ISO 27701 and Conformance with Privacy Information Management (Part 4)

As previously discussed, ISO/IEC 27701 is a comprehensive international standard that provides specific privacy guidelines for organizations attempting to meet additional requirements for handling PII in line with jurisdictions such as the GDPR. The standard aligns ISO-compliant organizations with PII-focused requirements through the implementation of a Privacy Information Management System (PIMS).

So far, we’ve covered how ISO 27701 refines the ISO 27001 and ISO 27002 guidelines to emphasize the handling of PII, as well as the guidelines specific to data controllers. In this final blog post of our series, we will look closely at Section 8 of ISO 27701 and explore the specific guidelines for processors handling PII.

Specifying Processors Under GDPR

In our last post, we described data controllers as the entity that determines the purposes, conditions, and means of processing PII. 

A processor, on the other hand, is defined as an entity that processes personal data on behalf of the controller. The processor is the “agent” of the controller in that they handle the actual data processing for that organization. 

There’s a bit of overlap between the two, depending on the situation. A logical breakdown of how GDPR may govern these entities looks like this:

It’s important to note that controllers and processors are subject to the provisions of the GDPR and can be held liable for any non-compliance with the regulation. Controllers and processors must also enter into a written agreement specifying their responsibilities and obligations under the GDPR.

Additional Guidance for PII Processors

The fourth and final section of ISO 27701 addresses specific guidance pertaining to PII processors. These standards cover guidance beyond the application of ISO 27001 and ISO 27002, specifically the requirements that apply to PII processors.

There are some overlapping expectations between processors and controllers, but the following points address those pertaining to organizations that would be designated only as processors by governing regulations like GDPR.

Conditions for Collection and Processing

The majority of the conditions a processor must meet concern its obligations to its “customers”, that is, the controllers that engage the processing organization.

Obligations to PII Principals

A processor should be able to provide information on how a controller can meet its obligations to PII principals. This includes demonstrating the controls the processor has in place to meet the controller’s specific needs with respect to PII principals.

Privacy by Design and by Default

Privacy by design and by default is a general principle stating that any software or hardware system that handles PII must be designed to protect the privacy of that PII, and that its settings must make privacy the default configuration.

PII Sharing, Transfer, and Disclosure

Any transfer of PII outside the customer relationship, in particular to third parties, is subject to its own guidelines.

Stay Ahead of Evolving ISO Requirements with Lazarus Alliance

The ISO 27701 standard is intended to help organizations already implementing their ISMS program adjust and refine for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s crucial to understand how those changes result in a unique PIMS infrastructure.

Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.