Privacy frameworks are a maturing area, much like Security Frameworks have been in the past decades. Publications such as the ISO/IEC 27001 series of information security standards together provide a framework for risk management through information security best practices and related controls. As new standards and frameworks are emerging with a privacy and personal information management focus, organisations are increasingly assessing their applicability to their needs as a demonstrable indicator of privacy compliance.
The need for Privacy Frameworks
Privacy (and the protection of personal data) is enshrined in the EU Charter of Fundamental Rights. Privacy principles, including principles for the processing of personal data, can be found both in frameworks and legislation – from the OECD Privacy Principles to the Fair Information Practice Principles (FIPPS) and most recently, the data protection principles defined in the GDPR. (Data protection – also known as information privacy and data privacy – and information security are related components that work together to achieve the privacy of individuals).
These have acted as a guiding light for the values that should be applied to the processing of the personal data of individuals. The path has not always been so well-lit however for organisations looking to apply an internationally accepted privacy framework to their operations seeking to give both the individuals whose personal data is being processed and the regulators responsible for enforcement, assurance that the organisation is benchmarking their obligations in a measurable way.
Article 42 of the GDPR mandates that Supervisory Authorities, the European Data Protection Board (EDPB) and the European Commission encourage the adoption of certification mechanisms for the purpose of helping to demonstrate data protection compliance. Trilateral Research has studied privacy certification schemes in the past and as yet, there is no approved certification scheme or accredited certification body tasked with GDPR certification that has been approved by the EDPB, although the EDPB has issued guidelines on identifying certification criteria. Any accredited certification scheme focused on privacy is likely to take the approach of analysing an individual processing operation, product or service, as it is in this way that more granular assurance can be achieved.
ISO/IEC 27701 – An International Privacy Standard
Recently with the publication of ISO/IEC 27701, the well-recognised ISO/IEC 27001 information security standard has been extended with the requirements necessary for establishing, implementing and maintaining a privacy-specific information security management system. The availability of this international standard focused on privacy and data protection concerns will provide direction to organisations that are looking to strengthen their compliance.
For organisations that have already implemented and maintain ISO/IEC 27001, this new extension of the security standard will enable them to augment their existing security efforts to cover privacy management, including the processing of personal data. This will help demonstrate compliance and accountability with data protection laws such as the GDPR and relevant national legislation. Microsoft Azure and Office 365 have indicated that they will implement this new Personal Information Management (PIMS) standard and it is likely to be incorporated into considerations for future certification schemes.
ISO/IEC 27001 is not regulation-specific however, although its annexes illustrate how its elements map to regulations like the GDPR. Like ISO/IEC 27001 and the GDPR itself, it advocates a risk-based approach so that each organisation adopting the standard addresses the specific risks it faces, as well as the risks to personal data and privacy. This permits its wider application, allowing organisations to comply with several regimes, but means it may require additional controls to take account of regional and local obligations. Trilateral offers compliance support services, working with your organisation to understand these obligations and establish best practices, policies, and tools for ongoing compliance with the latest data protection standards.
Other Standards and Frameworks
BS 10012 is a standard that provides a best practice framework for a personal information management system (PIMS) that is specifically aligned to the principles of the GDPR and the UK Data Protection Act 2018. One of the key distinctions between ISO/IEC 27701 and BS 10012 is that ISO/IEC 27701 is structured so that the PIMS can be considered an extension to Information Security Management System (ISMS) requirements and controls. In the case where an organisation may not have a goal of aligning or certifying to the ISO/IEC 27001 ISMS standard, BS 10012 may be more appropriate, taking into consideration the regulatory regime in which they operate.
The National Institute of Standards and Technology (NIST), a US-based governmental organisation, is also in the final stages of developing its Privacy Framework, which is, in a similar approach to ISO/IEC 27701, an extension of its Cybersecurity Framework.
There has been some debate in the consultation process as to whether to separate out security-specific controls from privacy controls in the NIST Privacy Framework, which is essentially how ISO/IEC 27701 is delivered – as a companion to the security-focused standard of ISO 27001. In practice, the intersection of security and privacy compliance requirements will mean that for organisations where one framework makes more sense for their regulatory regime and business context, it is the accompanying privacy or security standard that they will gravitate towards to assess if it meets their needs.
Benefits of Applying a Privacy Framework to your Organisation
There are numerous benefits to applying a privacy framework to your organisation’s personal data processing. Among them:
- facilitate compliance workloads;
- increase trust between organisations and customers by demonstrating compliance with data privacy laws;
- generate evidence that Data Protection Officers can provide to senior management, board members, and Authorities, to demonstrate their progress and accountability; and
- increase the opportunities for business and commerce through the EU Digital Single Market and cross-border data flows;
In the absence of an approved certification scheme by the EDPB, an assessment of appropriate certifications and underlying standards and frameworks will need to be made based on the organisation’s context and its obligations under regional and local data protection laws as well as the emerging expectation of the marketplace where commercial organisations operate.
Trilateral Research’s data protection advisors can help you with your data protection compliance needs, taking into account available standards and best practices as well as your business context. For more information please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.