ISO 27701 is the privacy extension to the globally recognised information security management system standard, ISO/IEC 27001. It provides guidance on privacy information management and enables organisations to demonstrate how they are meeting General Data Protection Regulations (GDPR). The standard provides a framework for the processing of personally identifiable information (PII) and helps PII controllers and processors respond to clients’ privacy requirements.
Rob Acker, Technical Manager at LRQA explained, “While ISO/IEC 27701 is an extension of ISO/IEC 27001, it is important to view it as enhanced risk management rather than just additional controls. Although ISO/IEC 27001 is a good starting point, extending an information security management system to incorporate privacy strengthens the scope.”
According to the EY Global Consumer Privacy Survey 2020, 63 per cent of consumers consider an organisation's data collection and storage practices to be the most important factor when they share sensitive information with the organisation.
Acker continued: “PII processing is undertaken in some way within all organisations but the data volume and type is increasing and evolving with the digital economy. As such, mitigating risks associated with information processing is critical. It is especially important given that a data breach can be far reaching and extremely damaging for an organisation’s brand.”
Working with experienced auditors, organisations will be challenged on how PII is being handled and whether adequate processes are in place.
“Trust is critical when interacting with customers, so providing them with a reason to trust an organisation with their personal information is key,” Acker outlined. “It is critical that PII controllers and processors understand their roles and responsibilities to ensure everyone knows who is accountable. As we move to more of a service economy, partnerships throughout the supply chain will become fundamental to this, which means cooperation between organisations is necessary.”