Adopted in 2016 and applicable since 25 May 2018, the General Data Protection Regulation (GDPR) opened a new era in data protection regulation in the European Union, and in the years since, several other jurisdictions have enacted data protection laws modeled on it. In a rapidly developing digital society it is increasingly difficult for individuals to keep control over their personal data, so the regulation places the burden of accountability on those who process it. Organizations therefore need procedures that demonstrably satisfy a growing set of demanding requirements.
An information security management system built on ISO/IEC 27001 is a suitable starting point for meeting the requirements of the GDPR, and a newer standard exists to make the two work together in a coordinated way. This standard formulates requirements aimed at protecting personal data and may also serve as a basis for a certification mechanism of the kind envisaged by Article 42 of the GDPR, although it is not itself an approved GDPR certification.
Because management system standards share a harmonized structure, operating several of them in one organization is not particularly difficult; with this standard, the internal procedures needed for GDPR compliance can be integrated into an already established and well-functioning Information Security Management System (ISMS) rather than run alongside it.
PIMS – Privacy Information Management System
This standard is ISO/IEC 27701:2019, which specifies the requirements and guidance for establishing and maintaining a privacy information management system (PIMS) as an extension of an ISO/IEC 27001 ISMS, for the protection of personal data.
A PIMS can be applied by PII controllers and PII processors regardless of the organization's activity, legal form, or size. The standard specifies requirements and gives guidance for the establishment, implementation, maintenance, and continual improvement of the privacy management system.
It helps organizations manage the risks related to personal data using a risk-based approach. A further advantage is that it harmonizes privacy concepts and definitions in addition to aligning the requirements with those of the ISMS.
Personally identifiable information (PII)
PII, or Personally Identifiable Information, is any information that can be used to identify a natural person, or that is or could be linked to one. Such information may identify an individual either on its own or in combination with other data. The PIMS therefore sets requirements for the processing of this information.
Main requirements
ISO/IEC 27701 extends the ISO/IEC 27001 requirements and adds PII-specific controls in its Annex A (for PII controllers) and Annex B (for PII processors); the applicable controls must also be recorded in the Statement of Applicability. The main requirements common to controllers and processors are:
- Security: Implement physical, logical and administrative procedures and controls to protect PII.
- Confidentiality and integrity: Obligation of confidentiality for those authorized to access personal data and ensuring the integrity of the data.
- Risk management: Identification of risks associated with processing and handling of PII, and conducting impact assessments for new processes.
- Roles and responsibilities: Determining responsible individuals for the development, execution, monitoring, and maintenance of the PIMS program.
- Training: Increasing the data protection awareness of personnel involved in handling PII.
- Incident management: Introduction of processes and development of procedures for detecting, handling, and documenting potential incidents.
- Record keeping: Documentation and continuous maintenance of data processing activities, including data transmission and disclosure.
- Data transmission: Ensuring appropriate procedures and guarantees during the transmission of PII.
Data controller specific requirements:
- Information: Development and availability of detailed data protection guidelines and information for individuals on the collection, use, and processing of PII.
- Ensuring rights: Implementation of procedures that enable individuals affected by data processing to exercise their rights over their own data (e.g. deletion, access).
- Contractual requirements: Written contracts with PII processors, which, among other things, stipulate the protection of personal data, specific purposes for processing, and incident notification.
- Data minimization and purpose limitation: Data processing may only be carried out on relevant, proportionate, and necessary PII to achieve the intended purpose.
Data processor-specific requirements:
- Restriction of Processing: Processing of PII can only be carried out in accordance with the documented instructions of the data controller.
- Involvement of subcontractors: The processor engages further processors (sub-processors) only with the controller's written authorization and in accordance with the contract, and maintains proper oversight of them.
- Unlawful instructions: If an instruction from the controller would infringe applicable laws or regulations, the processor must inform the controller before acting on it.
- Support: The processor assists the controller in ensuring and managing the rights of the individuals whose PII is processed.
Who can the standard be applied to?
In practice, it can be applied by any organization that holds an Information Security Management System certificate or operates an equivalent management system and processes personal data. There are no restrictions based on the organization's size, legal form, or type of activity, as the requirements are flexible enough to be adapted to any organization: a government agency, a private company, or a nonprofit can all implement the standard.
What are the benefits of implementation?
- Objective demonstration of the organization’s commitment to secure handling of personal data, which builds trust with customers and employees alike.
- An advantage when competing in tenders and standing out from competitors.
- Provides evidence and transparency during third-party audits or contractual negotiations.
- Supports compliance with GDPR and other applicable data protection regulations.
- Clarifies roles and responsibilities within the organization.
Main steps of implementation / certification
- Assessing and determining the scope and applicability of the PIMS (Statement of Applicability).
- Identifying key stakeholders involved in applying the requirements.
- Introducing an appropriate risk assessment and management process and aligning it with existing processes.
- Developing and implementing a training and awareness-raising program.
- Developing PIMS-specific procedures, processes, and rules or extending existing ISMS documents, such as incident management.
- Ensuring the lawful handling of personal data.
- Conducting Privacy Impact Assessments (PIAs).
- Developing procedures for the secure handling, transmission, storage, and destruction of PII.
- Designing, operating, and maintaining the system over time (planning, verification, corrective actions).
Implementing the standard does not by itself amount to full GDPR compliance, but it contributes greatly to achieving it and supports the continuous, sustainable operation of the compliance framework. In line with the principle of accountability, the framework also produces the evidence and safeguards needed to demonstrate compliance. Personal data, or PII, is present in every organization, including in development processes, so the security of that data should be everyone's responsibility.
If you need assistance in developing data privacy compliance or verifying your service/product, we are here to help your business. Please feel free to contact us through one of our available communication channels.