With the increasing number of personal data breaches globally, establishing an acceptable global privacy framework has become a priority. Europe responded by implementing the European Union General Data Protection Regulation (GDPR); similarly, countries across Asia have revisited and reinforced their own personal data protection and privacy legislation. In 2020, Singapore amended the Personal Data Protection Act of 2012. Today, Malaysia is in the last stage of amending its Personal Data Protection Act of 2014, the Philippines has a pending proposal to amend its Data Privacy Act of 2012, Indonesia passed its Personal Data Protection Law in 2022, and India passed its Digital Personal Data Protection Bill in August 2023.
While legislation is being developed and enhanced in parallel around the globe, organisations need a common privacy framework that institutions can adopt worldwide, so that privacy safeguarding requirements are understood in a consistent way.
In 2011, the ISO/IEC 29100 Privacy Framework was published.
The privacy framework defines basic privacy terminology, defines the actors and their roles in processing Personally Identifiable Information (PII), describes privacy safeguarding requirements, and outlines 11 known privacy principles.
Due to the increasing number of IT systems, applications, and technologies that process PII, international information security standards that provide a common understanding of how to protect PII and safeguard privacy requirements have become a priority. Thus, ISO/IEC 27701:2019 Privacy Information Management System (PIMS) was developed and published in August 2019.
WHAT IS ISO/IEC 27701 PIMS?
- ISO/IEC 27701 specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS), in the form of an extension to the ISO/IEC 27001 Information Security Management System (ISMS) and to ISO/IEC 27002, for privacy management within the context of the organisation.
- ISO/IEC 27001 sets a standard for information security focused on preserving the confidentiality, integrity, and availability of the organisation’s sensitive information. ISO/IEC 27701 extends ISO/IEC 27001 so that, in addition to information security, it also protects the privacy of individuals who may be affected by the processing of PII.
- ISO/IEC 27701 specifies PIMS-related requirements and provides guidance for PII controllers and PII processors that hold responsibility and accountability for PII processing.
This standard outlines two sets of requirements: management system requirements (clauses 4 to 10), and information security and privacy controls and guidelines. The latter consist of guidance for implementing PIMS-specific controls related to the ISO/IEC 27001 Annex A controls, and privacy controls for PII controllers and PII processors (ISO/IEC 27701 Annex A and Annex B controls).
ISO/IEC 27701 requirements are divided into the four groups listed below:
- PIMS requirements related to ISO/IEC 27001 are outlined in clause 5.
- PIMS guidance related to ISO/IEC 27002 is outlined in clause 6.
- PIMS guidance for PII Controllers is outlined in clause 7.
- PIMS guidance for PII Processors is outlined in clause 8.
Comparable to the ISO/IEC 27001 standard structure, applicable controls for PII Controllers and/or PII Processors are outlined in the main body of the standard as follows:
- Annex A: PIMS reference control objectives and controls for PII controllers
- Annex B: PIMS reference control objectives and controls for PII processors
ISO/IEC 27701 also provides annexes that show how compliance with the PIMS controls relates to the general privacy principles specified in ISO/IEC 29100, and how the PIMS controls help fulfil the obligations of the GDPR. The relevant annexes are listed below:
- Annex C maps ISO/IEC 27701 controls against the ISO/IEC 29100 Privacy Framework
- Annex D maps ISO/IEC 27701 controls against GDPR Articles
- Annex E maps ISO/IEC 27701 controls against ISO/IEC 27018 (Code of Practice for protecting PII in the public cloud) and ISO/IEC 29151 (Code of Practice for PII protection)
- Annex F provides guidance for applying ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
IMPLEMENTING ISO/IEC 27701
Here is a quick guide to the requirements for implementing ISO/IEC 27701:
1. Organisations with existing certification to ISO/IEC 27001 should start at Annex F to understand how the application of PIMS fits into their existing ISO/IEC 27001 ISMS.
2. Organisations without existing certification to ISO/IEC 27001 should examine both the ISO/IEC 27001 requirements and the additional requirements of ISO/IEC 27701 to ensure conformity to ISMS and PIMS requirements.
3. Clauses 5 to 8 within PIMS extend the ISO/IEC 27001 requirements to incorporate PII considerations. The additional requirements are the following:
- Determine the organisation’s role as a PII controller (including as a joint PII controller) and/or as a PII processor.
- Establish a PIMS/privacy policy and objectives.
- Build the competence of the PIMS team.
- Build staff awareness of the PIMS policy and of how they can contribute to establishing and improving the PIMS.
- Apply a privacy risk assessment process to identify risks related to processing PII within the scope of the PIMS. Organisations can implement an integrated information security and privacy risk assessment process, or two separate processes: one for information security and one for the risks related to the processing of PII.
- Produce a Statement of Applicability (SoA) for the PIMS in accordance with the PII processing role, covering the ISO/IEC 27701 Annex A controls for a PII controller and/or the Annex B controls for a PII processor. Organisations can create a combined ISMS-PIMS SoA by including the PIMS controls in the existing ISO/IEC 27001 SoA.
- Develop and implement treatment action plans to address privacy risks.
- Monitor PIMS performance and analyse PIMS effectiveness.
- Conduct an internal audit and management review of the PIMS. Organisations can conduct a combined ISMS-PIMS internal audit and management review.
4. Of the ISO/IEC 27001 Annex A controls, 37 are enhanced with PIMS-specific guidance. Examples of these additional PIMS controls for protecting PII processing include:
- Appoint a qualified Data Protection Officer (DPO).
- Use cryptography to protect the PII the organisation processes.
- Establish responsibilities and procedures for identifying and recording breaches of PII in accordance with the country-specific privacy legislation.
- Design the processing of PII following the “privacy by design and privacy by default” principles.
- Identify the potential legal sanctions and substantial fines that local authorities can impose under applicable legislation (e.g., GDPR, PDPA).
5. PIMS has 31 new controls for the PII Controller and 18 new controls for the PII Processor that are to be implemented depending on the PII processing role of the organisation. The high-level PIMS controls and the corresponding control objectives are listed below:
- Conditions for collection and processing
  - Control objective: To determine and document that processing is lawful, with a legal basis as per applicable jurisdictions, and with clearly defined and legitimate purposes.
- Obligations to PII principals
  - Control objective: To ensure that PII principals are provided with appropriate information about the processing of their PII, and to meet any other applicable obligations to PII principals related to the processing of their PII.
- Privacy by design and privacy by default
  - Control objective: To ensure that processes and systems are designed such that the collection and processing of PII (including use, disclosure, retention, transmission, and disposal) are limited to what is necessary for the identified purpose.
- PII sharing, transfer, and disclosure
  - Control objective: To determine whether, and document when, PII is shared, transferred to other jurisdictions or third parties, and/or disclosed, in accordance with applicable obligations.
BENEFITS OF ADOPTING ISO/IEC 27701
ISO/IEC 27701 is the first certifiable privacy standard worldwide, applicable to public and private companies, government entities, and not-for-profit organisations. It also supports compliance with the EU’s GDPR and with the applicable personal data governance laws in all other geographies.
By adopting a global best-practice privacy framework, organisations can achieve the following:
- Demonstrate commitment to comply with relevant data protection and privacy laws.
- Clarify the organisation’s roles and responsibilities in processing PII.
- Gain customer trust that PII is managed correctly and in compliance with data privacy law.
- Gain a competitive edge: ISO/IEC 27701 certification demonstrates strong information security governance and industry-standard data protection and data privacy practices.
- Minimise PII-related risk by implementing a risk management process that addresses emerging information security and privacy threats.
- Enhance business relationships with interested parties by ensuring that data transfers follow the same globally accepted information security and privacy standards.
TÜV SÜD's ISO/IEC 27701 certification services provide the best option for organisations aiming to obtain ISO/IEC 27701 certification. Our Awareness Training, Implementer Training, and Internal Auditor Training teach an organisation’s employees the needs and requirements of a PIMS, help with its implementation, and even train personnel in the process of conducting internal audits.