BSI has just published a brand new standard adding personal information management to the well-established information security standard, BS EN ISO/IEC 27001. This blog post introduces the new standard and explains the thinking behind it.
The world is digitizing. That’s clear to see. Where commercial platforms have led, government is catching up with programmes like the NHS’s Summary Care Records. One result is that more personal information is being processed than ever before. So in response there’s a growing body of regulation on how personal information is handled by organizations. The EU has introduced the General Data Protection Regulation and many countries, including Korea, Australia and China, have introduced similar personal data protection legislation.
It all means there’s a greater need than ever for organizations to take control of personal data management and for guidance as to how personal data should be handled. This led the IEC and ISO to develop BS ISO/IEC 27701:2019 Security techniques -- Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management -- Requirements and guidelines.
What does the new standard do?
ISO and IEC felt it made sense to provide privacy and data protection guidance that builds on the already-established and strong foundations of BS EN ISO/IEC 27001. In fact, that standard was written to permit the addition of sector-specific requirements.
The new standard builds on what’s already there by providing additional guidance and requirements for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS). The additional requirements are written to be practical and usable by organizations of all sizes and types.
The new standard outlines a framework which personally identifiable information (PII) controllers and PII processors can use to manage privacy controls, so that the risks to individuals' privacy rights are reduced.
Under BS ISO/IEC 27701, PII controllers collect personal information and determine the purposes for which it's processed. PII processors process personal information on behalf of, and only according to the instructions of, the PII controller. Note that more than one organization can act as PII controller; such organizations are often known as co-controllers. This means that data sharing agreements may become necessary, but at the same time it can create business opportunities by increasing trust between organizations.
Why use BS ISO/IEC 27701?
Organizations which comply with the requirements of the new standard will generate documented evidence of how they handle the processing of personal information. This is very important because, as noted above, it can promote relationships with other stakeholders and facilitate agreements with business partners. The standard also creates clear roles and responsibilities, which help build transparency and trust between stakeholders.
That said, the bottom line is probably that organizations have little choice but to get to grips with growing regulatory demands. Also, where organizations fail to protect people’s personal information, that breach of trust is likely to have significant, long-term, negative reputational impacts. As such, the introduction of BS ISO/IEC 27701 seems very timely and necessary.
And as well as these benefits, by building on an existing framework, the new standard provides a robust but at the same time relatively straightforward way of developing an internationally recognized approach to managing personal data. It’s one which many organizations are now likely to embrace.