Last Updated on August 10, 2020
Organizations concerned about cybersecurity and data privacy can now pair ISO 27001, the “gold standard” for information security attestation, with the new ISO 27701 privacy extension to holistically manage these increasingly intertwined disciplines.
Building an ISO 27701-compliant Privacy Information Management System (PIMS) is arguably the best approach to managing privacy risk and proving compliance with proliferating privacy regulations like the EU’s GDPR and the California Consumer Privacy Act (CCPA).
But does achieving ISO 27701 certification “automatically” make your business GDPR or CCPA compliant? If not, how close does it get you? What about other emerging privacy laws?
To share in-depth direction on ISO 27701, we brought special guest Debbie Zaller to a recent episode of The Virtual CISO Podcast. As Principal and co-owner at Schellman & Company, a prominent IT audit and certification firm, Debbie is one of the most knowledgeable people out there on this hot topic. Host John Verry, Pivot Point’s CISO and Managing Partner, has equal expertise helping clients manage privacy risk.
According to Debbie, ISO 27701 isn’t intended to be a “one size fits all” answer to compliance with specific regulations. But, she says, “it does get you close. It includes some of the main privacy principles that you’ll see within CCPA and GDPR. But CCPA and GDPR actually have some more specific areas and some details that are not within ISO 27701.”
“But certainly that doesn’t mean that you should have different privacy programs,” Debbie adds. “If you develop your privacy program to meet ISO 27701, one of the things that we would do is make sure that you’re also meeting those specific jurisdiction requirements in [for example] GDPR, and also adding on where you need to.”
John points out: “[Like] ISO 27001, it’s an extensible framework. If you need to conform with HIPAA or … PCI-DSS, you just update the construct of your management system to account for that. Do I have to worry about GDPR? CCPA? The APEC [privacy framework]? … The idea is that you can cover every privacy standard with ISO 27701 with a little bit of jiggering.”
As you’d expect, privacy guidance universally includes fundamental concepts like consent and data subject requests (DSRs), as well as core processes like data mapping and privacy impact assessment.
Debbie explains how ISO 27701 incorporates these: “The basics of the controller and the processor specific areas of ISO 27701 cover things like collection of information use, notice, purpose and means, right? Making sure you have a legal basis for collecting that information. It also talks about sharing of information [with] third-parties. Also transparency is required in most privacy laws.”
“There are a few different specific areas in ISO 27701 that highlight certain requirements in those areas,” Debbie adds. “But again, the wording is very flexible to relate back to your jurisdiction. So you may have GDPR and CCPA that you are required to comply with. And the ISO standards … essentially say, ‘OK, make sure you have a legal basis for collecting the information and there may be specifics within the jurisdiction that outline what’s required.’”
For the many businesses that need to deal with both GDPR and CCPA, are there any “gotchas” where the two regulations differ significantly?
Debbie notes that the answer to that question could vary for a data processor versus a data collector. She also mentions several areas, like breach notifications and servicing DSRs, where GDPR specifies timelines but ISO 27701 does not. “ISO is a little bit more flexible,” Debbie summarizes.
The two experts also discuss “the weirdness” (as John puts it) in CCPA and some other privacy guidance, such as: “How do you authenticate that the individual requesting to be forgotten is the person? And then there’s the proverbial Catch-22 of how do I keep a record that I’ve serviced a request without keeping personal information?”
“It’s going to be fun—or not fun, depending on how you look at it—in the next couple of years as this all gets adjudicated out and clarified … through courts of law,” John quips.
If your business needs to comply with privacy regulations, you won’t want to miss John and Debbie’s high-value conversation.