GDPR AND ISO 27701
The General Data Protection Regulation (GDPR) is Europe’s data privacy and security law. It imposes obligations on organizations anywhere in the world, so long as they target or collect data related to persons in the European Union (EU).
“The right to Privacy”
Legal definition: The right of a person to be free from intrusion into or publicity concerning matters of a personal nature.
Due to the growth of the internet and the need for privacy in the late 90s, Europe’s data protection authority declared that the EU needed “a comprehensive approach on personal data protection”.
Do you understand why it is important? Let’s look at a few of the Data Protection Principles.
Lawfulness, fairness, and transparency
We’ve all at one point had the awkward feeling that a site is invading our privacy by asking for too much personal information, right? To make it worse, there is no transparency and no clear justification as to why the data is needed or how it will give you a better experience of the service. Huh!
“Processing must be lawful, fair, and transparent to the data subject (Yourself).”
How sure are you that the data you provided will be used solely as justified by the Data Controller or Processor?
I am certain you’ve received messages asking you to participate in a competition such as LUCKBOX which you didn’t subscribe to.
Do you know that an organization should only collect the data it actually needs from you?
Would your favorite online shopping platform, or even your social media platform, take responsibility for your leaked information?
“Accountability breeds response-ability.”
― Stephen R. Covey
Think about it this way, you have the power over your data😊
ISO 27701 is an international standard that specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS).
An organization wishing to implement and operate a Privacy Information Management System must already have an Information Security Management System in place, because a PIMS extends an ISMS.
ISO 27001 is the international standard that provides guidance for implementing, maintaining, and continually improving an Information Security Management System (ISMS).
ISO 27701:2019 (PIMS) contains Annex D, which gives an indicative mapping between the PIMS requirements and GDPR Articles 5 to 49, excluding Article 43, which concerns certification bodies.
However, the mapping is purely indicative: organizations remain responsible for assessing their own legal obligations and deciding how to comply with them.