We’ve previously discussed ISO 27701 and how it refines two essential security standards and control libraries (ISO 27001 and ISO 27002). But the entire purpose of ISO 27701 is to align IT systems with the privacy requirements found under GDPR.
Here, we’ll discuss the third section of this document that defines additional guidelines for organizations acting as data controllers in the EU.
GDPR, Controllers, and Processors
GDPR laws in the EU distinguish organizations under their jurisdiction into controllers and processors.
A “controller” is an organization or individual that makes decisions about processing PII. Because the controller is the party, or one of the parties, responsible for these decisions, the GDPR provisions governing controllers emphasize a few priorities that primarily concern the controller’s obligations to processors and to the consumers from whom PII is collected.
A processor is an organization or individual that processes PII on behalf of a controller. A processor does not operate outside a relationship with a controller, even though it still has specific responsibilities and obligations to consumers.
Because of the specific way these categories are defined under GDPR, there cannot be a processing organization that is not working for, or also functioning as, a controller. A processor and controller can be one and the same organization, but any organization that makes decisions regarding the processing of PII is, by default, also a controller.
ISO 27701 and Additional Guidelines for GDPR Controllers
The third section of ISO 27701 focuses on the organization’s responsibilities when functioning as a controller in the EU. These responsibilities go above and beyond the specific modifications to ISO 27001 or ISO 27002 controls and typically cover GDPR-specific data collection, reporting, and consent acquisition requirements.
Conditions for Collection and Processing
A controller might not act as a processor itself, but it has several obligations when making business decisions around working with processors. These include defining the types of collection and processing it may outsource to these partner organizations.
- Implementation: Controllers must have well-documented information about the reasoning and purposes of any data collection or processing. This requirement is necessary for any other requirements to be meaningfully enforced.
- Lawful Basis: Controllers must be able to demonstrate the lawfulness of their data collection efforts, including how they will gain consent, how these efforts meet legal and compliance obligations, that these efforts meet specific business requirements, and that they protect the interests and privacy of the PII principal (the individual from whom the data is collected).
- Consent: Processes for gaining and recording consent must be documented and verifiable to adhere to all privacy requirements in GDPR (it must be freely given, specific to the business task, and explicit). These consent mechanisms must meet local as well as EU regulations. Consent must only be obtained via these documented processes.
- Privacy Impact Assessment: The controlling organization must perform a privacy impact assessment whenever changing or implementing new processing standards.
- Contracts with Processors: When a controller enters into an agreement with a processor, the contract must define the specific scope of processing, any relevant controls, and any impact on the contract that may stem from risk assessments.
- Records: The controller must maintain all relevant records related to the type and purposes of the processing, categories of PII principals, descriptions of security measures, and a Privacy Impact Report.
Obligations to PII Principals
Controllers have a responsibility to inform PII principals about their rights regarding the processing of their information.
- Determining Obligations: Controllers must document any information they may gather from PII principals and, following that, any information they must provide to those principals detailing the processing to take place and their rights in relation to their data.
- Providing Information to Principals: PII principals must receive, or have clear access to, information identifying the controller (with contact information) and the types of processing taking place.
- Withdrawal of Consent or Objection: Controllers must provide principals with readily accessible mechanisms to modify or withdraw their consent. These requests must be documented in the same manner as the consent was recorded.
- Informing Third Parties: Where controllers have shared data with other organizations (such as processors), they must inform those partners of any changes to the information provided or when consent is withdrawn.
- Providing Copies of Information: Controllers must provide records of any of their PII currently being processed when asked by PII principals. Procedures for handling these requests should be documented within the organization.
- Automation: All of these obligations must be adjusted accordingly for automated PII processes.
Privacy by Design and Default
Not all IT systems are designed with security in mind, and there is a stark difference between those modified for compliance and those built for it. ISO 27701 requirements for processing PII prioritize systems and processes made under privacy principles by design and default.
- Limit Collection: The controller must have limits in place for data collection such that it only aligns with identified business processes. There should be no optional data collection options made available to the principal that are enabled by default; rather, these must be disabled and specifically enabled by the principal (privacy by default).
- Limit Processing: The controller must have limits in place for data processing such that it only aligns with identified business processes.
- Accuracy: Policies should be in place to ensure that principal PII is accurate, complete, and up-to-date.
- Minimization: System configurations, policies, and procedures must contain mechanisms that minimize data collection and processing only to that which is necessary for clearly-defined business purposes.
- Deletion and Temporary Files: Once the stated business purposes are completed, or the PII is no longer necessary, the controller must delete the PII or render it into a form that prevents the identification of principals. Temporary files created during the processing of PII must also be destroyed.
- Retention: Controllers may not retain PII beyond its use within the defined purposes provided by the PII principal.
- Disposal: Controllers must have policies in place to dispose of media that has stored PII, including shredding, burning, or hard drive destruction.
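As an added illustration that is not part of the original post or of ISO 27701 itself, the following Python sketch models the consent-recording obligations from the “Obligations to PII Principals” section together with the privacy-by-default, minimization and retention items listed above: optional categories stay off until the principal opts in, a withdrawal is recorded in the same form as the grant it overrides, unknown fields with no documented purpose are never stored, and fields are deleted once their retention period passes or consent is withdrawn. The catalogue, the field names and the integer day counters are constructed assumptions.

```python
# Constructed catalogue: every data category is bound to one documented purpose.
# Only required categories are stored without an explicit opt-in (privacy by default).
CATALOGUE = {
    "email": {"purpose": "order_fulfilment", "required": True, "retention_days": 365},
    "newsletter": {"purpose": "marketing", "required": False, "retention_days": 730},
    "phone": {"purpose": "delivery_updates", "required": False, "retention_days": 90},
}

class Ledger:
    def __init__(self):
        # Consent events are (principal_id, category, given, day); a withdrawal
        # is recorded in exactly the same shape as the grant it overrides.
        self.events = []
        self.records = {}  # principal_id -> {category: (value, collected_day)}

    def record_consent(self, principal_id, category, given, day):
        if category not in CATALOGUE:
            raise ValueError(f"no documented purpose for {category!r}")
        self.events.append((principal_id, category, given, day))

    def has_consent(self, principal_id, category):
        # Latest event wins, so a recorded withdrawal overrides an earlier grant.
        hits = [e for e in self.events if e[0] == principal_id and e[1] == category]
        return hits[-1][2] if hits else False

    def collect(self, principal_id, submitted, day):
        """Store only required fields or fields the principal explicitly opted into."""
        kept = {}
        for category, value in submitted.items():
            spec = CATALOGUE.get(category)
            if spec is None:
                continue  # minimisation: no stated purpose, so it is never stored
            if spec["required"] or self.has_consent(principal_id, category):
                kept[category] = (value, day)
        self.records.setdefault(principal_id, {}).update(kept)
        return sorted(kept)

    def purge(self, today):
        """Delete fields past their retention period or whose consent was withdrawn."""
        removed = []
        for pid, fields in self.records.items():
            for category, (_, collected_day) in list(fields.items()):
                spec = CATALOGUE[category]
                expired = today - collected_day > spec["retention_days"]
                withdrawn = not spec["required"] and not self.has_consent(pid, category)
                if expired or withdrawn:
                    del fields[category]
                    removed.append((pid, category))
        return sorted(removed)
```

Running `purge` on a schedule gives the controller an auditable list of what was deleted and why, which is the kind of record the standard expects to be retained even after the PII itself is gone.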
Transferring, Sharing, and Disclosing PII
Any sharing or transfer of PII must be recorded for audit purposes. Additionally, documentation must identify outside countries or international organizations where data may be transferred during processing.
Stay Ahead of Evolving ISO Requirements with Lazarus Alliance
The ISO 27701 standard is intended to help organizations already implementing their ISMS program adjust and refine for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s crucial to understand how those changes result in a unique PIMS infrastructure.
Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.