
ISO 27701 and Conformance with Privacy Information Management (Part 3)

We’ve previously discussed ISO 27701 and how it refines two essential security standards and control libraries (ISO 27001 and ISO 27002). The entire purpose of ISO 27701, however, is to align IT systems with the privacy requirements found under GDPR.

Here, we’ll discuss the third section of this document that defines additional guidelines for organizations acting as data controllers in the EU.


GDPR, Controllers, and Processors

GDPR laws in the EU divide the organizations under their jurisdiction into controllers and processors.

Controllers

A “controller” is an organization or individual that makes decisions about the processing of PII. Because the controller is the party, or one of the parties, responsible for these decisions, the GDPR provisions governing controllers emphasize a few distinct priorities, primarily the controller’s obligations to its processors and to the consumers from whom PII is collected.

Processors

A “processor” is an organization or individual that processes PII on behalf of a controller. A processor does not operate outside of a relationship with a controller, even though it still has specific responsibilities and obligations to consumers.

Because of how these categories are defined under GDPR, there cannot be a processing organization that is not working for a controller or also functioning as one. A processor and a controller can be one and the same organization, but any organization that makes decisions regarding the processing of PII is, by default, also a controller.


ISO 27701 and Additional Guidelines for GDPR Controllers

The third section of ISO 27701 focuses on an organization’s responsibilities when it functions as a controller in the EU. These responsibilities apply above and beyond the specific modifications to ISO 27001 and ISO 27002 controls, and they typically cover GDPR-specific requirements for data collection, reporting, and the acquisition of consent.

Conditions for Collection and Processing

Controllers might not themselves act as processors, but they have several obligations when making business decisions about working with processors. This includes defining which types of collection and processing they may outsource to these partner organizations.


Obligations to PII Principals

Controllers have a responsibility to inform PII principals about their rights regarding the processing of their information.


Privacy by Design and Default

Not all IT systems are designed with security in mind, and there is a stark difference between systems modified for compliance after the fact and systems built for it from the start. The ISO 27701 requirements for processing PII favor systems and processes that apply privacy principles by design and by default.

Transferring, Sharing, and Disclosing PII

Any sharing or transfer of PII must be recorded for audit purposes. Additionally, documentation must identify the outside countries or international organizations to which data may be transferred during processing.

Stay Ahead of Evolving ISO Requirements with Lazarus Alliance

The ISO 27701 standard is intended to help organizations that already operate an ISMS program adjust and refine it for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s crucial to understand how those changes result in a distinct PIMS infrastructure.

Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.
