natural persons (8.2.12)
7.3.6 Access, correction and/or erasure → Accuracy (8.2.9)
7.3.7 PII controllers' obligations to inform third parties → Rights of natural persons (8.2.12)
7.3.8 Providing copy of PII processed → Rights of natural persons (8.2.12)
7.3.9 Handling requests → Rights of natural persons (8.2.12)
7.3.10 Automated decision making → Rights of natural persons (8.2.12)
7.4.1 Limit collection → Actions to address risks and opportunities (6.1); Adequate, relevant and in line with data minimization principles (8.2.8)
7.4.2 Limit processing → Actions to address risks and opportunities (6.1); Adequate, relevant and in line with data minimization principles (8.2.8)
7.4.3 Accuracy and quality → Accuracy (8.2.9)
7.4.4 PII minimization objectives → Adequate, relevant and in line with data minimization principles (8.2.8)
7.4.5 PII de-identification and deletion at the end of processing → Retention and disposal (8.2.10)
7.4.6 Temporary files → Security issues (8.2.11)
7.4.7 Retention → Retention and disposal (8.2.10)
7.4.8 Disposal → Retention and disposal (8.2.10)
7.4.9 PII transmission controls → Security issues (8.2.11)
7.5.1 Identify basis for PII transfer between jurisdictions → Security issues (8.2.11)
7.5.2 Countries and international organizations to which PII can be transferred → Security issues (8.2.11)
7.5.3 Records of transfer of PII → Security issues (8.2.11)
7.5.4 Records of PII disclosure to third parties → Security issues (8.2.11)

8.2.1 Customer agreement → Security issues (8.2.11)
8.2.2 Organization's purposes → Security issues (8.2.11)
8.2.3 Marketing and advertising use → Security issues (8.2.11)
8.2.4 Infringing instruction → Security issues (8.2.11)
8.2.5 Customer obligations → Security issues (8.2.11)
8.2.6 Records related to processing PII → Security issues (8.2.11)
8.3.1 Obligations to PII principals → Fair, lawful and transparent processing (8.2.6)
8.4.1 Temporary files → Retention and disposal (8.2.10)
8.4.2 Return, transfer or disposal of PII → Retention and disposal (8.2.10)
8.4.3 PII transmission controls → Security issues (8.2.11)
8.5.1 Basis for PII transfer between jurisdictions → Security issues (8.2.11)
8.5.2 Countries and international organizations to which PII can be transferred → Security issues (8.2.11)
8.5.3 Records of PII disclosure to third parties → Security issues (8.2.11)
8.5.4 Notification of PII disclosure requests → Security issues (8.2.11)
8.5.5 Legally binding PII disclosures → Security issues (8.2.11)
8.5.6 Disclosures of subcontractors used to process PII → Security issues (8.2.11)
8.5.7 Engagement of a subcontractor to process PII → Security issues (8.2.11)
8.5.8 Change of subcontractor to process PII → Security issues (8.2.11)

Mapping BS 10012:2017 to ISO/IEC 27701

BS 10012 clause and topic → ISO/IEC 27701 topic (clause)

4.1 Understanding the organization and its context → Understanding the organization and its context (5.2.1)
4.2 Understanding the needs and expectations of interested parties → Understanding the needs and expectations of interested parties (5.2.2)
4.3 Determining the scope of the personal information management system → Determining the scope of the information security management system (5.2.3)
4.4 Personal information management system → Information security management system (5.2.4)
5.1 Leadership and commitment → Leadership and commitment (5.3.1)
5.2 Policy → Policy (5.3.2); Management direction for information security (6.2.1)
5.3 Organizational roles, responsibilities and authorities → Organizational roles, responsibilities and authorities (5.3.3); Internal organization (6.3.1)
5.4 Embedding the PIMS in the organization's culture → Information security objectives and planning to achieve them (5.4.2); Internal organization (6.3.1)
6.1 Actions to address risks and opportunities → Actions to address risks and opportunities (5.4.1); Privacy impact assessment (7.2.5); Limit collection (7.4.1); Limit processing (7.4.2)
6.2 PIMS objectives and planning to achieve them → Information security objectives and planning to achieve them (5.4.2)
7.1 Resources → Resources (5.5.1)
7.2 Competence → Competence (5.5.2)
7.3 Awareness → Awareness (5.5.3)
7.4 Communication → Communication (5.5.4)
7.5 Documented information → Documented information (5.5.5)
8.1 Operational planning and control → Operational planning and control (5.6.1); Operational procedures and responsibilities (6.9.1)
8.2.1 Key appointments → Organizational roles, responsibilities and authorities (5.3.3); Internal organization (6.3.1)
8.2.2 Identifying and recording uses of personal information → Responsibility for assets (6.5.1); Information classification (6.5.2); Identify and document purpose (7.2.1); Records related to processing PII (7.2.8)
8.2.3 Risk assessment and treatment → Information security risk assessment (5.6.2); Information security risk treatment (5.6.3); Privacy impact assessment (7.2.5); Joint PII controller (7.2.7)
8.2.4 Training and awareness → Prior to employment (6.4.1); During employment (6.4.2); Termination and change of employment (6.4.3)
8.2.5 Keeping PIMS up to date → Monitoring, measurement, analysis and evaluation (5.7.1)
8.2.6 Fair, lawful and transparent processing → Compliance with legal and contractual requirements (6.15.1); Information security reviews (6.15.2); Identify lawful basis (7.2.2); Determine when and how consent is to be obtained (7.2.3); Obtain and record consent (7.2.4); Determining and fulfilling obligations to PII principals (7.3.1); Determining information for PII principals (7.3.2); Providing information to PII principals (7.3.3); Providing mechanism to modify or withdraw consent (7.3.4); Obligations to PII principals (8.3.1)
8.2.7 Processing for specific legitimate purposes → Identify and document purpose (7.2.1)
8.2.8 Adequate, relevant and in line with data minimization principles → Limit collection (7.4.1); Limit processing (7.4.2); PII minimization objectives (7.4.4)
8.2.9 Accuracy → Access, correction and/or erasure (7.3.6); Accuracy and quality (7.4.3)
8.2.11 Security issues → Mobile devices and teleworking (6.3.2); Media handling (6.5.3); Business requirements of access control (6.6.1); User access management (6.6.2); User responsibilities (6.6.3); System and application access control (6.6.4); Cryptographic controls (6.7.1); Secure areas (6.8.1); Equipment (6.8.2); Protection from malware (6.9.2); Backup (6.9.3); Logging and monitoring (6.9.4); Control of operational software (6.9.5); Technical vulnerability management (6.9.6); Network security management (6.10.1); Information transfer (6.10.2); Security requirements of information systems (6.11.1); Security in development and support processes (6.11.2); Test data (6.11.3); Information security in supplier relationships (6.12.1); Supplier service delivery management (6.12.2); Management of information security incidents and improvements (6.13.1); Contracts with PII processors (7.2.6); Temporary files (7.4.6); PII transmission controls (7.4.9); Identify basis for PII transfer between jurisdictions (7.5.1); Countries and international organizations to which PII can be transferred (7.5.2); Records of transfer of PII (7.5.3); Records of PII disclosure to third parties (7.5.4); Customer agreement (8.2.1); Organization's purposes (8.2.2); Marketing and advertising use (8.2.3); Infringing instruction (8.2.4); Customer obligations (8.2.5); Records related to processing PII (8.2.6); PII transmission controls (8.4.3); Basis for PII transfer between jurisdictions (8.5.1); Countries and international organizations to which PII can be transferred (8.5.2); Records of PII disclosure to third parties (8.5.3); Notification of PII disclosure requests (8.5.4); Legally binding PII disclosures (8.5.5); Disclosures of subcontractors used to process PII (8.5.6); Engagement of a subcontractor to process PII (8.5.7); Change of subcontractor to process PII (8.5.8)
8.2.12 Rights of natural persons → Determining and fulfilling obligations to PII principals (7.3.1); Providing mechanism to object to PII processing (7.3.5); PII controllers' obligations to inform third parties (7.3.7); Providing copy of PII processed (7.3.8); Handling requests (7.3.9); Automated decision making (7.3.10)
8.2.13 Maintenance → Monitoring, measurement, analysis and evaluation (5.7.1); Information security continuity (6.14.1); Redundancies (6.14.2)
9.1 Monitoring, measurement, analysis and evaluation → Monitoring, measurement, analysis and evaluation (5.7.1)
9.2 Internal audit → Internal audit (5.7.2); Information systems audit considerations (6.9.7)
9.3 Management review → Management review (5.7.3)
10.1 Nonconformity and corrective action → Nonconformity and corrective action (5.8.1)
10.2 Preventative actions → Nonconformity and corrective action (5.8.1)
10.3 Continual improvement → Continual improvement (5.8.2)
BSI/UK/1592/SC/0719/EN/GRP

Privacy regulation: Understanding the role of ISO/IEC 27701
By Kieran McDonagh, Riskscape Law Ltd
A white paper

Contents
Introduction
The European privacy landscape
The role of ISO/IEC 27701
The benefits of the standard
Key concepts
Overview of the privacy regulation landscape
ePrivacy regulation challenges AdTech business model
Competition law challenges for those processing large datasets
Online harm from personal data posted online
Implementing privacy and information security standards
Privacy governance
Conclusion

Introduction

The privacy of individuals’ personal data is very topical. An organization must carefully consider how to handle the personal information of customers, employees, visitors and neighbours; for many organizations this is a challenge. The application of the GDPR (General Data Protection Regulation) in May 2018 meant that all organizations, no matter where they are based, now have to comply with the GDPR if they handle the personal data of citizens of the EU.
Beyond the EU, at least 132 countries now have a privacy law in place. Organizations that transfer personal data between these countries must take each relevant law into account when considering controls to protect privacy. Implementing and monitoring controls to support compliance with such laws can be a complex challenge. To make this more manageable, having standards in place can give organizations more confidence in the steps they have taken to fulfil regulatory compliance. Such standards include ISO/IEC 27701, an internationally agreed standard that enables organizations to extend their existing ISO/IEC 27001 Information Security Management System (ISMS) to address privacy requirements. This white paper sets out an overview of regulations related to privacy, the role ISO/IEC 27701 can play and what this means for businesses and consumers.

The European privacy landscape

The personal data of millions of European consumers has been protected by law through the GDPR since 25 May 2018. All organizations, of whatever size, that handle personal data must comply with the GDPR, or with a local law that incorporates the GDPR. For example, in the UK this means complying with the Data Protection Act 2018 (DPA 2018).

The EU’s Charter of Fundamental Rights, which was given legal force through the Treaty of Lisbon in 2009, includes individuals’ right to privacy. The GDPR is built on this right to privacy, and so requires that privacy be taken into account when individuals’ personal data is collected, analysed, shared, stored and deleted (collectively ‘processed’). The GDPR includes a series of principles that require the processing of personal data to be:
• processed lawfully, fairly and transparently for the individual
• collected for specific purposes and not reused for other purposes
• minimized in its collection and processing
• kept up to date
• stored for the shortest time possible
• secured against unauthorized processing, and against loss, destruction or damage

The GDPR sets out the types of controls that must be in place if the privacy of individuals’ personal data is to be protected. When reviewing how personal data is processed, the GDPR requires an assessment of whether such processing represents a high risk to the rights and freedoms of the individuals whose personal data is being processed. This assessment needs to be applied in many different circumstances where personal data is processed. Some organizations have found it difficult to assess these risks and have sought advice and guidance from regulators about how to carry out this assessment.

The role of ISO/IEC 27701

The ISO/IEC 27701 standard extends the ISO/IEC 27001 ISMS to incorporate privacy requirements. Since many organizations already have an ISO/IEC 27001 ISMS, this reduces the complexity of establishing a Privacy Information Management System (PIMS), because the groundwork has already been laid. Organizations familiar with ISO/IEC 27001 will be able to extend their ISMS to address privacy and to support compliance with the GDPR and other privacy laws, as the standard provides a means to demonstrate commitment to privacy information management.

The standard identifies the controls that must be in place for the management of personal data, or Personally Identifiable Information (PII), to be systematic and transparent. It sets out the controls that are required when the organization is acting as a controller or as a processor of PII. The controls in the standard cover the entire life cycle of PII: collection, analysis, sharing, storage and deletion. The individual to whom the PII relates is placed at the centre of these controls, just as the GDPR requires.
The benefits of the standard

Global consistency

Organizations often operate in more than one country and so face many privacy and information security requirements from different jurisdictions. By using an internationally recognized standard, the organization can gather all the requirements together so that only one set of actions is needed to help achieve and maintain compliance. This is particularly important when organizations transfer PII across borders, where different laws and control requirements exist on either side of the border.

Stakeholder management

A standard can also provide a structure for incorporating the additional requirements set by the organization’s stakeholders, such as the Board or customer representatives. A standardized approach to privacy and information security compliance, based on a best practice standard, provides a clearly signposted beginning, middle and end to a compliance programme. Meeting the requirements of a standard can be used to support the business case for achieving or maintaining compliance, helping to make the issue tangible for senior management. Strong stakeholder buy-in is an essential element in the success of such a programme.

Programme management

An organization that insists that any capital expenditure is managed through a formal project can also use a standard as a framework for programme management, incorporating the risk assessment, mitigation and monitoring activities of both change and ‘business as usual’ activities. Programmes often use a formal process for identifying requirements and project objectives that together can add real value. A standard provides a structure for doing precisely this and, when coupled with an internal or external assessment, it provides a tight framework for co-ordinating compliance activities. This helps avoid distractions and digressions on peripheral issues, ensuring a focus on achieving and maintaining compliance.
Using a standard as part of a programme management discipline can help different departments, geographies and technical functions to work together on a single transparent set of requirements. This is essential if cross-border data transfers are to be controlled in more than one country. Also, using a project delivery approach means that simple metrics can be used to explain progress to senior management in a way that gives credibility to the work of achieving and maintaining compliance. Providing senior management with a simple view of progress towards privacy and information security compliance is essential for the management of the legal risks associated with new laws such as the GDPR. This is particularly the case as fines for non-compliance can be measured in the millions.

Internal education

A standard document can also be used to educate non-specialists in the technical discipline of the standard. It can also help to structure training programmes that provide awareness training across the organization, as well as accredit technical staff as experts in their field. Privacy and information security controls must be successfully implemented and followed by every member of staff, consultant, contractor, visitor and third party if an organization is to be compliant. Each group needs specific training programmes aligned to their needs to ensure that they are fully aware of their responsibilities and how to operate controls effectively. A standard provides a framework that allows training programmes to be comprehensive, while sharing common messages across different groups.

Assurance

A standard can also be used to provide a framework for testing controls and providing assurance on privacy and information security using successful test results. It helps establish requirements that translate into control objectives and can support the identification of particular controls that an organization must have in place to comply with privacy and information security requirements. Tests of the controls can then be planned, carried out and reported to provide assurance to internal and external stakeholders. A standard allows this workflow to be organized systematically and to be managed as a project to meet senior management objectives.

Demonstrating the achievement and maintenance of compliance with a recognized standard can help to provide assurance to internal and external stakeholders such as regulators and suppliers throughout the supply chain. Both will insist on assurance from an organization on its compliance with privacy and information security requirements, with suppliers needing this before accepting components or services. This requirement is becoming an increasingly important part of supply chain assurance. A standard provides a baseline of controls that allows both upstream and downstream supply chain partners to understand the risks of sharing information, and allows them to mitigate any residual risks by implementing additional controls over their data transfers.

Proactive approach

No matter how many privacy and information security controls are in place, organizations will still be at risk of experiencing a data breach. Where an organization complies with a standard, but nonetheless suffers a privacy or information security breach, the organization can claim that it suffered the breach despite compliance with a best practice standard. The alternative is that it cannot demonstrate its best endeavours to comply, putting it at risk.

When reporting such a breach to the relevant regulators, being compliant with a recognized standard can provide assurance to the regulators that controls are organized systematically and can be strengthened easily following the breach. Without demonstrating compliance with a standard, organizations may need to do more to convince regulators that they have a mature control environment and that they take compliance with privacy and information security requirements seriously. Discussions with regulators in these situations can often involve sanctions. The organization can use its compliance with a recognized standard as a mitigating factor when arguing against sanctions or fines. As fines under the GDPR can be significant, up to four per cent of annual global turnover, the return on investment in complying with a recognized standard could be very positive.

Key concepts

The language of privacy and information security requirements can seem daunting to those new to the field. However, help is available, as defining key concepts is central to the work of creating international standards. Some definitions will be widely accepted by practitioners, while others will be disputed, sometimes indefinitely. Nonetheless, standards present an internationally recognized definition of key concepts that practitioners can use in their day-to-day work of implementing controls. ISO/IEC 27701 and associated standards define many of the key concepts that a compliance programme in privacy and information security requires. Some of these key concepts are described below.

Definition: Personally Identifiable Information (PII)

ISO/IEC 27701:2019 uses the vocabulary common to the suite of ISO/IEC 2700x standards that cover information security and associated controls. It uses the term Personally Identifiable Information (PII) to describe the information assets that must be protected and managed when providing security and privacy for a PII principal or individual. PII is defined in section 2.9 of ISO/IEC 29100:2011 as information that can be used, on its own or combined with other linked information, to identify a PII principal or individual.
This term is most often used in US federal laws such as the Health Insurance Portability and Accountability Act (HIPAA), which helps protect medical records and other personal health information. So, for example, an individual’s IP address is not in itself PII. However, if it is reasonably possible to combine it with other linked information, such as names in IP allocation tables, then it becomes PII.

Sensitive PII is defined in section 2.26 of ISO/IEC 29100:2011 as PII that contains information related to the most intimate details about a PII principal or individual, or whose impact on the individual, if disclosed, would be significant.

Definition: Privacy

‘Privacy’ can be considered as the term that describes the end result of adequate controls over the ‘processing’ of PII. Section 2.22 of ISO/IEC 29100:2011 includes the definition of a privacy stakeholder as a PII principal or individual that can be affected by a decision or activity related to the processing of PII. Privacy can therefore be defined as the prevention of adverse impacts on PII principals or individuals as a result of the processing of PII. The GDPR does not define privacy, but states its objective in Article 1 as the protection of the fundamental rights and freedoms of individuals with regard to the processing of personal data, and in particular their right to the protection of their personal data.

The risk to the privacy of PII is defined in section 2.19 of ISO/IEC 29100:2011 as the effect of gaps in information about an event, its likelihood or consequence for the privacy of PII. Privacy controls are defined in section 2.14 of ISO/IEC 29100:2011 as organizational, physical and technical measures that treat privacy risks by reducing their likelihood or consequence.

Personal data – EU terminology

In the EU, the term ‘personal data’ is used in the GDPR. ‘Personal data’ is defined in Article 4 as any information relating to an individual that, using reasonable means, allows them to be identified. So, for example, profiling an individual through their IP address, even though their name may not be disclosed, will make this information ‘personal data’.

In the EU, special categories of personal data are defined in Article 5 of the GDPR as revealing the most sensitive details about an individual, which might prevent them exercising their rights and freedoms under the Charter of Fundamental Rights of the EU. For example, information about an individual’s racial or ethnic origins, religious beliefs or sexual orientation would be considered a special category of personal data. The GDPR would then require this information to be protected using additional privacy controls.

Definition: Information security

Privacy is impossible without adequate information security. Adequate information security is necessary for the privacy of PII but is not by itself sufficient. Preventing the disclosure, loss or corruption of PII cannot be effective unless the entire life cycle of the PII processing is protected through information security controls. Section 3.28 of ISO/IEC 27000:2018 defines information security as the end result of adequate controls to preserve the confidentiality, integrity and availability of information.

Confidentiality is defined by section 3.10 of ISO/IEC 27000:2018 as a property of information security where information is not disclosed to those unauthorized to receive it. Disclosure could be the result of a deliberate leak of information outside an organization, an accidental disclosure to the wrong person or a deliberate transfer that was based on inaccurate advice and so was an unauthorized disclosure.

Integrity is defined by section 3.36 of ISO/IEC 27000:2018 as a property of information security where information retains its accuracy and completeness.
Controls should also be in place to update the accuracy and completeness of the information in order to provide assurance about these properties to its users.

Availability is defined by section 3.7 of ISO/IEC 27000:2018 as a property of information security where information is made accessible on demand to authorized users. The requirements of users for access to information will vary with the criticality of the business process, and therefore the sophistication of the arrangements required to provide the information under all circumstances will also vary.

The GDPR defines a principle of information security for personal data in Article 5. It requires the use of appropriate technical or organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Section 3.28 of ISO/IEC 27000:2018 notes that other properties of information security, such as authenticity, accountability, non-repudiation and reliability, can also be considered part of information security. Most practitioners see these as sub-properties of confidentiality, integrity and availability.

Definition: Control

A control is an activity that provides a means of treating risk. Section 3.14 of ISO/IEC 27000:2018 defines a control objective as a description of what a control is intended to achieve, while section 3.61 defines a control as a measure that modifies risk; in the case of privacy controls, it modifies privacy risk. The GDPR does not define a control or a control objective.

Good practice supports the identification of control objectives to address particular privacy risks. One privacy risk might apply to more than one privacy control objective. Each control objective requires the design of a suite of controls – some organizational, some technical – that, with effective operation, addresses the privacy risk to PII. The privacy controls, as defined in section 2.14 of ISO/IEC 29100:2011, reduce the likelihood or consequences of a privacy risk materializing. Compliance with ISO/IEC 27701 would require each control objective to be defined, and controls designed to meet each of them, so providing a framework of controls that together support the privacy of PII.

Definition: Testing

Testing is the activity of assessing the effectiveness of the design of a control or of its operation. Without adequate testing of the design, it is impossible to accurately assess whether the control is suitable to achieve the control objective. Similarly, without adequate testing of the operation of the control, it is impossible to accurately assess whether the control is effective in treating risk.

Good practice in testing requires a test plan to be created in advance. This plan should set out:

• the control objectives
• the characteristics of the control design that will be tested
• the criteria against which the design will be assessed
• sample sizes for the output of the control in operation
• threshold acceptance levels that demonstrate effective operation
• reporting lines for acceptable and unacceptable testing results

The testing of privacy controls should consider the central use cases as set out in the analysis of the business process that handles PII. However, no business process works perfectly in all situations, and so testing must also consider use cases where business processes are operated incorrectly or are disrupted by internal or external agents for malicious reasons. Only when the full suite of use cases has been tested successfully can the privacy risk be considered to be under control.

External sources of information can contribute to the risks to the privacy of PII. For example, the principle of minimization can mean that organizations collect very little PII.
However, no matter how little PII is collected, when combined with other sources of data, it can allow individuals to be identified and their privacy placed at risk. Testing of privacy risks should also consider scenarios where external sources of data are combined to identify an individual. A celebrated example of this is when a journalist managed to combine different sources of data to allow them to successfully apply for a passport in the name of the Information Commissioner.

Compliance with ISO/IEC 27701 would require an organization to demonstrate that the risks to the privacy of the PII that it handles had been assessed, that controls had been put in place and that the controls had been shown to be operating effectively through a comprehensive framework of control testing. Testing would therefore be central to this process.

Overview of the global privacy regulation landscape

The key source of information on applying the GDPR is the European Data Protection Board (EDPB). It issues guidance on various topics, such as carrying out Data Protection Impact Assessments, which is available online (https://edpb.europa.eu/guidelines-relevant-controllers-and-processors_en).

When reviewing an area it believes needs guidance, the EDPB works to establish a consensus between each of the Data Protection Authorities (DPAs) throughout the EU, such as the UK’s Information Commissioner’s Office (ICO) (www.ico.org.uk) and France’s Commission Nationale de l’Informatique et des Libertés (CNIL). DPAs are responsible for registering organizations that control the processing of personal data, providing advice to organizations and to individuals, responding to complaints from individuals, and investigating and fining organizations that have experienced a data breach. The DPA will also prosecute organizations if it believes that their processing of personal data is not compliant with the GDPR.

While there is still ambiguity over how to comply with some aspects of the GDPR, instances where a DPA prosecutes an organization for non-compliance will provide a useful indication of how the DPA and the courts expect organizations to comply with the law. Where a case is appealed to the European Court of Justice, the EU’s supreme court, the judgements can be considered definitive. These cases tend to offer an indication of how to implement the GDPR in some of the most complex circumstances. These cases are reported online (https://eur-lex.europa.eu/homepage.html?locale=en).

The EDPB took on the role of its predecessor organization, the Article 29 Working Group, which had been created by the Data Protection Directive 95/46/EC that was incorporated into UK law as the Data Protection Act 1998. When the EDPB was formed, it adopted all of the guidance published since 1997 covering topics such as employee monitoring and breach notification. All of this guidance is available online (https://ec.europa.eu/justice/article-29/documentation/index_en.htm).

The global impact of GDPR

The GDPR covers the personal data of European citizens, no matter where their data is processed, and has therefore set a high standard for organizations all over the world. Other countries, when considering how to revise their own data protection laws, have looked to the GDPR as an up-to-date model for data protection in the age of global social media. Brazil has introduced a new data protection law (LGPD) that comes into force in 2020 and adopts many of the principles of the GDPR. In addition, the new California Consumer Privacy Act (CCPA), which also comes into force in 2020, adopts some of the concepts of the GDPR. Legislators in Washington DC have been negotiating to introduce a federal data privacy law that may pre-empt the CCPA, and their efforts have centred on achieving similar protections to those in the GDPR. Being compliant with the GDPR therefore means less effort is required to comply with international laws.

Other European privacy laws

The GDPR was created at the same time as two parallel laws: Regulation (EU) 2018/1725, which requires good data protection practices in EU institutions, and the specific data protection Directive (680/2016), which requires good data protection practices in EU law enforcement bodies. Regulation (EU) 2018/1725 came into effect for EU institutions on 11 December 2018, while the Directive came into effect in each jurisdiction through local enabling laws. It was incorporated into the UK’s DPA 2018, which came into effect on 23 May 2018. A copy is available online (http://www.legislation.gov.uk/ukpga/2018/12/contents).

ePrivacy Regulation challenges AdTech business model

In addition to the GDPR and the Directive, the EU is creating a new law to update the Privacy and Electronic Communications Directive 2002 (2002/58/EC), or the ePrivacy Directive. The Directive was given legal force in the UK through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and became known as the ‘cookie law’. When introduced, the ‘cookie law’ required Internet sites to ask permission from users to place cookies on their computers. However, the law was not clear about how this might work. Companies were concerned that, in order to establish whether a user had previously opted out of having cookies placed on their computer, they would have to have already placed a cookie which could then inform the company about the user’s preferences. The law was also unclear about whether a user had to opt in to having cookies placed on each visit to a website, or just on the first visit. As a result of this confusion, the law was interpreted widely, and many sites failed to comply with the spirit of the law.
The revision of the ePrivacy Directive is intended to respond to the changes in the processing of personal data on the Internet since the previous law in 2002, and to align its requirements with the GDPR. This new law will be a regulation, just like the GDPR, and so will be uniformly applicable across the EU. The latest draft of the Regulation (13 March 2019) makes the processing of any personal data as part of electronic ‘interpersonal communication’ subject to privacy controls similar to those of the GDPR.

The processing of metadata has also been considered during the drafting of the Regulation. Whether the metadata associated with the processing of personal data online is itself classified as personal data is an issue that has not yet been settled, but case law seems to be pushing towards this outcome. This would mean that metadata would also need to be protected by privacy controls similar to those for personal data.

The need to warn website visitors about the use of cookies to record activity on a site was the most public aspect of the original Directive. This requirement to warn visitors on every visit is one that some hoped might be discarded in the new Regulation. The latest draft seeks to reduce the workload on visitors by allowing a generic opt-in or opt-out to cookies within the browser settings. However, consent will still be required in most situations, and the level of consent is expected to meet that of the GDPR and so be ‘freely given, specific, informed and unambiguous’. Websites will also have to inform visitors how their personal data will be processed and to which third parties it will be transferred. Some websites have already begun to structure their cookie consent banners to reflect this GDPR requirement, but the ICO has already highlighted that the majority of websites are not yet compliant with the GDPR. For some organizations, the need to restrict processing, inform customers and secure consent will be a challenge.
Where this challenge cannot be met, some organizations will have to change their business models. The ICO has warned organizations of this risk in its June 2019 publication on AdTech (https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf).

The ePrivacy Regulation is expected to be finalized later in 2019 or in 2020 and become law automatically in all EU states within 24 months. Other countries in the European Economic Area (Norway, Liechtenstein and Switzerland) would negotiate a timetable for the Regulation to apply to their countries. Third countries would have to negotiate bilaterally and reflect the requirements of the ePrivacy Regulation in local law, such as where organizations in those countries wish to process the personal data of EU citizens online.

Competition law challenges for those processing large datasets

Those organizations that process large amounts of personal data are discovering that their processing may also infringe competition law. Competition law is designed to prevent a dominant market position being used to reduce competition from other organizations in the same market. Where organizations, such as social media platforms, process the personal data of large numbers of individuals, they might be considered to have a dominant position in the market for gathering market research data and providing display advertising. New competitors might struggle to compete against an existing social media platform, as the new company will not have the benefit of millions of existing customers and their Internet data. Where this dominant position is considered to prevent other organizations also gathering such market research data, reducing competition in the market, the social media platform could be subject to competition law scrutiny.

In the EU, the Commission’s Competition Directorate tends to look at the market share of particular organizations in specific markets to determine whether there is a risk to competition in the market. Where competition law finds a dominant position in the market for market research data, sanctions can include fines for anti-competitive behaviour, divestment of subsidiaries or the break-up of dominant groups. The European Commission is actively considering how new regulations might help to ensure that social media platforms do not reduce competition from other companies.

Online harm from personal data posted online

Where users post their own material online, in the so-called Web 2.0, this material can be considered personal data. Not only does a hosting site have to protect the privacy of this data, but it must also consider whether hosting this user-generated material will lead to harm to third parties. Calls have grown in a number of countries for social media platforms to be regulated like publishers of individuals’ posts rather than merely as technology companies providing the platform’s underlying technology.

In New Zealand, the Harmful Digital Communications Act 2015 requires hosts of user-generated material to delete online material if served with a complaint about specific content, even if the complaint is ignored by its author. In April 2019, the UK Government published a white paper that proposed placing a ‘duty of care’ on hosts of user-generated material (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/793360/Online_Harms_White_Paper.pdf). If made law, it would require posts that are considered to contain material that is harmful to children or vulnerable people to be removed within a strict time frame. Ireland is considering a similar law.
Calls have been made in the US for social media platforms to take more responsibility for the user-generated material they host. The US Congress has taken this issue sufficiently seriously to ask the social media platforms to testify about how they deal with online harms. There appears to be a drift of the law towards seeing the hosts of user-generated material as publishers rather than technologists. This change in status would have significant implications for all online hosting platforms, not just the major social media platforms. Any organization that hosts user-generated material may have to build new business processes to scrutinize posts and promptly delete those considered to be harmful.

Implementing privacy and information security standards

Standards can help to provide a baseline of control objectives for organizations that are seeking to comply with privacy and information security laws and regulations. Where multiple laws must be complied with, a single standard can be used to accommodate each set of legal requirements within a single structure that an organization can use as a focus for its compliance efforts. Implementing standards allows an organization to demonstrate to regulators, suppliers and customers that it not only has privacy and information security controls in place, but that senior management takes these issues seriously.

The challenge of GDPR certification

The EDPB published guidance in June 2019 (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf) on the requirements for new certification schemes that will allow organizations to demonstrate compliance with the GDPR. In the future, certification schemes are likely to be developed that cover aspects of GDPR compliance such as Data Subject Access Requests, Complaints Processes, Privacy by Design and Communications with Data Subjects. There are currently no certification schemes that cover all aspects of the GDPR. The EDPB has noted that certification schemes that cover only some GDPR controls can help organizations demonstrate their overall compliance with the GDPR. A mosaic of certification schemes is therefore expected to form the basis of GDPR certification for most organizations for the foreseeable future.

Privacy governance

Good business governance is important to help organizations respond to changing environments, and there are different types of standards available to support this. For example, management system standards help organizations to manage risk and improve performance across a range of areas, from quality management and health and safety to privacy and information security.

The benefits of a management systems approach

Complying with any standard for a business process or product helps an organization develop in a specific discipline. However, implementing a management systems standard requires a much more robust approach that impacts all functions across the organization. If the management systems standard is going to be effective, it must be embedded into the existing management of the organization. A management systems standard is focused on making compliance with the standard robust at any point in time and sustainable in the longer term. This type of standard makes the management of the organization as a whole much more systematic and transparent. Compliance with the standard demonstrates that the organization takes its management responsibilities seriously.

Leadership engagement

A key feature of a management systems standard is the requirement for the organization’s senior management to be involved. This can bring significant management attention to issues such as privacy and information security, and help to raise the profile of these issues within senior management teams. It can also support future conversations about the need for further investment and attention.
For most organizations, the path towards compliance is an everlasting one, and so working against an international standard provides ongoing focus for a programme that can lose focus after the initial burst of energy.

Integration efficiencies

Any management systems standard is also designed to be shared in a modular way, so that the effort of adding a new management systems standard to an organization is minimized. Once an organization has embedded a single management standard, say for quality, the extra effort required to add an additional management standard, say for privacy and information security, is much less than that for the initial standard. Any organization that seeks to comply with privacy and information security requirements through a management systems standard is therefore investing in the robustness and sustainability of the organization in a way that allows other technical areas, such as safety or quality, to be addressed in the future.

Conclusion

This white paper has explored the privacy regulation landscape. It has not only demonstrated a number of differences and similarities globally, but has highlighted the importance of specific regulatory requirements such as the ePrivacy Directive. It requires jurisdictional differences to be considered and encourages senior management to take privacy seriously. This is of critical importance when new regulations are coming into place and the impacts can affect the bottom line.

All regulations have positive intentions to support an individual’s privacy rights, and the foundation set by the GDPR has given a springboard to other countries and states around the world. There are of course nuances between these that can create a challenge for organizations; however, that is where international standards can offer support. It is also essential to recognize that the regulatory landscape is complex, ever changing and needs to be regularly reviewed. By adopting a management system approach, organizations are encouraged to continually monitor and assess performance in light of the business environment in which they operate. ISO/IEC 27701 is a great example of organizations, governmental bodies and academics bringing their knowledge together to provide a governance framework that can support this: a management systems standard that encourages organizations to put governance around their personally identifiable information activities.

Author

Kieran McDonagh, Riskscape Law Ltd

Kieran McDonagh is an experienced data protection and cyber security professional. He has used international standards to audit, risk assess and remediate controls in data protection, cyber security, business resilience and supply chain risk management. He has led regulatory compliance projects for BNP Paribas, BP and Centrica, and he is currently a member of the BSI committee developing the international standard ISO 31700 – Privacy by Design. He has master’s degrees in cyber security, management science and law.

Reviewers

This white paper was peer reviewed by:

Geoffrey Goodell, Senior Research Associate, UCL CBT, UCL Computer Science.

One peer reviewer elected to remain anonymous.

Disclaimer

This white paper is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd. The views expressed are entirely those of the authors. All rights reserved. Copyright subsists in all BSI publications including, but not limited to, this white paper. Except as permitted under the Copyright, Designs and Patents Act 1988, no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior written permission from BSI.
While every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

Buy your copy of ISO/IEC 27701 now at: shop.bsigroup.com/bsisoiec27701

Why BSI?

BSI has been at the forefront of information security standards since 1995, having produced the world's first standard, BS 7799, now ISO/IEC 27001, the world's most popular information security standard. And we haven't stopped there, addressing new and emerging issues such as privacy, cyber and cloud security. That's why we're best placed to help you.

Working with over 86,000 clients across 193 countries, BSI is a truly international business with skills and experience across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient.

Knowledge

The core of our business centres on the knowledge that we create and impart to our clients. In the standards arena we continue to build our reputation as an expert body, bringing together experts from industry to shape standards at local, regional and international levels. In fact, BSI originally created eight of the world's top 10 management system standards.

Assurance

Independent assessment of the conformity of a process or product to a particular standard ensures that our clients perform to a high level of excellence. We train our clients in world-class implementation and auditing techniques to ensure they maximize the benefits of standards.
Compliance

To experience real, long-term benefits, our clients need to ensure ongoing compliance with a regulation, market need or standard so that it becomes an embedded habit. We provide a range of services and differentiated management tools which help facilitate this process.

BSI
389 Chiswick High Road
London W4 4AL
United Kingdom
T: +44 345 086 9001
E: [email protected]
bsigroup.com

Find out more about ISO/IEC 27701 with BSI. Call 0345 080 9000 or visit bsigroup.com/iso27701-UK

© 2019 The British Standards Institution. All Rights Reserved.
