The field of data privacy is complex and constantly changing. Every year there are new and updated privacy regulations that are sector-specific, country-specific, and, increasingly in the United States, state-specific. Sifting through guidance from data protection authorities, law firms, the IAPP, etc., on how to interpret these regulations and what your organization should do to ensure compliance, can be a daunting task. Managing a data privacy program can be overwhelming. It is not for the faint of heart. To implement a meaningful data privacy program, a foundational structure should be in place that, regardless of new and updated privacy regulations, enables an organization, with minimal effort, to update its data protection processes.
ISO/IEC 27701:2019 is an extension to the well-regarded ISO/IEC 27001:2013 Information Security Management System (ISMS) standard and specifies how organizations that process personally identifiable information (PII) can design, implement, maintain, and continuously improve a Privacy Information Security Management System (PIMS). The PIMS described in ISO/IEC 27701 is a foundational structure upon which an organization can build a privacy program that is specific to the context in which it operates. The focus of this article is how an organization can use ISO/IEC 27701 to design a privacy program, and includes five initial steps to kick-start that process.
The first step is to have a person or team responsible for the privacy program. As with any organizational program, a meaningful privacy program requires ownership and accountability. This person or team needs to understand basic data privacy best practices and be empowered with the authority to implement these practices within the organization. Guidance from ISO/IEC 27701 comes from Clause 6.3.1.1, which contains privacy-specific guidance for roles and responsibilities.
This person or team, according to Clause 6.3.1.1, should be responsible for designing, implementing, maintaining, and monitoring the privacy program to ensure the organization is compliant with applicable privacy regulations.
Clause 6.3.1.1 also provides the following qualities that should be considered when creating this position or team:
- Be independent and report directly to the appropriate management level of the organization in order to ensure effective management of privacy risks
- Be involved in the management of all issues which relate to the processing of PII
- Be an expert in data protection legislation, regulation, and practice
- Act as a contact point for supervisory authorities
- Inform top-level management and employees of the organization of their obligations with respect to the processing of PII
- Provide advice in respect of privacy impact assessments conducted by the organization
Additional requirements may be necessary, depending on applicable data privacy regulations. For the remainder of this article, I refer to the privacy team implementing the initial second to the fifth step.
Having tasked a team with responsibility for the data privacy program, the second initial step is to determine the data privacy context in which the organization operates. Organizational context provides clarity and focuses on an organization’s PII processing role(s) and the data privacy regulatory requirements applicable to the organization.
The privacy team should create a list of the PII processing activities conducted by the organization. For each processing activity, the privacy team should list the countries in which the data subjects (ISO refers to data subjects as PII principals) whose PII is used in that processing activity are located. With this list of processing activities, the privacy team can use ISO/IEC 27701 Clause 5.2.1 as guidance for understanding organizational context.
First, the privacy team should determine the organization’s role in each PII processing activity. This article will focus on two PII processing roles – PII controller and PII processor. A PII controller determines the purpose and means for processing PII and receives PII from the data subject. A PII processor processes PII on behalf of a PII controller, and according to the PII controller’s instructions, as such, the PII processor receives PII from the PII controller.
Next, the privacy team should determine the data privacy regulations applicable to the organization. Using the list of countries associated with the PII processing activity, the privacy team can determine the privacy regulations for those countries.
For each applicable privacy regulation, the privacy team should determine the name of their role within that regulation and the requirements for each role.
For example, if your role for a processing activity is PII controller, the name of that role is “Controller” in the EU’s General Data Protection Regulation (GDPR) and “Business” in the California Privacy Rights Act (CPRA). If your role for a processing activity is PII processor, the name of that role is “Processor” in the GDPR and “Service Provider” in the CPRA. An organization’s PII processing role and the requirements for that role from applicable privacy regulations provide the context necessary to build a privacy program and a method to interpret privacy regulations that are specific to your organization.
The third initial step is to expand upon the list of PII processing activities (also referred to as a ROPA or record of processing activities) created during the previous initial step. Maintaining a record of processing activities is an important data privacy management practice because it provides a concise view of an organization’s processing activities. Also, it may be a regulatory requirement. For example, the GDPR requires organizations that employ 250 or more people to maintain PII processing records (see GDPR Article 30). ISO/IEC 27701 provides guidance for implementing an inventory of PII processing activities that can be used as a starting point upon which additional information can be added, depending on applicable privacy regulations. For PII controllers, Clause 7.2.8 states that the inventory can include the following:
- The type of processing
- The purpose of the processing
- A description of the categories of PII and PII principals (e.g., children)
- The categories of recipients to whom PII has been or will be disclosed, including recipients in third countries or international organizations
- A general description of the technical and organizational security measures
- A Privacy Impact Assessment report
- For PII processors, Clause 8.2.6 states that an inventory of PII processing activities can include the following:
- Categories of the processing carried out on behalf of each customer
- Transfers to third countries or international organizations
- A general description of the technical and organizational security measures
The inventory can be composed and maintained in a worksheet or by using data mappings and inventory tools, such as those offered by OneTrust and TrustArc. In addition to being a record, the inventory can also be used for privacy training, to create a data flow diagram, and as evidence for a privacy audit. A designated member of the privacy team should review the inventory at least annually and update the record whenever your organization institutes a new processing activity involving PII.
The fourth initial step is to conduct a privacy risk assessment. A privacy risk assessment helps your organization determine how it can be a good steward of the PII in its possession. An organization cannot adequately protect PII unless it understands the risks to that PII and how to address those risks. The privacy risk assessment requirements described in ISO/IEC 27701 Clause 5.4.1.2 are an extension of ISO/IEC 27001 Clause 6.1.2 risk assessment requirements. Due to the unique circumstances associated with processing PII, ISO/IEC 27701 refined ISO/IEC 27001 requirements for identifying risks (Clause 6.1.2 c) 1)) and analyzing risks (6.1.2 d) 1)).
ISO/IEC 27701 can be used as guidance for a three-step process to identify risks to PII.
- Apply your information security risk assessment process to the loss of confidentiality, integrity, and availability of the PII.
- Apply a privacy risk assessment process to identify risks related to your processing of PII.
- As you conduct the above assessments, ensure that there is appropriate management of the relationship between information security and PII protection.
Having identified the risks to PII, ISO/IEC 27701 points out a distinct aspect of a privacy risk assessment that differentiates it from an information security risk assessment. An information security risk assessment assesses potential consequences to an organization, should the identified risks materialize. A privacy risk assessment, according to ISO/IEC 27701, assesses potential consequences to both the organization and data subjects, should the identified risks to PII materialize.
After conducting the privacy risk assessment, controls need to be applied to address the risks to PII. ISO/IEC 27001 Annex A and ISO/IEC 27701 Clause 6, Annex A, and Annex B can be used as a catalog of control activities to address the risks to PII. ISO/IEC 27701 Annex A and Annex B controls are specific to an organization’s role as a PII controller (Annex A), and/or PII processor (Annex B). Implementation guidance for Annex A controls is described in ISO/IEC 27701 Clause 7, and guidance for implementing Annex B controls is described in ISO/IEC 27701 Clause 8.
For the ISO/IEC 27001 Annex A controls, which are specific to information security, ISO/IEC 27701 Clause 5.4.1.3 states to also consider these controls in the context of risks to PII processing, including risks to PII principals.
In Clause 6, ISO/IEC 27701 provides additional control implementation guidance for both PII controllers and PII processors for certain ISO/IEC 27001 Annex A controls.
The final initial step in designing your data privacy program is creating new and/or updating existing privacy policies. Privacy policies communicate to employees how your organization processes and protects PII. Guidance for the creation or updates of privacy policies can be found in ISO/IEC 27701 Clause 6.2.1.1, which states to consider the privacy regulations applicable to your organization during the creation and maintenance of privacy policies. These privacy regulations provide the specific requirements for the processes described in the policies. For example, GDPR Article 13 contains the requirements for the information to be provided in an external privacy policy (also referred to as a privacy notice). Also, GDPR Articles 15-21 contain the requirements to be included in a data subject access request policy.
ISO/IEC 27701 Clause 6.2.1.1 also states that the privacy policies should contain “a statement concerning support for and commitment to achieving compliance with applicable PII protection legislation and/or regulation and with the contractual terms agreed between the organization and its partners, its subcontractors, and its applicable third parties (customers, suppliers, etc.), which should clearly allocate responsibilities between them.” This can be accomplished by including a specific statement for the applicable regulatory and contractual requirements pertaining to a particular privacy policy. This privacy commitment statement is important not only because it communicates to employees your organization’s regulatory and contractual obligations, but also that using PII in a manner that is inconsistent with applicable regulatory and contractual requirements may result in negative legal consequences for the organization and harm to the data subjects whose PII has been entrusted to your organization.
Though the process of establishing a privacy management program can seem intimidating, using the initial steps described above provides the clarity of focus needed to implement a program that is specific to your organization. The world of data privacy will grow more and more complex through new and updated privacy regulations. Your organization, however, will have no need to panic because the framework for interpreting those regulations and applying their requirements will have already been laid.
