It provides guidance and requirements on the protection of privacy, helping both personally identifiable
information (PII) processors and PII controllers to put robust data processes and controls in place.
This means you can demonstrate accountability for managing PII, instil trust and build strong business
relationships.
Contents
• Benefits
• ISO/IEC 27701 clause by clause
• BSI Training Academy
• BSI Business Improvement Software
What kind of organizations can benefit from ISO/IEC 27701?
ISO/IEC 27701 is ideal for all types and sizes of organizations who want to demonstrate that they take
protecting personal information seriously.
Whether you’re a public or private company, government entity or not-for-profit organization, if your
organization is responsible for processing PII within an information security management system then
ISO/IEC 27701 is for you.
• Supports compliance with privacy regulations
• Reduces complexity by integrating with ISO/IEC 27001
• Builds trust in managing PII
• Facilitates effective business relationships
• Clarifies roles and responsibilities
The key requirements of ISO/IEC 27701
Annexes
A number of Annexes are included in ISO/IEC 27701. Annexes A and B are for controllers and processors
respectively, whilst annexes C – F provide additional knowledge that can support with setting up and
operating an effective PIMS.
Annex A
A list of controls for PII controllers. Not all controls will be required, however a justification for excluding
any control is required in the statement of applicability.
Annex B
A list of controls for PII processors. Not all controls will be required, however a justification for excluding
any control is required in the statement of applicability.
Annex C
Mapping of controls for PII controllers to the ISO/IEC 29100 privacy principles. This shows an indication of
how compliance to requirements and controls of ISO/IEC 27701 relate to the privacy principles in
ISO/IEC 29100.
Annex D
Mapping of ISO/IEC 27701 clauses to GDPR articles 5 to 49 (except 43). This shows how compliance to
requirements and controls of ISO/IEC 27701 can be relevant to fulfil obligations of GDPR.
Annex E
Mapping of ISO/IEC 27701 clauses to:
• ISO/IEC 27018 requirements for PII processors in public clouds
• ISO/IEC 29151 for additional controls and guidance for PII controllers.
Annex F
Details how to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002. It clearly maps the extension of
information security terms to incorporate privacy and includes some examples for application.
Train with BSI
BSI is a world leader in helping clients develop the knowledge and skills they need to embed excellence
in their organizations. Whether your organization is going to certify or is simply looking to implement a
privacy information management system, our training courses will help you embed the knowledge and
maximize your ISO/IEC 27701 performance.
• Learn what a PIMS is and understand the ISO/IEC 27701 requirements
• As an existing ISO/IEC 27001 auditor, learn how to conduct audits against ISO/IEC 27701
Ensure you get the most from your ISO/IEC 27701 investment with our Business Improvement Software – a
solution that can help you effectively manage your privacy information management system. With
pre-configured ISO content, it gives you the tools and information necessary to manage essential elements of
your PIMS.
The start of your ISO/IEC 27701 journey is an ideal time to implement BSI Business
Improvement Software and benefit from:
• Ability to log, track and manage actions related to audits, incidents/events, risk and performance
• Insight into trends that help you make business decisions to drive improvement through its
customizable dashboards and reporting tools
Why BSI?
For over a century BSI has championed what good looks like and driven best practice
in organizations around the world. This includes the production of BS 7799, now
ISO/IEC 27001, the world’s most popular information security standard. And we haven’t
stopped there, addressing the new emerging issues such as cyber, cloud security and now
privacy with ISO/IEC 27701. That’s why we’re best placed to help you.
With the technical know-how and network of industry experts, academics and
professional bodies, we are committed to drive the privacy agenda for both organizations
and society.
About BSI
BSI is the business improvement company that enables organizations to turn standards of best
practice into habits of excellence. Working with over 86,000 clients across 193 countries, it is
a truly international business with skills and experience across a number of sectors including
automotive, aerospace, built environment, food, and healthcare. Through its expertise in
Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI
improves business performance to help clients grow sustainably, manage risk and ultimately be
more resilient.
BSI/UK/1651/SC/1119/EN/GRP
Copyright © 2019, The British Standards Institution. All rights reserved.
Introduction
Digitalization, globalization and personalization of services, from booking a doctor’s appointment to internet
banking, have led to greater collection and processing of personal information than ever before. And this
trend is growing as opportunities for new services arise, and new players enter the market.
There are now so many different platforms people use as part of their daily routine where personal
information is collected such as the growth in mobile applications, loyalty schemes, connected devices and
location-based advertising. This means we are regularly handing over our data without thinking it through,
creating more data flows than ever before. And whether it’s dating sites, telecoms providers or public service
organizations, there is barely a day that goes by when you look at the news and don’t see reference to a data
breach where personal records have been compromised. This has only increased the focus on issues
surrounding the misuse of personal information, meaning organizations cannot afford to be complacent.
Greater awareness of these issues has led to growing concern, among both individuals and governments,
around how personal data is collected, used and protected; in response, some governments have proposed or
enacted new regulations aimed at providing guidelines and requirements for treatment of personal data.
Within Europe, the introduction of the General Data Protection Regulation (GDPR) provides a harmonization
of data privacy laws that reflect the realities of the digital world we now live in.
Many other countries, such as Korea, Australia and China, are also creating data protection legislation. In
anticipation of the increased regulatory environment and a need for a common set of concepts to address the
protection of personal data, the International Organization for Standardization (ISO) and the International
Electrotechnical Commission (IEC) have taken the initiative to create standards to provide such guidance.
These standards have the benefit of providing frameworks for assisting organizations to demonstrate
personal data protection and privacy compliance with different laws in a changing regulatory landscape.
Certification may also be a useful tool for organizations to add credibility to their commitment to privacy
and related obligations.
bsigroup.com
Privacy matters
It’s intended that organizations will certify to ISO/IEC 27701 as an extension to ISO/IEC 27001 management system. In other words,
organizations planning to seek an ISO/IEC 27701 certification will also need an ISO/IEC 27001 certification. This demonstrates
commitment to both information security and privacy management.
To validate that the adequate operational controls from the standard are implemented consistently, to carry
out the compliance requirements of relevant privacy regulations, measures must be taken to:
1. map the relevant regulatory requirements against the standard’s controls
2. enumerate specific regulatory requirements that are not already fully captured by the standard’s controls
and the conditions under which the requirements become applicable
3. incorporate the above into the risk assessment process in the audit cycle
A good example to examine is the data breach management controls in ISO/IEC 27701 and the breach
notification requirements (article 33) in GDPR. By all measures, the standard’s security incident management
controls map squarely with the GDPR data breach requirements. But the standard does not contain a specific
72-hour notification as required by the law. In order for the practitioners to demonstrate that the
organization has implemented a management system that fulfils this particular GDPR requirement, they must
show the auditors that the organization either has a uniform process in place that would notify the data
subjects and the privacy regulators within 72 hours of breach confirmation, or has a process to determine if
the breach involves European citizens or if the breached data processing took place in Europe and, if so,
trigger the notification within the required timeframe.
The mapping of the standard against regulations and the enumeration of unique regulatory requirements and
applicable conditions are the necessary mechanisms by which controllers and processors can use
ISO/IEC 27701 to verify regulatory compliance against multiple privacy regulations.
Healthcare sector
As a sector that collects some of the most sensitive personal information, healthcare-specific data protection
laws are very prominent. For example, there is the French Public Health Code (Article L.1111-8) that requires
service providers who host certain types of health/medical data to be accredited for this activity. And the Health
Insurance Portability and Accountability Act in the United States sets the standard for sensitive patient data
protection and requires U.S. health plans, healthcare clearing houses and healthcare providers, or any organization
or individual who acts as a vendor or subcontractor with access to personal health information, to comply.
It is also important to highlight the European Digital Single Market. This is a policy, announced in 2015, that
covers digital marketing, e-commerce and telecommunications. It aims to open up opportunities for people
and businesses, breaking down existing barriers. It has three core pillars:
• Access to online products and services
• Conditions for digital networks and services to grow and thrive
• Growth of the European digital economy
It facilitates cross-border data processing and commerce. However, differences in data privacy laws across
member states of Europe were recognized as a barrier to the European Digital Single Market being a success.
Therefore, the introduction of GDPR to help harmonize data privacy across all of Europe is a positive step
change.
This sentiment is echoed by the European Union Agency for Network and Information Security (ENISA)
which recently published recommendations on certification for GDPR [ENISA: Recommendation on European
Data Protection Certification, Version 1.0, November 2017;
https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification].
ENISA state that certification, seals and marks have a significant role to play in enabling data controllers to
achieve and demonstrate compliance of their processing operations with GDPR provisions. ENISA
recommends that national certification bodies and supervisory authorities under the guidance and support of
the European Commission and European Data Protection Board should pursue a common approach on
inception and deployment of GDPR certification mechanisms. They also recommend that the approach is
scalable and uses approved and widely adopted criteria. Consistency and harmonization of certification
mechanisms across Europe are emphasized, and the trustworthiness and transparency are reinforced as
important traits of the certification process.
Figure 3 – Stakeholder landscape for certification based on ISO/IEC 27701 (source: Microsoft).
[Figure: stakeholder diagram. Labels recoverable from the figure: Processors, Controllers, Consultants;
“Implement PIMS”; “Help the DPA and National accreditation authorities carry out GDPR articles 42 and 43”.]
Common objectives
• Demonstrate the visibility of PIMS in scale across the market.
• Encourage to adopt pan-European GDPR certification.
• Demonstrate to the market that PIMS holds up as a comprehensive GDPR evidence set.
Conclusions
To conclude, managing personal information in compliance with the evolving regulatory
landscape is complex but cannot be ignored. The protection of an individual’s personal
information is one of their fundamental human rights. Laws exist around the world to
protect these rights in an environment where business and data related to personal lives
are becoming increasingly globalized. The European GDPR has been introduced to ensure
that collection and processing of PII are conducted lawfully, and it supports the cross-
border data flows required to enable the EU Digital Single Market.
Why BSI?
BSI/UK/1591/SC/0719/EN/GRP
BSI has been at the forefront of information security standards since 1995, having produced the world’s first standard,
BS 7799, now ISO/IEC 27001, the world’s most popular information security standard. And we haven’t stopped there,
addressing the new emerging issues such as privacy, cyber and cloud security. That’s why we’re best placed to help you.
Working with over 86,000 clients across 193 countries, BSI is a truly international business with skills and experience
across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise
in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business
performance to help clients grow sustainably, manage risk and ultimately be more resilient.
Protecting personally identifiable information (PII) has never been so important. Individual privacy rights allow people to decide
how their personal data is managed and increasingly organizations have a legal obligation to respond.
Where the quantity of sensitive information has multiplied and the use of technology makes it easier to transfer and more readily
available, organizations need to respond. And that’s where ISO/IEC 27701 can help.
It helps both PII processors and PII controllers to put robust data processes and controls in place, which means you can not only
demonstrate accountability for managing PII but instil trust and build strong business relationships.
Strategic governance
Organizations need the agility to respond to changing technologies and associated regulations. That’s where
top management engagement and alignment with your organization’s strategy is key.
ISO/IEC 27701 provides a governance framework for managing PII. It builds upon internationally recognized
information security governance, and both require top management engagement.
Privacy compliance
Privacy laws and regulations differ between country and state. They focus on an individual’s nationality, as
well as where they live, which can add a layer of complexity for organizations who operate in a global context.
ISO/IEC 27701 requires the context of PII processing to be understood and accounted for to ensure
organizations respond to all relevant jurisdictional differences.
PII between different organizations and countries needs clear agreements, as well as defined roles and
responsibilities. ISO/IEC 27701 requires processes to be agreed and provides guidance on the different roles
and responsibilities for processors and controllers to help facilitate relationships.
An integrated approach
ISO/IEC 27701 has been developed to minimize the complexity of multiple stand-alone systems. It extends
ISO/IEC 27001 for information security and uses the ISO high level structure (HLS) that brings a common
framework to all management systems.
By implementing a PIMS, you not only gain great effectiveness and efficiencies with your information security
management, but you can integrate with other popular systems such as ISO 22301 business continuity
management.
[Figure: certification journey. Steps shown: Privacy Information Management System development;
Application; Stage one assessment; Stage two certification audit; Audit report; Certification; Surveillance
audits; Privacy Information Management System continuous development.]
Our ISO/IEC 27701 journey builds upon ISO/IEC 27001 certification. If you’re certified to ISO/IEC 27001, talk to us about the option of
combined audit days.
BSI/UK/1637/SC/1019/EN/GRP
Privacy information management training courses
Get the skills to maximize ISO/IEC 27701 for your organization.
Our training courses will help you understand the ISO/IEC 27701 standard and the agreed terms and
definitions. You can build on this knowledge to learn how to implement or audit a PIMS so it delivers value
for your organization.
Our courses use a high-impact, accelerated learning approach, proven to enhance knowledge retention and
skill application.
Our courses include:
• ISO/IEC 27701 Requirements – one day introduction
• ISO/IEC 27701 Implementation – two day implementation techniques
• ISO/IEC 27701 Internal auditor – one day course for existing ISO/IEC 27001 auditors to learn
ISO/IEC 27701 auditing techniques
Mapping guide
Privacy Information Management - comparing ISO/IEC 27701 and BS 10012
ISO/IEC 27701 is the first international management system standard to help organizations manage personally identifiable
information and respond to jurisdictional differences in privacy regulations globally. However, BS 10012 Data
protection - Specification for a personal information management system is a British standard aligned to the
GDPR and UK Data Protection Act 2018 that’s used by organizations globally to put processes and controls in
place to manage personal information.
This guide shows how the different clauses in ISO/IEC 27701 map to the clauses in BS 10012. It’s designed
for guidance purposes only and aims to help you understand the degree of correspondence between the two
standards and the different ways they express privacy requirements.
ISO/IEC 27701 clause | BS 10012 clause
5.2.1 Understanding the organization and its context | 4.1 Understanding the organization and its context
5.2.2 Understanding the needs and expectations of interested parties | 4.2 Understanding the needs and expectations of interested parties
5.2.3 Determining the scope of the information security management system | 4.3 Determining the scope of the personal information management system
5.2.4 Information security management system | 4.4 Personal information management system
5.3.1 Leadership and commitment | 5.1 Leadership and commitment
5.3.3 Organizational roles, responsibilities and authorities | 5.3 Organizational roles, responsibilities and authorities
5.4.1 Actions to address risks and opportunities | 6.1 Actions to address risks and opportunities
5.4.2 Information security objectives and planning to achieve them | 5.4 Embedding the PIMS in the organization's culture; 6.2 PIMS objectives and planning to achieve them
5.5.1 Resources | 7.1 Resources
5.6.1 Operational planning and control | 8.1 Operational planning and control
5.6.2 Information security risk assessment | 8.2.3 Risk assessment and treatment
5.6.3 Information security risk treatment | 8.2.3 Risk assessment and treatment
5.8.1 Nonconformity and corrective action | 10.1 Nonconformity and corrective action
6.15.1 Compliance with legal and contractual requirements | 8.2.6 Fair, lawful and transparent processing
6.15.2 Information security reviews | 8.2.6 Fair, lawful and transparent processing
7.2.1 Identify and document purpose | 8.2.2 Identifying and recording uses of personal information; 8.2.7 Processing for specific legitimate purposes
7.2.2 Identify lawful basis | 8.2.6 Fair, lawful and transparent processing
7.2.3 Determine when and how consent is to be obtained | 8.2.6 Fair, lawful and transparent processing
7.2.4 Obtain and record consent | 8.2.6 Fair, lawful and transparent processing
7.2.8 Records related to processing PII | 8.2.2 Identifying and recording uses of personal information
7.3.1 Determining and fulfilling obligations to PII principals | 8.2.6 Fair, lawful and transparent processing; 8.2.12 Rights of natural persons
7.3.2 Determining information for PII principals | 8.2.6 Fair, lawful and transparent processing
7.3.3 Providing information to PII principals | 8.2.6 Fair, lawful and transparent processing
7.3.4 Providing mechanism to modify or withdraw consent | 8.2.6 Fair, lawful and transparent processing
7.3.5 Providing mechanism to object to PII processing | 8.2.12 Rights of natural persons
7.3.6 Access, correction and/or erasure | 8.2.9 Accuracy
7.4.4 PII minimization objectives | 8.2.8 Adequate, relevant and in line with data minimization principles
7.4.5 PII de-identification and deletion at the end of processing | 8.2.10 Retention and disposal
7.4.6 Temporary files | 8.2.11 Security issues
8.3.1 Obligations to PII principals | 8.2.6 Fair, lawful and transparent processing
BS 10012 clause | ISO/IEC 27701 clause
4.1 Understanding the organization and its context | 5.2.1 Understanding the organization and its context
4.2 Understanding the needs and expectations of interested parties | 5.2.2 Understanding the needs and expectations of interested parties
4.3 Determining the scope of the personal information management system | 5.2.3 Determining the scope of the information security management system
4.4 Personal information management system | 5.2.4 Information security management system
5.1 Leadership and commitment | 5.3.1 Leadership and commitment
5.4 Embedding the PIMS in the organization's culture | 5.4.2 Information security objectives and planning to achieve them; 6.3.1 Internal organization
6.1 Actions to address risks and opportunities | 5.4.1 Actions to address risks and opportunities; 7.2.5 Privacy impact assessment
8.1 Operational planning and control | 5.6.1 Operational planning and control; 6.9.1 Operational procedures and responsibilities
8.2.1 Key appointments | 5.3.3 Organizational roles, responsibilities and authorities; 6.3.1 Internal organization
8.2.2 Identifying and recording uses of personal information | 6.5.1 Responsibility for assets; 6.5.2 Information classification
8.2.11 Security issues (continued) | 8.2.3 Marketing and advertising use; 8.2.4 Infringing instruction; 8.2.5 Customer obligations; 8.2.6 Records related to processing PII; 8.4.3 PII transmission controls; 8.5.1 Basis for PII transfer between jurisdictions; 8.5.2 Countries and international organizations to which PII can be transferred; 8.5.3 Records of PII disclosure to third parties; 8.5.4 Notification of PII disclosure requests; 8.5.5 Legally binding PII disclosures; 8.5.6 Disclosures of subcontractors used to process PII; 8.5.7 Engagement of a subcontractor to process PII; 8.5.8 Change of subcontractor to process PII
8.2.12 Rights of natural persons | 7.3.1 Determining and fulfilling obligations to PII principals; 7.3.5 Providing mechanism to object to PII processing; 7.3.7 PII controllers' obligations to inform third parties; 7.3.8 Providing copy of PII processed; 7.3.9 Handling requests; 6.14.2 Redundancies
10.1 Nonconformity and corrective action | 5.8.1 Nonconformity and corrective action
BSI/UK/1592/SC/0719/EN/GRP
A white paper
Privacy regulation
Contents
• Introduction
• The European privacy landscape
• The role of ISO/IEC 27701
• The benefits of the standard
• Key concepts
• Overview of the privacy regulation landscape
• ePrivacy regulation challenges AdTech business model
• Competition law challenges for those processing large datasets
• Online harm from personal data posted online
• Implementing privacy and information security standards
• Privacy governance
• Conclusion
Introduction
The privacy of individuals’ personal data is very topical. An organization must carefully consider how to
handle the personal information of customers, employees, visitors and neighbours; for many organizations
this is a challenge. The application of the GDPR (General Data Protection Regulation) in May 2018 meant that
all organizations, no matter where they were based, now have to comply with the GDPR if they handle the
personal data of citizens of the EU. Beyond the EU, at least 132 countries now have a privacy law in place.
Organizations that transfer personal data between these countries must take each relevant law into account
when considering controls to protect privacy.
Implementing and monitoring controls to support compliance with such laws can be a complex challenge. To
make this more manageable, having standards in place can give organizations more confidence in the steps
they have taken in fulfilling regulatory compliance. Such standards include ISO/IEC 27701 which is an
internationally agreed standard that enables organizations to extend their existing ISO/IEC 27001
Information Security Management System (ISMS) to address privacy requirements.
This white paper sets out an overview on regulations related to privacy, the role ISO/IEC 27701 can play and
what this means for businesses and consumers.
Key concepts
The language of privacy and information security requirements can seem daunting to those new to the field. However, help is
available as defining key concepts is central to the work of creating international standards. Some definitions will be widely
accepted by practitioners, while others will be disputed, sometimes indefinitely. Nonetheless, standards present an internationally
recognized definition of key concepts that practitioners can use in their day-to-day work of implementing controls. ISO/IEC 27701
and associated standards define many of the key concepts that a compliance programme in privacy and information security
requires. Some of these key concepts are described below.
Sensitive PII is defined in section 2.26 of ISO/IEC 29100:2011 as PII that contains information related to the
most intimate details about a PII principal or individual, or whose impact on the individual, if disclosed, would
be significant.
Privacy controls are defined in section 2.14 of ISO/IEC 29100:2011 as organizational, physical and technical
measures that treat privacy risks by reducing their likelihood or consequence.
The key source of information on applying the GDPR is the European Data Protection Board (EDPB). It issues
guidance on various topics, such as carrying out Data Protection Impact Assessments, which is available
online (https://edpb.europa.eu/guidelines-relevant-controllers-and-processors_en).
The EDPB took on the role of its predecessor organization, the Article 29 Working Group, which had been
created by the Data Protection Directive 95/46/EC that was incorporated into UK law as the Data Protection
Act 1998. When the EDPB was formed, it adopted all of the guidance published since 1997 covering topics
such as employee monitoring and breach notification. All of this guidance is available online
(https://ec.europa.eu/justice/article-29/documentation/index_en.htm). When reviewing an area it believes
needs guidance, the EDPB works to establish a consensus between each of the Data Protection Authorities
(DPAs) throughout the EU, such as the UK’s Information Commissioner’s Office (ICO) (www.ico.org.uk) and
France’s Commission Nationale de l’Informatique et des Libertés (CNIL).
DPAs are responsible for registering organizations that control the processing of personal data, providing
advice to organizations and to individuals, responding to complaints from individuals and investigating and
fining organizations that have experienced a data breach. The DPA will also prosecute organizations if they
believe that their processing of personal data is not compliant with the GDPR.
While there is still ambiguity over how to comply with some aspects of the GDPR, instances where a DPA
prosecutes an organization for non-compliance will provide a useful indication about how the DPA and the
courts expect organizations to comply with the law. Where a case is appealed to the European Court of
Justice, the EU’s supreme court, the judgements can be considered definitive. These cases tend to offer an
indication of how to implement the GDPR in some of the most complex circumstances. These cases are
reported online (https://eur-lex.europa.eu/homepage.html?locale=en).
The global impact of GDPR
The GDPR covers the personal data of European citizens, no matter where their data is processed, and has
therefore set a high standard for organizations all over the world. Other countries, when considering how to
revise their own data protection laws, have looked to the GDPR as an up to date model for data protection in
the age of global social media. Brazil has introduced a new data protection law (LGPD) that comes into force
in 2020 which adopts many of the principles of the GDPR. In addition, the new California Consumer Privacy
Act (CCPA), which also comes into force in 2020, adopts some of the concepts of the GDPR. Legislators in
Washington DC have been negotiating to introduce a federal data privacy law that may pre-empt the CCPA,
and their efforts have centred on achieving similar protections to those in the GDPR. Being compliant with
the GDPR therefore means less effort is required to comply with international laws.
Other European privacy laws
The GDPR was created at the same time as two parallel laws, Regulation (EU) 2018/1725, that require good
data protection practices in EU institutions, and the specific data protection Directive (680/2016) that
requires good data protection practices in EU law enforcement bodies. The Regulation (EU) 2018/1725 came
into effect for EU institutions on 11 December 2018, while the Directive came into effect in each jurisdiction
through local enabling laws. It was incorporated into the UK’s DPA 2018, which came into effect on
23 May 2018. A copy is available online (http://www.legislation.gov.uk/ukpga/2018/12/contents).
Those organizations that process large amounts of personal data are discovering that their processing may
also infringe competition law.
Competition law is designed to prevent a dominant market position being used to reduce competition from
other organizations in the same market. Where organizations, such as social media platforms, process the
personal data of large numbers of individuals, they might be considered to have a dominant position in the
market for gathering market research data, and providing display advertising. New competitors might
struggle to compete against an existing social media platform as the new company will not have the benefit
of millions of existing customers and their Internet data. Where this dominant position is considered to
prevent other organizations also gathering such market research data, reducing competition in the market,
the social media platform could be subject to competition law scrutiny.
In the EU, the Commission’s Competition Directorate tends to look at the market share of particular
organizations in specific markets to determine whether there is a risk to competition in the market. Where
competition law finds a dominant position in the market for market research data, sanctions can include
fines for anti-competitive behaviour, divestment of subsidiaries or breakup of dominant groups. The
European Commission is actively considering how new regulations might help to ensure that social media
platforms do not reduce competition from other companies.
Privacy governance
Good business governance is important to help organizations respond to changing environments, and there are different types of standards available to support this. For example, management system standards help organizations to manage risk and improve performance across a range of areas, from quality management and health and safety to privacy and information security.
The benefits of a management systems approach

Complying with any standard for a business process or product helps an organization develop in a specific discipline. However, implementing a management systems standard requires a much more robust approach that impacts all functions across the organization. If the management systems standard is going to be effective, it must be embedded into the existing management of the organization.

A management systems standard is focused on making compliance with the standard robust at any point in time and sustainable in the longer term. This type of standard makes the management of the organization as a whole much more systematic and transparent. Compliance against the standard demonstrates that the organization takes its management responsibilities seriously.

Leadership engagement

A key feature of a management systems standard is the requirement for the organization’s senior management to be involved. This can bring significant management attention to issues such as privacy and information security, and help to raise the profile of those issues within senior management teams. It can also support future conversations about the need for further investment and attention. For most organizations, progress towards compliance is an everlasting journey, and so following an international standard provides ongoing focus for a programme that can otherwise lose momentum after the initial burst of energy.

Integration efficiencies

Any management systems standard is also designed to be shared in a modular way, so that the effort of adding a new management systems standard to an organization is minimized. Once an organization has embedded a single management standard, say for quality, the extra effort required to add an additional management standard, say for privacy and information security, is much less than that for the initial standard.

Any organization that seeks to comply with privacy and information security requirements through a management systems standard is therefore investing in the robustness and sustainability of the organization in a way that allows other technical areas, such as safety or quality, to be addressed in the future.
Conclusion
This white paper has explored the privacy regulation landscape. It has not only demonstrated a number of differences and similarities globally, but also highlighted the importance of specific regulatory requirements such as the ePrivacy Directive.

All regulations have positive intentions to support an individual’s privacy rights, and the foundation set by the GDPR has provided a springboard for other countries and states around the world. There are of course nuances between these that can create a challenge for organizations; however, that is where international standards can offer support.

ISO/IEC 27701 is a great example of a management systems standard that encourages organizations to put governance around their personally identifiable information activities. It requires jurisdictional differences to be considered and encourages senior management to take privacy seriously. This is of critical importance when new regulations are coming into force and the impacts can affect the bottom line.

It is also essential to recognize that the regulatory landscape is complex, ever changing and needs to be regularly reviewed. By adopting a management system approach, organizations are encouraged to continually monitor and assess performance in light of the business environment in which they operate; and ISO/IEC 27701 is a great example of organizations, governmental bodies and academics bringing their knowledge together to provide a governance framework that can support this.
Author

Reviewers

This white paper was peer reviewed by:

Geoffrey Goodell, Senior Research Associate, UCL CBT, UCL Computer Science.

One peer reviewer elected to remain anonymous.

Disclaimer

This white paper is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd. The views expressed are entirely those of the authors.

All rights reserved. Copyright subsists in all BSI publications including, but not limited to, this white paper. Except as permitted under the Copyright, Designs and Patents Act 1988, no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior written permission from BSI. While every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.
Buy your copy of ISO/IEC 27701 now at: shop.bsigroup.com/bsisoiec27701
Why BSI?
BSI has been at the forefront of information security standards since 1995, having produced the world’s first information security standard, BS 7799, now ISO/IEC 27001, the world’s most popular information security standard. And we haven’t stopped there, addressing new and emerging issues such as privacy, cyber and cloud security. That’s why we’re best placed to help you

Working with over 86,000 clients across 193 countries, BSI is a truly international business with skills and experience across a number of sectors, including automotive, aerospace, built environment, food and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient.