
ISO/IEC 27701

Privacy Information Management


Your implementation guide
What is ISO/IEC 27701?
ISO/IEC 27701 is the international standard for a Privacy Information Management System (PIMS). It’s
a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security
Controls.

It provides guidance and requirements on the protection of privacy, helping both personally identifiable
information (PII) processors and PII controllers to put robust data processes and controls in place.
This means you can demonstrate accountability for managing PII, instil trust and build strong business
relationships.

Contents
• Benefits
• ISO/IEC 27701 clause by clause
• BSI Training Academy
• BSI Business Improvement Software

What kind of organizations can benefit
from ISO/IEC 27701?
ISO/IEC 27701 is ideal for all types and sizes of organizations that want to demonstrate that they take
protecting personal information seriously.

Whether you’re a public or private company, government entity or not-for-profit organization, if your
organization is responsible for processing PII within an information security management system then
ISO/IEC 27701 is for you.

Specific organizational roles include:


• PII controllers (including those who are joint PII controllers)
• PII processors

Benefits of ISO/IEC 27701

• Builds trust in managing PII
• Supports compliance with privacy regulations
• Reduces complexity by integrating with ISO/IEC 27001
• Facilitates effective business relationships
• Clarifies roles and responsibilities

The key requirements of ISO/IEC 27701

Clause 1: Scope

This sets out the requirements for the management system and its intended application.

ISO/IEC 27701 is aimed at providing requirements and guidance to establish, implement, maintain and improve a privacy information management system in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002. It is focused on both PII controllers and PII processors who hold responsibility and accountability for processing PII.

Clause 2: Normative references

Normative references are documents referred to throughout a standard. For ISO/IEC 27701 these include:

ISO/IEC 27000 Information security management systems – overview and vocabulary
ISO/IEC 27001 Information security management systems – requirements
ISO/IEC 27002 Code of practice for information security controls
ISO/IEC 29100 Privacy framework

Clause 3: Terms and definitions

This section provides a couple of additional definitions for important terms used throughout the standard that are not included in ISO/IEC 27000 and ISO/IEC 29100.

Clause 4: General

This clause ‘sets the scene’ for ISO/IEC 27701. It provides an overview of the document’s structure and indicates, at a high level, the location of PIMS-specific requirements in relation to ISO/IEC 27001 and ISO/IEC 27002.

Clause 5: PIMS specific requirements related to ISO/IEC 27001

This clause is all about extending information security requirements from ISO/IEC 27001 to incorporate the protection of privacy.

As part of the context of the organization, you need to determine your role as a processor and/or controller and consider the impact of internal and external factors such as privacy specific regulations and contractual requirements. Depending on your role, relevant controls from Annexes A and/or B need to be implemented and applied to your existing statement of applicability.

You must also consider interested parties associated with processing PII, the scope of your PIMS and how you’ll effectively implement, maintain and continually improve the system.

Requirements for leadership, planning, support, operation, performance evaluation and improvement from ISO/IEC 27001 must be considered and extended as appropriate to ensure the protection of privacy. In particular, risks to information and processing of PII must now be assessed and treated appropriately.

Clause 6: PIMS specific guidance related to ISO/IEC 27002

This clause is all about extending information security guidance from ISO/IEC 27002 to incorporate the protection of privacy.

For example, organizations need to consider the additional implementation guidance around information security policies to incorporate relevant privacy statements, based on compliance, contractual and stakeholder requirements.

Clearer guidance is provided on roles and responsibilities in relation to PII processing. This includes awareness of incident reporting and the consequences of a privacy breach.

Guidance to ensure consideration of PII within your information classification is provided. You must understand the PII your organization processes, where it is stored and the systems it flows through. People must also be aware of what PII is and how to recognize it.

More detailed implementation guidance is included on incident management, removable media, user access on systems and services that process PII, cryptographic protection, re-assigning storage space that previously stored PII, back-up and recovery of PII, event log reviews, information transfer policies and confidentiality agreements.

Plus, guidance in this clause encourages you to consider PII up front before data transmission on public networks, and as part of system development and design.

Importantly, supplier relationships, expectations and responsibilities need addressing.

Clause 7: Additional guidance for PII controllers

This clause covers PIMS specific implementation guidance for PII controllers. It relates to controls listed in Annex A.

For example, you need to identify the specific purposes for the PII you process and have a legal basis for processing it to comply with relevant laws. Updates should be made if the purpose for processing PII changes or extends.

Guidance also outlines considerations of special category data and consent requirements, privacy impact assessment requirements to minimize risk to PII principals, contracts with PII processors and clear roles and responsibilities with any joint controllers.

You should make it clear to individuals whose PII you process why and how you process it, with a contact point for any requests. Detailed guidance is included on consent, withdrawals and PII access, correction or erasure. Third party obligations, handling requests and automated decision-making guidance is also provided.

Finally, privacy by design for processes and systems should consider minimum requirements for collection and processing, the accuracy and quality of PII, limitations on the amount collected based on the purpose of processing and end of processing requirements.

Importantly, PII sharing, transfer and disclosure guidance is outlined to help you transfer between jurisdictions with supporting records.
Clause 8: Additional guidance for PII processors

This clause covers PIMS specific implementation guidance for PII processors. It relates to controls listed in Annex B.

For example, customer contracts should address your organization’s role as a PII processor to assist with customer obligations, including those of PII principals. Prior consent must be obtained to use PII for marketing and advertising purposes.

Guidance is outlined to identify and maintain the necessary records to help demonstrate compliance with the agreed PII processing you conduct.

Detailed guidance on helping your customer respond to individual requests, managing temporary files created during processing, returning, transferring or disposing of PII securely and appropriate transmission controls is included.

Finally, PII sharing, transfer and disclosure guidance is detailed to address jurisdictional transfers, third-party and sub-contractor requirements and management of legally binding PII disclosures.

Annexes

A number of Annexes are included in ISO/IEC 27701. Annexes A and B are for controllers and processors respectively, whilst Annexes C – F provide additional knowledge that can support with setting up and operating an effective PIMS.

Annex A

A list of controls for PII controllers. Not all controls will be required; however, a justification for excluding any control is required in the statement of applicability.

Annex B

A list of controls for PII processors. Not all controls will be required; however, a justification for excluding any control is required in the statement of applicability.

Annex C

Mapping of controls for PII controllers to the ISO/IEC 29100 privacy principles. This gives an indication of how compliance with the requirements and controls of ISO/IEC 27701 relates to the privacy principles in ISO/IEC 29100.

Annex D

Mapping of ISO/IEC 27701 clauses to GDPR articles 5 to 49 (except 43). This shows how compliance with the requirements and controls of ISO/IEC 27701 can be relevant to fulfilling the obligations of GDPR.

Annex E

Mapping of ISO/IEC 27701 clauses to:
• ISO/IEC 27018 requirements for PII processors in public clouds
• ISO/IEC 29151 for additional controls and guidance for PII controllers

Annex F

Details how to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002. It clearly maps the extension of information security terms to incorporate privacy and includes some examples for application.

Train with BSI
BSI is a world leader in helping clients develop the knowledge and skills they need to embed excellence
in their organizations. Whether your organization is going to certify or is simply looking to implement a
privacy information management system, our training courses will help you embed the knowledge and
maximize your ISO/IEC 27701 performance.

ISO/IEC 27701 courses include:

ISO/IEC 27701 Requirements
• One day
• Learn what a PIMS is and understand the ISO/IEC 27701 requirements

ISO/IEC 27701 Internal auditor
• One day
• As an existing ISO/IEC 27001 auditor, learn how to conduct audits against ISO/IEC 27701

ISO/IEC 27701 Implementation
• Two days
• Get the skills to implement an ISO/IEC 27701 privacy information management system

BSI Business Improvement Software


Gain insight and deliver continual improvements

Ensure you get the most from your ISO/IEC 27701 investment with our Business Improvement Software – a
solution that can help you effectively manage your privacy information management system. With pre-
configured ISO content, it gives you the tools and information necessary to manage essential elements of
your PIMS.

The start of your ISO/IEC 27701 journey is an ideal time to implement BSI Business
Improvement Software and benefit from:

• Effective document control

• Visibility of site and certificate performance

• Ability to log, track and manage actions related to audits, incidents/events, risk and performance

• Insight into trends that help you make business decisions to drive improvement through its
customizable dashboards and reporting tools
Why BSI?
For over a century BSI has championed what good looks like and driven best practice
in organizations around the world. This includes the production of BS 7799, now
ISO/IEC 27001, the world’s most popular information security standard. And we haven’t
stopped there, addressing the new emerging issues such as cyber, cloud security and now
privacy with ISO/IEC 27701. That’s why we’re best placed to help you.
With the technical know-how and network of industry experts, academics and
professional bodies, we are committed to drive the privacy agenda for both organizations
and society.

About BSI

BSI is the business improvement company that enables organizations to turn standards of best practice into habits of excellence. Working with over 86,000 clients across 193 countries, it is a truly international business with skills and experience across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient.

To learn more, please visit: bsigroup.com

BSI/UK/1651/SC/1119/EN/GRP
Copyright © 2019, The British Standards Institution. All rights reserved.

Find out more


Call: +44 (0)345 080 9000
Visit: bsigroup.com
Privacy matters
Managing personal information with ISO/IEC 27701
A BSI whitepaper for business

Introduction
Digitalization, globalization and personalization of services, from booking a doctor’s appointment to internet
banking, have led to greater collection and processing of personal information than ever before. And this
trend is growing as opportunities for new services arise, and new players enter the market.

There are now so many different platforms people use as part of their daily routine where personal information is collected, such as the growth in mobile applications, loyalty schemes, connected devices and location-based advertising. This means we are regularly handing over our data without thinking it through, creating more data flows than ever before. And whether it’s dating sites, telecoms providers or public service organizations, there is barely a day that goes by when you look at the news and don’t see reference to a data breach where personal records have been compromised. This has only increased the focus on issues surrounding the misuse of personal information, meaning organizations cannot afford to be complacent.

Greater awareness of these issues has led to growing concern, among both individuals and governments, around how personal data is collected, used and protected; in response, some governments have proposed or enacted new regulations aimed at providing guidelines and requirements for treatment of personal data.

Within Europe, the introduction of the General Data Protection Regulation (GDPR) provides a harmonization of data privacy laws that reflect the realities of the digital world we now live in.

Many other countries, such as Korea, Australia and China, are also creating data protection legislation. In anticipation of the increased regulatory environment and a need for a common set of concepts to address the protection of personal data, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have taken the initiative to create standards to provide such guidance. These standards have the benefit of providing frameworks for assisting organizations to demonstrate personal data protection and privacy compliance with different laws in a changing regulatory landscape. Certification may also be a useful tool for organizations to add credibility to their commitment to privacy and related obligations.

Managing personal information


Given the dynamic environment in which we operate, the need for guidance on how organizations should manage and process
data to reduce the risk to personal information is getting more important. Guidance, in the form of a new international standard, for
how organizations should manage personal information and assist in demonstrating compliance with updated privacy regulations
around the world is therefore very powerful. That’s why ISO/IEC 27701 for privacy information management has been developed.

What is ISO/IEC 27701?


This new international standard is officially called ISO/IEC 27701 (Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines).

As many organizations have implemented an Information Security Management System (ISMS) based on ISO/IEC 27001 and using the guidance from ISO/IEC 27002, it’s a natural step to provide guidance for the protection of privacy that builds on this strong foundation.

ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 and provides additional guidance for the protection of privacy, which is potentially affected by the collection and processing of personal information. The design goal is to enhance the existing ISMS with additional requirements in order to establish, implement, maintain and continually improve a Privacy Information Management System (PIMS). The standard outlines a framework for personally identifiable information (PII) controllers and PII processors to manage privacy controls so that risk to individual privacy rights is reduced (see Table 1). These additional requirements and guidance are written in such a way that they are practical and usable by organizations of all sizes and cultural environments.

Table 1 – Personal information management roles

PII Controller: Collects personal information and determines the purposes for which it is processed. More than one organisation can act as PII controller, often known as co-controller, and this is where data-sharing agreements may be necessary.

PII Processor: Processes personal information on behalf of and only according to the instruction of the PII controller.

How ISO/IEC 27701 helps PII Controllers
• Provides best practice guidance
• Gives transparency between PII controllers
• Provides an effective way to manage PII processes

How ISO/IEC 27701 helps PII Processors
• Provides best practice guidance
• Gives reassurance to customers that PII is effectively managed

ISO/IEC 27701 developing the standard


ISO/IEC 27701 was drafted by the ISO/IEC Working Group responsible for ‘Identity Management and Privacy Technologies’. Its
development was led by a BSI-nominated Project Editor and BSI was appointed by the UK Government as the National Standards
Body and represented the UK interests at both the ISO and the IEC.

It’s intended that organizations will certify to ISO/IEC 27701 as an extension to an ISO/IEC 27001 management system. In other words,
organizations planning to seek an ISO/IEC 27701 certification will also need an ISO/IEC 27001 certification. This demonstrates
commitment to both information security and privacy management.

How ISO/IEC 27701 fits in


Requirements and guidance for the protection of personal information vary depending upon the context of the organization and where national laws and regulations are applicable. ISO/IEC 27001 requires that this context be understood and taken into account. ISO/IEC 27701 gets more specific. It includes mappings to:

• the privacy framework and principles defined in ISO/IEC 29100
• ISO/IEC 27018 and ISO/IEC 29151, which both focus on PII

However, all these mappings need to be interpreted to take into account local laws and regulations. It is also worth noting that ISO/IEC 27701 is applicable to all organizations that act as processors, controllers or both; ISO/IEC 27018 applies specifically to public cloud providers.

BS 10012:2017+A1:2018* is a published standard specific to the UK. It provides a best practice framework for a personal information management system that is aligned to the principles of the European Union (EU) GDPR. One of the key distinctions between ISO/IEC 27701 and BS 10012 is that ISO/IEC 27701 is structured so that the PIMS can be considered an extension to ISMS requirements and controls.

ISO/IEC 27701 can be used by PII controllers (including those who are joint PII controllers) and PII processors (including those using subcontracted PII processors).

An organization complying with the requirements in ISO/IEC 27701 will generate documented evidence of how it handles the processing of personal information. This evidence may be used to facilitate agreements with business partners where the processing of personal information is mutually relevant. This might also assist in relationships with other stakeholders. The use of ISO/IEC 27701 in conjunction with ISO/IEC 27001 can, if desired, provide independent verification of this evidence, although compliance with these documents cannot be taken as compliance with laws and regulations.

Benefits of ISO/IEC 27701
• Gives transparency between stakeholders
• Helps build trust
• Provides a more collaborative approach
• More effective business agreements
• Clearer roles and responsibilities
• Reduces complexity by integrating with ISO/IEC 27001

*An amendment to BS 10012:2017 was published in 2018 (BS 10012+A1:2018). This amendment covers minor changes to some clauses of BS 10012:2017; these changes have been made to reflect the UK Data Protection Act 2018.

To validate that adequate operational controls from the standard are implemented consistently, and to carry out the compliance requirements of relevant privacy regulations, measures must be taken to:

1. map the relevant regulatory requirements against the standard’s controls
2. enumerate specific regulatory requirements that are not already fully captured by the standard’s controls, and the conditions under which the requirements become applicable
3. incorporate the above into the risk assessment process in the audit cycle

A good example to examine is the data breach management controls in ISO/IEC 27701 and the breach notification requirements (Article 33) in GDPR. By all measures, the standard’s security incident management controls map squarely with the GDPR data breach requirements. But the standard does not contain a specific 72-hour notification as required by the law. In order for practitioners to demonstrate that the organization has implemented a management system that fulfils this particular GDPR requirement, they must show the auditors that the organization either has a uniform process in place that would notify the data subjects and the privacy regulators within 72 hours of breach confirmation, or has a process to determine if the breach involves European citizens or if the breached data processing took place in Europe and, if so, trigger the notification within the required timeframe.

The mapping of the standard against regulations and the enumeration of unique regulatory requirements and applicable conditions are the necessary mechanisms by which controllers and processors can use ISO/IEC 27701 to verify regulatory compliance against multiple privacy regulations.

Data privacy laws


As the challenge increases for organizations to keep data secure and minimize the risk of a breach, it’s unsurprising to see privacy laws evolving to keep up with the changing business landscape. Most notably, the EU GDPR has received a lot of attention.

The GDPR is EU law for the preservation of fundamental rights and freedoms, in particular the right everyone has to the protection of personal information concerning them. These rights must also be preserved in respect of data processing activities and the free flow of personal information between EU Member States. The processing of data should be for the benefit of the natural persons that the data belongs to. Similar laws exist around the world to protect the personal information and rights of citizens, including some sector-specific requirements such as healthcare, retail and banking.

Healthcare sector
As a sector that collects some of the most sensitive personal information, healthcare-specific data protection
laws are very prominent. For example, there is the French Public Health Code (Article L.1111-8) that requires
service providers who host certain types of health/medical data to be accredited for this activity. And the Health
Insurance Portability and Accountability Act in the United States sets the standard for sensitive patient data
protection and requires U.S. health plans, healthcare clearing houses and healthcare providers, or any organization
or individual who acts as a vendor or subcontractor with access to personal health information, to comply.

It is also important to highlight the European Digital Single Market. This is a policy, announced in 2015, that covers digital marketing, e-commerce and telecommunications. It aims to open up opportunities for people and businesses, breaking down existing barriers. It has three core pillars:

• Access to online products and services
• Conditions for digital networks and services to grow and thrive
• Growth of the European digital economy

It facilitates cross-border data processing and commerce. However, differences in data privacy laws across member states of Europe were recognized as a barrier to the European Digital Single Market being a success. Therefore, the introduction of GDPR to help harmonize data privacy across all of Europe is a positive step change.

Certification mechanisms to help demonstrate compliance with data protection laws

The GDPR encourages data protection certification mechanisms and data protection seals and marks to be established to help demonstrate compliance with the regulations of processing operations by controllers and processors (GDPR (EU) 2016/679, Article 42). Plus, such certification or seals can be used to show that an organization has taken the right measures to handle personal information in a way that aligns with the GDPR.

Consistent certification mechanisms can bring the all-important ‘accountability’ factor into the picture, facilitating the reduction of risk and improving the free flow of personal information. This helps organizations provide useful services, whilst increasing transparency of the process and showing integrity to customers on the protection of personal information as illustrated in Figure 2.

It also brings to the surface the importance of data processing to supply chain management, as the controller is responsible for the data from cradle to grave. Consider a product such as a credit card that is co-branded by an airline and a bank. Customer information from both sides would need to be exchanged to identify which customers are likely to take up such a product. The exchange of a customer’s personal information introduces a risk. How does each side verify that the other will adequately protect their customer’s data? The risk is exacerbated as further players are involved. A marketing company may be contracted to target customers, perhaps even buying adverts on a social media platform. A cloud service might also be used by the marketing company to store and process data related to this marketing campaign. Certification can serve as an independent verification that will prove the effectiveness of the process and controls the organization uses to assess the risk of exchanging personal information between organizations throughout the supply chain.

However, as depicted in Figure 2(a), if one organization uses a certification scheme in one jurisdiction, and another is certified to a different scheme that is applicable in another jurisdiction, this may not provide the necessary assurance or level of trust to business partners that personal information belonging to their customers is being properly treated. Given the global nature of business, a consistent and uniform assurance mechanism is required to show that organizations comply with regulations, protecting personal information and providing an enabler for business growth as depicted in Figure 2(b). A common GDPR certification recognized across jurisdictions and industry verticals is necessary to mitigate risk and lower barriers to trade between commercial partners.

Figure 2 – Enabling commerce through consistent data privacy certification mechanisms. Panel (a): Fragmented certification between organizations. Panel (b): Consistent certification.

This sentiment is echoed by the European Union Agency for Network and Information Security (ENISA) which recently published recommendations on certification for GDPR [ENISA: Recommendation on European Data Protection Certification, Version 1.0, November 2017; https://www.enisa.europa.eu/publications/recommendations-on-european-data-protection-certification]. ENISA state that certification, seals and marks have a significant role to play in enabling data controllers to achieve and demonstrate compliance of their processing operations with GDPR provisions. ENISA recommends that national certification bodies and supervisory authorities under the guidance and support of the European Commission and European Data Protection Board should pursue a common approach on inception and deployment of GDPR certification mechanisms. They also recommend that the approach is scalable and uses approved and widely adopted criteria. Consistency and harmonization of certification mechanisms across Europe are emphasized, and the trustworthiness and transparency are reinforced as important traits of the certification process.

ISO/IEC 27701 is a potential certification mechanism


ISO/IEC 27701 addresses the recommendations above, and, it’s anticipated, could be used as the basis of a certification mechanism (as stipulated by Article 42). If used in such a way, it would provide the necessary proof that an organization treats the personal information of its customers in compliance with the law, including for the case of cross-border data flows. ISO/IEC 27701 is applicable to organizations of all sizes and cultural environments. It is for the collection and processing of PII of both employees and customers. The set of controls being developed extends technical measures for implementing information security to also address privacy requirements and, if implemented by an organization, can assist in demonstrating compliance with data privacy laws such as GDPR.

Therefore, demonstrating compliance with the controls in ISO/IEC 27701 and generating the required documentation as evidence of how an organization handles PII can:

• significantly reduce compliance workloads by negating the need to support multiple certifications
• increase trust between organizations and customers by demonstrating compliance with data privacy laws
• generate evidence that Data Protection Officers can provide to senior management and board members to show their progress in privacy regulatory compliance
• increase the opportunities for business and commerce through the EU Digital Single Market and cross-border data flows

Furthermore, the intended application of ISO/IEC 27701 is to augment the existing ISMS with privacy-specific controls and create a PIMS that enables effective privacy management within an organization. With a well-established network of auditors providing certification against ISO/IEC 27001, which is commonly accepted as a successful standard for information security, ISO/IEC 27701 is in a very good position to be integrated into existing audit processes.

ISO/IEC 27701 was developed through recognized consensus-driven processes; this is one of the key tasks in developing the standard. There has been input and review from a range of industry and regulatory stakeholders; this includes participation and review by the European Data Protection Board (previously, the Article 29 Working Party), consisting of Data Protection Authorities (DPA) from all EU countries. DPAs, as well as accreditation bodies for auditors, will need to be satisfied that a certification mechanism based on ISO/IEC 27701 adequately assists organizations from all industry sectors and of all sizes to demonstrate compliance with privacy regulations. Additionally, a certification mechanism must address the needs of controllers and processors, both of which have numerous controls defined for them in ISO/IEC 27701.

Importance of stakeholder engagement


As previously mentioned, ISO/IEC 27701 is an extension to ISO/IEC 27001, and the standard is structured in the ISO management systems convention (commonly referred to as ‘Annex SL’), allowing multiple management systems to be implemented more efficiently by an organization. Figure 3 shows the landscape of stakeholders and the importance of their roles. By already working with the existing ISO/IEC 27001 ISMS, all these stakeholders will be in a very good position to work with ISO/IEC 27701. They all share common objectives on personal information management and the need for a recognized approach to show it is being taken seriously, which is where the role of ISO/IEC 27701 comes in.

Figure 3 – Stakeholder landscape for certification based on ISO/IEC 27701 (source: Microsoft).

The diagram shows each stakeholder group and its role:
• Controllers and Processors: implement a PIMS.
• Consultants: help the DPAs and national accreditation authorities carry out GDPR articles 42 and 43.
• Auditors: initiate and carry out certification processes.
• DPAs: provide a network of accredited auditors and consultants to assure a consistent baseline across Europe and the world.
• Common objectives: demonstrate the visibility of PIMS at scale across the market; encourage adoption of pan-European GDPR certification; demonstrate to the market that a PIMS holds up as a comprehensive GDPR evidence set.

Conclusions
To conclude, managing personal information in compliance with the evolving regulatory
landscape is complex but cannot be ignored. The protection of an individual’s personal
information is one of their fundamental human rights. Laws exist around the world to
protect these rights in an environment where business and data related to personal lives
are becoming increasingly globalized. The European GDPR has been introduced to ensure
that collection and processing of PII are conducted lawfully, and it supports the cross-
border data flows required to enable the EU Digital Single Market.

The European GDPR recognizes that certification mechanisms for demonstrating compliance with regulations go a long way to increasing trust in how organizations treat personal data, whilst creating business opportunities through providing assurance between organizations. This is especially true if certification is implemented consistently between EU member states and beyond the borders of Europe to enable global commerce and business.

The introduction of ISO/IEC 27701 is a necessary addition to the existing standards portfolio. Implementing the controls specified in ISO/IEC 27701 should enable an organization to document evidence of how it handles the processing of personal information. Such evidence may be used to facilitate agreements with business partners where the processing of personal information is mutually relevant and, once a widely accepted certification mechanism is in place, can assist in demonstrating compliance with data protection laws such as the GDPR.


Why BSI?

BSI has been at the forefront of information security standards since 1995, having produced the world's first information security management standard, BS 7799, now ISO/IEC 27001, the world's most popular information security standard. And we haven't stopped there, addressing the new emerging issues such as privacy, cyber and cloud security. That's why we're best placed to help you.

Working with over 86,000 clients across 193 countries, BSI is a truly international business with skills and experience across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business performance to help clients grow sustainably, manage risk and ultimately be more resilient.

Our products and services

Knowledge
The core of our business centres on the knowledge that we create and impart to our clients. In the standards arena we continue to build our reputation as an expert body, bringing together experts from industry to shape standards at local, regional and international levels. In fact, BSI originally created eight of the world's top 10 management system standards.

Assurance
Independent assessment of the conformity of a process or product to a particular standard ensures that our clients perform to a high level of excellence. We train our clients in world-class implementation and auditing techniques to ensure they maximize the benefits of standards.

Compliance
To experience real, long-term benefits, our clients need to ensure ongoing compliance to a regulation, market need or standard so that it becomes an embedded habit. We provide a range of services and differentiated management tools which help facilitate this process.

Find out more about ISO/IEC 27701 with BSI
Call 0345 080 9000 or visit bsigroup.com/iso27701-UK

BSI UK, 389 Chiswick High Road, London W4 4AL, United Kingdom
T: +44 345 086 9001
E: cservices@bsigroup.com
bsigroup.com

© 2019 The British Standards Institution. All Rights Reserved.
ISO/IEC 27701 Privacy Information Management System
Accountability and trust for personal information

Protecting personally identifiable information (PII) has never been so important. Individual privacy rights allow people to decide
how their personal data is managed and increasingly organizations have a legal obligation to respond.

Where the quantity of sensitive information has multiplied and the use of technology makes it easier to transfer and more readily
available, organizations need to respond. And that’s where ISO/IEC 27701 can help.

What are the benefits of ISO/IEC 27701?


ISO/IEC 27701 is a privacy extension to ISO/IEC 27001 Information Security Management and ISO/IEC 27002 Security Controls.
An international standard for a privacy information management system (PIMS), it provides guidance on the protection of
privacy, including how organizations should manage personal information, and assists in demonstrating compliance with privacy
regulations around the world.

It helps both PII processors and PII controllers to put robust data processes and controls in place, which means you can not only
demonstrate accountability for managing PII but instil trust and build strong business relationships.

Strategic governance

Organizations need the agility to respond to changing technologies and associated regulations. That's where top management engagement and alignment with your organization's strategy is key.

ISO/IEC 27701 provides a governance framework for managing PII. It builds upon internationally recognized information security governance, and both require top management engagement.

Privacy compliance

Privacy laws and regulations differ between country and state. Their scope can depend on where an individual lives or is located and, in some cases, on nationality, which can add a layer of complexity for organizations who operate in a global context.

ISO/IEC 27701 requires the context of PII processing to be understood and accounted for to ensure organizations respond to all relevant jurisdictional differences.

Relationship management

It's never been so important for alignment between business partners and stakeholders. The transfer of data and sharing of PII between different organizations and countries needs clear agreements, as well as defined roles and responsibilities.

ISO/IEC 27701 requires processes to be agreed and provides guidance on the different roles and responsibilities for processors and controllers to help facilitate relationships.

An integrated approach

ISO/IEC 27701 has been developed to minimize the complexity of multiple stand-alone systems. It extends ISO/IEC 27001 for information security and uses the ISO high level structure (HLS) that brings a common framework to all management systems.

By implementing a PIMS, you not only gain greater effectiveness and efficiency with your information security management, but you can integrate with other popular systems such as ISO 22301 business continuity management.

At BSI we have the experience, the experts and the support services to help you get the most from ISO/IEC 27701.
ISO/IEC 27701 certification journey
Whether you’re new to privacy management or looking to enhance an existing information security and privacy system, certification to
ISO/IEC 27701 provides confidence and trust in the way you manage privacy. It demonstrates you have taken accountability for processing
PII in a secure and compliant way. No matter where you are in your journey, our team are on hand to support.

[Certification journey diagram: Get a copy of the standard → Privacy Information Management System development → Optional gap assessment → Application → Stage one assessment and stage two certification audit (onsite) → Corrective actions → Audit report → Certification → Privacy Information Management System continuous development → Surveillance audits.]

Management system software: capture and manage your audits, findings, incidents and risks.


Capture and manage your audits, findings, incidents and risks

Our ISO/IEC 27701 journey builds upon ISO/IEC 27001 certification. If you’re certified to ISO/IEC 27001, talk to us about the option of
combined audit days.

Why BSI?

For over a century BSI has championed what good looks like and driven best practice in organizations around the world. This includes the production of BS 7799, now ISO/IEC 27001, the world's most popular information security standard. And we haven't stopped there, addressing the new emerging issues such as cyber, cloud security and now privacy with ISO/IEC 27701. That's why we're best placed to help you.

With the technical know-how and network of industry experts, academics and professional bodies, we are committed to driving the privacy agenda for both organizations and society.

Privacy information management training courses

Get the skills to maximize ISO/IEC 27701 for your organization. Our training courses will help you understand the ISO/IEC 27701 standard and the agreed terms and definitions. You can build on this knowledge to learn how to implement or audit a PIMS so it delivers value for your organization.

Our courses include:
• ISO/IEC 27701 Requirements – one day introduction
• ISO/IEC 27701 Implementation – two day implementation techniques
• ISO/IEC 27701 Internal auditor – one day course for existing ISO/IEC 27001 auditors to learn ISO/IEC 27701 auditing techniques

Our courses use a high-impact, accelerated learning approach, proven to enhance knowledge retention and skill application.

For more information on ISO/IEC 27701 from BSI please contact your local office.
Details available at: bsigroup.com

ISO/IEC 27701 International Privacy Information Management System


August 2019

ISO/IEC 27701 Privacy Information Management
Comparing ISO/IEC 27701 and BS 10012
Mapping guide

BS ISO/IEC 27701:2019 Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management -- Requirements and guidelines specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to the information security standards BS EN ISO/IEC 27001 and BS EN ISO/IEC 27002.

It's the first international management system standard to help organizations manage personally identifiable information and respond to jurisdictional differences in privacy regulations globally. BS 10012 Data protection - Specification for a personal information management system is a British standard aligned to the GDPR and the UK Data Protection Act 2018 that's used by organizations globally to put processes and controls in place to manage personal information.

This guide shows how the different clauses in ISO/IEC 27701 map to the clauses in BS 10012. It's designed for guidance purposes only and aims to help you understand the degree of correspondence between the two standards and the different ways they express privacy requirements. When reading the tables, note how ISO/IEC 27701 is organized: clause 5 contains the PIMS-specific requirements that extend ISO/IEC 27001, clause 6 the PIMS-specific guidance that extends the ISO/IEC 27002 controls, clause 7 additional guidance for PII controllers and clause 8 additional guidance for PII processors.

Mapping ISO/IEC 27701 to BS 10012:2017

ISO/IEC 27701 clause | ISO/IEC 27701 topic | BS 10012 topic | BS 10012 clause
---|---|---|---
5.2.1 | Understanding the organization and its context | Understanding the organization and its context | 4.1
5.2.2 | Understanding the needs and expectations of interested parties | Understanding the needs and expectations of interested parties | 4.2
5.2.3 | Determining the scope of the information security management system | Determining the scope of the personal information management system | 4.3
5.2.4 | Information security management system | Personal information management system | 4.4
5.3.1 | Leadership and commitment | Leadership and commitment | 5.1
5.3.2 | Policy | Policy | 5.2
5.3.3 | Organizational roles, responsibilities and authorities | Organizational roles, responsibilities and authorities | 5.3
5.4.1 | Actions to address risks and opportunities | Actions to address risks and opportunities | 6.1
5.4.2 | Information security objectives and planning to achieve them | Embedding the PIMS in the organization's culture | 5.4
 | | PIMS objectives and planning to achieve them | 6.2
5.5.1 | Resources | Resources | 7.1
5.5.2 | Competence | Competence | 7.2
5.5.3 | Awareness | Awareness | 7.3
5.5.4 | Communication | Communication | 7.4
5.5.5 | Documented information | Documented information | 7.5
5.6.1 | Operational planning and control | Operational planning and control | 8.1
5.6.2 | Information security risk assessment | Risk assessment and treatment | 8.2.3
5.6.3 | Information security risk treatment | Risk assessment and treatment | 8.2.3
5.7.1 | Monitoring, measurement, analysis and evaluation | Keeping PIMS up to date | 8.2.5
 | | Maintenance | 8.2.13
 | | Monitoring, measurement, analysis and evaluation | 9.1
5.7.2 | Internal audit | Internal audit | 9.2
5.7.3 | Management review | Management review | 9.3
5.8.1 | Nonconformity and corrective action | Nonconformity and corrective action | 10.1
 | | Preventative actions | 10.2
5.8.2 | Continual improvement | Continual improvement | 10.3
6.2.1 | Management direction for information security | Policy | 5.2
6.3.1 | Internal organization | Embedding the PIMS in the organization's culture | 5.4
 | | Key appointments | 8.2.1
6.3.2 | Mobile devices and teleworking | Security issues | 8.2.11
6.4.1 | Prior to employment | Training and awareness | 8.2.4
6.4.2 | During employment | Training and awareness | 8.2.4
6.4.3 | Termination and change of employment | Training and awareness | 8.2.4
6.5.1 | Responsibility for assets | Identifying and recording uses of personal information | 8.2.2
6.5.2 | Information classification | Identifying and recording uses of personal information | 8.2.2
6.5.3 | Media handling | Security issues | 8.2.11
6.6.1 | Business requirements of access control | Security issues | 8.2.11
6.6.2 | User access management | Security issues | 8.2.11
6.6.3 | User responsibilities | Security issues | 8.2.11
6.6.4 | System and application access control | Security issues | 8.2.11
6.7.1 | Cryptographic controls | Security issues | 8.2.11
6.8.1 | Secure areas | Security issues | 8.2.11
6.8.2 | Equipment | Security issues | 8.2.11
6.9.1 | Operational procedures and responsibilities | Operational planning and control | 8.1
6.9.2 | Protection from malware | Security issues | 8.2.11
6.9.3 | Backup | Security issues | 8.2.11
6.9.4 | Logging and monitoring | Security issues | 8.2.11
6.9.5 | Control of operational software | Security issues | 8.2.11
6.9.6 | Technical vulnerability management | Security issues | 8.2.11
6.9.7 | Information systems audit considerations | Internal audit | 9.2
6.10.1 | Network security management | Security issues | 8.2.11
6.10.2 | Information transfer | Security issues | 8.2.11
6.11.1 | Security requirements of information systems | Security issues | 8.2.11
6.11.2 | Security in development and support processes | Security issues | 8.2.11
6.11.3 | Test data | Security issues | 8.2.11
6.12.1 | Information security in supplier relationships | Security issues | 8.2.11
6.12.2 | Supplier service delivery management | Security issues | 8.2.11
6.13.1 | Management of information security incidents and improvements | Security issues | 8.2.11
6.14.1 | Information security continuity | Maintenance | 8.2.13
6.14.2 | Redundancies | Maintenance | 8.2.13
6.15.1 | Compliance with legal and contractual requirements | Fair, lawful and transparent processing | 8.2.6
6.15.2 | Information security reviews | Fair, lawful and transparent processing | 8.2.6
7.2.1 | Identify and document purpose | Identifying and recording uses of personal information | 8.2.2
 | | Processing for specific legitimate purposes | 8.2.7
7.2.2 | Identify lawful basis | Fair, lawful and transparent processing | 8.2.6
7.2.3 | Determine when and how consent is to be obtained | Fair, lawful and transparent processing | 8.2.6
7.2.4 | Obtain and record consent | Fair, lawful and transparent processing | 8.2.6
7.2.5 | Privacy impact assessment | Actions to address risks and opportunities | 6.1
 | | Risk assessment and treatment | 8.2.3
7.2.6 | Contracts with PII processors | Security issues | 8.2.11
7.2.7 | Joint PII controller | Risk assessment and treatment | 8.2.3
7.2.8 | Records related to processing PII | Identifying and recording uses of personal information | 8.2.2
7.3.1 | Determining and fulfilling obligations to PII principals | Fair, lawful and transparent processing | 8.2.6
 | | Rights of natural persons | 8.2.12
7.3.2 | Determining information for PII principals | Fair, lawful and transparent processing | 8.2.6
7.3.3 | Providing information to PII principals | Fair, lawful and transparent processing | 8.2.6
7.3.4 | Providing mechanism to modify or withdraw consent | Fair, lawful and transparent processing | 8.2.6
7.3.5 | Providing mechanism to object to PII processing | Rights of natural persons | 8.2.12
7.3.6 | Access, correction and/or erasure | Accuracy | 8.2.9
7.3.7 | PII controllers' obligations to inform third parties | Rights of natural persons | 8.2.12
7.3.8 | Providing copy of PII processed | Rights of natural persons | 8.2.12
7.3.9 | Handling requests | Rights of natural persons | 8.2.12
7.3.10 | Automated decision making | Rights of natural persons | 8.2.12
7.4.1 | Limit collection | Actions to address risks and opportunities | 6.1
 | | Adequate, relevant and in line with data minimization principles | 8.2.8
7.4.2 | Limit processing | Actions to address risks and opportunities | 6.1
 | | Adequate, relevant and in line with data minimization principles | 8.2.8
7.4.3 | Accuracy and quality | Accuracy | 8.2.9
7.4.4 | PII minimization objectives | Adequate, relevant and in line with data minimization principles | 8.2.8
7.4.5 | PII de-identification and deletion at the end of processing | Retention and disposal | 8.2.10
7.4.6 | Temporary files | Security issues | 8.2.11
7.4.7 | Retention | Retention and disposal | 8.2.10
7.4.8 | Disposal | Retention and disposal | 8.2.10
7.4.9 | PII transmission controls | Security issues | 8.2.11
7.5.1 | Identify basis for PII transfer between jurisdictions | Security issues | 8.2.11
7.5.2 | Countries and international organizations to which PII can be transferred | Security issues | 8.2.11
7.5.3 | Records of transfer of PII | Security issues | 8.2.11
7.5.4 | Records of PII disclosure to third parties | Security issues | 8.2.11
8.2.1 | Customer agreement | Security issues | 8.2.11
8.2.2 | Organization's purposes | Security issues | 8.2.11
8.2.3 | Marketing and advertising use | Security issues | 8.2.11
8.2.4 | Infringing instruction | Security issues | 8.2.11
8.2.5 | Customer obligations | Security issues | 8.2.11
8.2.6 | Records related to processing PII | Security issues | 8.2.11
8.3.1 | Obligations to PII principals | Fair, lawful and transparent processing | 8.2.6
8.4.1 | Temporary files | Retention and disposal | 8.2.10
8.4.2 | Return, transfer or disposal of PII | Retention and disposal | 8.2.10
8.4.3 | PII transmission controls | Security issues | 8.2.11
8.5.1 | Basis for PII transfer between jurisdictions | Security issues | 8.2.11
8.5.2 | Countries and international organizations to which PII can be transferred | Security issues | 8.2.11
8.5.3 | Records of PII disclosure to third parties | Security issues | 8.2.11
8.5.4 | Notification of PII disclosure requests | Security issues | 8.2.11
8.5.5 | Legally binding PII disclosures | Security issues | 8.2.11
8.5.6 | Disclosures of subcontractors used to process PII | Security issues | 8.2.11
8.5.7 | Engagement of a subcontractor to process PII | Security issues | 8.2.11
8.5.8 | Change of subcontractor to process PII | Security issues | 8.2.11

Mapping BS 10012:2017 to ISO/IEC 27701


BS 10012 clause | BS 10012 topic | ISO/IEC 27701 topic | ISO/IEC 27701 clause
---|---|---|---
4.1 | Understanding the organization and its context | Understanding the organization and its context | 5.2.1
4.2 | Understanding the needs and expectations of interested parties | Understanding the needs and expectations of interested parties | 5.2.2
4.3 | Determining the scope of the personal information management system | Determining the scope of the information security management system | 5.2.3
4.4 | Personal information management system | Information security management system | 5.2.4
5.1 | Leadership and commitment | Leadership and commitment | 5.3.1
5.2 | Policy | Policy | 5.3.2
 | | Management direction for information security | 6.2.1
5.3 | Organizational roles, responsibilities and authorities | Organizational roles, responsibilities and authorities | 5.3.3
 | | Internal organization | 6.3.1
5.4 | Embedding the PIMS in the organization's culture | Information security objectives and planning to achieve them | 5.4.2
 | | Internal organization | 6.3.1
6.1 | Actions to address risks and opportunities | Actions to address risks and opportunities | 5.4.1
 | | Privacy impact assessment | 7.2.5
 | | Limit collection | 7.4.1
 | | Limit processing | 7.4.2
6.2 | PIMS objectives and planning to achieve them | Information security objectives and planning to achieve them | 5.4.2
7.1 | Resources | Resources | 5.5.1
7.2 | Competence | Competence | 5.5.2
7.3 | Awareness | Awareness | 5.5.3
7.4 | Communication | Communication | 5.5.4
7.5 | Documented information | Documented information | 5.5.5
8.1 | Operational planning and control | Operational planning and control | 5.6.1
 | | Operational procedures and responsibilities | 6.9.1
8.2.1 | Key appointments | Organizational roles, responsibilities and authorities | 5.3.3
 | | Internal organization | 6.3.1
8.2.2 | Identifying and recording uses of personal information | Responsibility for assets | 6.5.1
 | | Information classification | 6.5.2
 | | Identify and document purpose | 7.2.1
 | | Records related to processing PII | 7.2.8
8.2.3 | Risk assessment and treatment | Information security risk assessment | 5.6.2
 | | Information security risk treatment | 5.6.3
 | | Privacy impact assessment | 7.2.5
 | | Joint PII controller | 7.2.7
8.2.4 | Training and awareness | Prior to employment | 6.4.1
 | | During employment | 6.4.2
 | | Termination and change of employment | 6.4.3
8.2.5 | Keeping PIMS up to date | Monitoring, measurement, analysis and evaluation | 5.7.1
8.2.6 | Fair, lawful and transparent processing | Compliance with legal and contractual requirements | 6.15.1
 | | Information security reviews | 6.15.2
 | | Identify lawful basis | 7.2.2
 | | Determine when and how consent is to be obtained | 7.2.3
 | | Obtain and record consent | 7.2.4
 | | Determining and fulfilling obligations to PII principals | 7.3.1
 | | Determining information for PII principals | 7.3.2
 | | Providing information to PII principals | 7.3.3
 | | Providing mechanism to modify or withdraw consent | 7.3.4
 | | Obligations to PII principals | 8.3.1
8.2.7 | Processing for specific legitimate purposes | Identify and document purpose | 7.2.1
8.2.8 | Adequate, relevant and in line with data minimization principles | Limit collection | 7.4.1
 | | Limit processing | 7.4.2
 | | PII minimization objectives | 7.4.4
8.2.9 | Accuracy | Access, correction and/or erasure | 7.3.6
 | | Accuracy and quality | 7.4.3
8.2.10 | Retention and disposal | PII de-identification and deletion at the end of processing | 7.4.5
 | | Retention | 7.4.7
 | | Disposal | 7.4.8
 | | Temporary files | 8.4.1
 | | Return, transfer or disposal of PII | 8.4.2
8.2.11 | Security issues | Mobile devices and teleworking | 6.3.2
 | | Media handling | 6.5.3
 | | Business requirements of access control | 6.6.1
 | | User access management | 6.6.2
 | | User responsibilities | 6.6.3
 | | System and application access control | 6.6.4
 | | Cryptographic controls | 6.7.1
 | | Secure areas | 6.8.1
 | | Equipment | 6.8.2
 | | Protection from malware | 6.9.2
 | | Backup | 6.9.3
 | | Logging and monitoring | 6.9.4
 | | Control of operational software | 6.9.5
 | | Technical vulnerability management | 6.9.6
 | | Network security management | 6.10.1
 | | Information transfer | 6.10.2
 | | Security requirements of information systems | 6.11.1
 | | Security in development and support processes | 6.11.2
 | | Test data | 6.11.3
 | | Information security in supplier relationships | 6.12.1
 | | Supplier service delivery management | 6.12.2
 | | Management of information security incidents and improvements | 6.13.1
 | | Contracts with PII processors | 7.2.6
 | | Temporary files | 7.4.6
 | | PII transmission controls | 7.4.9
 | | Identify basis for PII transfer between jurisdictions | 7.5.1
 | | Countries and international organizations to which PII can be transferred | 7.5.2
 | | Records of transfer of PII | 7.5.3
 | | Records of PII disclosure to third parties | 7.5.4
 | | Customer agreement | 8.2.1
 | | Organization's purposes | 8.2.2
 | | Marketing and advertising use | 8.2.3
 | | Infringing instruction | 8.2.4
 | | Customer obligations | 8.2.5
 | | Records related to processing PII | 8.2.6
 | | PII transmission controls | 8.4.3
 | | Basis for PII transfer between jurisdictions | 8.5.1
 | | Countries and international organizations to which PII can be transferred | 8.5.2
 | | Records of PII disclosure to third parties | 8.5.3
 | | Notification of PII disclosure requests | 8.5.4
 | | Legally binding PII disclosures | 8.5.5
 | | Disclosures of subcontractors used to process PII | 8.5.6
 | | Engagement of a subcontractor to process PII | 8.5.7
 | | Change of subcontractor to process PII | 8.5.8
8.2.12 | Rights of natural persons | Determining and fulfilling obligations to PII principals | 7.3.1
 | | Providing mechanism to object to PII processing | 7.3.5
 | | PII controllers' obligations to inform third parties | 7.3.7
 | | Providing copy of PII processed | 7.3.8
 | | Handling requests | 7.3.9
 | | Automated decision making | 7.3.10
8.2.13 | Maintenance | Monitoring, measurement, analysis and evaluation | 5.7.1
 | | Information security continuity | 6.14.1
 | | Redundancies | 6.14.2
9.1 | Monitoring, measurement, analysis and evaluation | Monitoring, measurement, analysis and evaluation | 5.7.1
9.2 | Internal audit | Internal audit | 5.7.2
 | | Information systems audit considerations | 6.9.7
9.3 | Management review | Management review | 5.7.3
10.1 | Nonconformity and corrective action | Nonconformity and corrective action | 5.8.1
10.2 | Preventative actions | Nonconformity and corrective action | 5.8.1
10.3 | Continual improvement | Continual improvement | 5.8.2

Privacy regulation
Understanding the role of ISO/IEC 27701
By Kieran McDonagh, Riskscape Law Ltd

A white paper

Contents

Introduction 3
The European privacy landscape 4
The role of ISO/IEC 27701 4
The benefits of the standard 5
Key concepts 7
Overview of the privacy regulation landscape 10
ePrivacy regulation challenges AdTech business model 11
Competition law challenges for those processing large datasets 12
Online harm from personal data posted online 12
Implementing privacy and information security standards 13
Privacy governance 13
Conclusion 14

Introduction

The privacy of individuals' personal data is very topical. An organization must carefully consider how to handle the personal information of customers, employees, visitors and neighbours; for many organizations this is a challenge. The application of the GDPR (General Data Protection Regulation) from May 2018 meant that all organizations, no matter where they are based, have to comply with the GDPR if they handle the personal data of individuals in the EU. Beyond the EU, at least 132 countries now have a privacy law in place. Organizations that transfer personal data between these countries must take each relevant law into account when considering controls to protect privacy.

Implementing and monitoring controls to support compliance with such laws can be a complex challenge. To make this more manageable, having standards in place can give organizations more confidence in the steps they have taken in fulfilling regulatory compliance. Such standards include ISO/IEC 27701, an internationally agreed standard that enables organizations to extend their existing ISO/IEC 27001 Information Security Management System (ISMS) to address privacy requirements.

This white paper sets out an overview of regulations related to privacy, the role ISO/IEC 27701 can play and what this means for businesses and consumers.

The European privacy landscape

The personal data of millions of European consumers have been protected by law through the GDPR since 25 May 2018. All organizations, of whatever size, that handle personal data must be compliant with the GDPR, or with a local law that incorporates the GDPR. For example, in the UK this means complying with the Data Protection Act 2018 (DPA 2018).

The EU's Charter of Fundamental Rights, which was given legal power through the Treaty of Lisbon in 2009, includes individuals' right to respect for private life and to the protection of personal data (Articles 7 and 8). The GDPR is built on this right to privacy, and so requires that privacy must be taken into account when individuals' personal data is collected, analysed, shared, stored and deleted (collectively 'processed'). The GDPR includes a series of principles that require personal data to be:

• processed lawfully, fairly and transparently for the individual
• collected for specific purposes and not reused for other purposes
• minimized in its collection and processing
• kept up to date
• stored for the shortest time possible
• secured against unauthorized processing, and loss, destruction or damage

The GDPR sets out the types of controls that must be in place if the privacy of individuals' personal data is to be protected. When reviewing how personal data is processed, the GDPR requires an assessment of whether such processing represents a high risk to the rights and freedoms of the individuals whose personal data is being processed (the trigger for a data protection impact assessment under Article 35). This assessment needs to be applied in many different circumstances where personal data is processed. Some organizations have found it difficult to assess these risks and have sought advice and guidance from regulators about how to carry out this assessment.

The role of ISO/IEC 27701

The ISO/IEC 27701 standard extends the ISO/IEC 27001 ISMS to incorporate privacy requirements. Since many organizations already have an ISO/IEC 27001 ISMS, it reduces the complexity of establishing a Privacy Information Management System (PIMS), because the ground has already been laid. Those organizations familiar with ISO/IEC 27001 will be able to extend their ISMS to address privacy and support them in GDPR compliance, as well as compliance with other privacy laws, by providing a means to demonstrate commitment to privacy information management.

The standard identifies controls that must be in place to allow the management of personal data, or Personally Identifiable Information (PII), to be systematic and transparent. It sets out the controls that are required if the organization is acting as a controller or a processor of PII.

Controls in the standard cover the entire life cycle of PII: collection, analysis, sharing, storage and deletion. The individual to whom the PII relates (the PII principal) is placed at the centre of these controls, just as the GDPR requires.

The benefits of the standard

Global consistency

Organizations often operate in more than one country and so have many privacy and information security requirements from different jurisdictions. By using an internationally recognized standard, the organization can gather all the requirements together so that only one set of actions is needed to help achieve and maintain compliance. This is particularly important when organizations transfer PII across borders where different laws and control requirements exist on either side of the border.

Stakeholder management

A standard can also provide a structure to incorporate the additional requirements set by the organization’s stakeholders such as the Board or customer representatives.

A standardized approach for privacy and information security compliance, based on a best practice standard, provides a clearly signposted beginning, middle and end to a compliance programme. Meeting the requirements of a standard can be used to support the business case for achieving or maintaining compliance, helping to make the issue tangible for senior management. Strong stakeholder buy-in is an essential element in the success of such a programme.

Programme management

An organization that insists that any capital expenditure is managed through a formal project can also use a standard as a framework for programme management, incorporating the risk assessment, mitigation and monitoring activities of both change and ‘business as usual’ activities.

Programmes often use a formal process for identifying requirements and project objectives that together can add real value. A standard provides a structure for doing precisely this and, when coupled with an internal or external assessment, it provides a tight framework for co-ordinating compliance activities. This helps avoid distractions and digressions on peripheral issues, ensuring a focus on achieving and maintaining compliance.

Using a standard as part of a programme management discipline can help different departments, geographies and technical functions to work together on a single transparent set of requirements. This is essential if cross-border data transfers are to be controlled in more than one country.

Also, using a project delivery approach means that simple metrics can be used to explain progress to senior management in a way that gives credibility to the work of achieving and maintaining compliance. Providing senior management a simple view of the progress towards privacy and information security compliance is essential for the management of the legal risks associated with new laws such as the GDPR. This is particularly the case as fines for non-compliance can be measured in the millions.

Internal education

A standard document can also be used to educate non-specialists in the technical discipline of the standard. It can also help to structure training programmes that provide awareness training across the organization, as well as accredit technical staff as experts in their field. Privacy and information security controls must be successfully implemented and followed by every member of staff, consultants, contractors, visitors and third parties if an organization is to be compliant. Each group needs specific training programmes aligned to their needs to ensure that they are fully aware of their responsibilities and how to operate controls effectively. A standard provides a framework that allows training programmes to be comprehensive, while sharing common messages across different groups.


Assurance

A standard can also be used to provide a framework for testing controls and providing assurance on privacy and information security using successful test results. It helps establish requirements that translate into control objectives and can support the identification of particular controls that an organization must have in place to comply with privacy and information security requirements. Tests of the controls can then be planned, carried out and reported to provide assurance to internal and external stakeholders. A standard allows this workflow to be organized systematically and to be managed as a project to meet senior management objectives.

Demonstrating the achievement and maintenance of compliance with a recognized standard can help to provide assurance to internal and external stakeholders such as regulators and suppliers throughout the supply chain. Both will insist on assurance from an organization on their compliance with privacy and information security requirements, with suppliers needing this before accepting components or services. This requirement is becoming an increasingly important part of supply chain assurance. A standard provides a baseline of controls that allows both upstream and downstream supply chain partners to understand the risks of sharing information, and allows them to mitigate any residual risks by implementing additional controls over their data transfers.

Proactive approach

No matter how many privacy and information security controls are in place, organizations will still be at risk of experiencing a data breach. Where an organization complies with a standard, but nonetheless suffers a privacy or information security breach, the organization can claim that they suffered the breach despite compliance with a best practice standard. The alternative is that they cannot demonstrate their best endeavours to comply, putting them at risk.

When reporting such a breach to the relevant regulators, being compliant with a recognized standard can provide assurance to the regulators that controls are organized systematically and can be strengthened easily following the breach. Without demonstrating compliance with a standard, organizations may need to do more to convince regulators that they have a mature control environment and that it takes compliance with privacy and information security requirements seriously.

Discussions with regulators in these situations can often involve sanctions. The organization can use their compliance with a recognized standard as a mitigating factor in argument against sanctions or fines. As fines under the GDPR can be significant, up to four per cent of annual global turnover, the return on investment on complying with a recognized standard could be very positive.


Key concepts
The language of privacy and information security requirements can seem daunting to those new to the field. However, help is
available as defining key concepts is central to the work of creating international standards. Some definitions will be widely
accepted by practitioners, while others will be disputed, sometimes indefinitely. Nonetheless, standards present an internationally
recognized definition of key concepts that practitioners can use in their day-to-day work of implementing controls. ISO/IEC 27701
and associated standards define many of the key concepts that a compliance programme in privacy and information security
requires. Some of these key concepts are described below.

Definition: Personally Identifiable Information (PII)

ISO/IEC 27701:2019 uses the vocabulary common to the suite of ISO 2700x standards that cover information security and associated controls. It uses the term Personally Identifiable Information (PII) to describe the information assets that must be protected and managed when providing security and privacy for a PII principal or individual.

PII is defined in section 2.9 of ISO/IEC 29100:2011 as information that can be used, on its own or combined with other linked information, to identify a PII principal or individual. This term is most often used in US Federal Laws such as the Health Insurance Portability and Accountability Act (HIPAA), which helps protect medical records and other personal health information. So, for example, an individual’s IP address is not in itself PII. However, if it is reasonably possible to combine it with other linked information, such as names in IP allocation tables, then this becomes PII.

Sensitive PII is defined in section 2.26 of ISO/IEC 29100:2011 as PII that contains information related to the most intimate details about a PII principal or individual, or whose impact on the individual, if disclosed, would be significant.

Definition: Privacy

‘Privacy’ can be considered as the term that describes the end result of adequate controls over the ‘processing’ of PII. Section 2.22 of ISO/IEC 29100:2011 includes the definition of a privacy stakeholder as a PII principal or individual that can be affected by a decision or activity related to the processing of PII. Privacy can therefore be defined as the prevention of adverse impacts on PII principals or individuals as a result of the processing of PII.

The GDPR does not define privacy, but states its objective in Article 1 as the protection of the fundamental rights and freedoms of individuals with regard to the processing of personal data, and in particular their right to the protection of their personal data.

The risk to privacy of PII is defined in section 2.19 of ISO/IEC 29100:2011 as the effect of gaps in information about an event, its likelihood or consequence for the privacy of PII.

Privacy controls are defined in section 2.14 of ISO/IEC 29100:2011 as organizational, physical and technical measures that treat privacy risks by reducing their likelihood or consequence.

Personal data – EU terminology


In the EU, the term ‘personal data’ has been used in the GDPR.
‘Personal data’ is defined in Article 4 as any information relating
to an individual that, using reasonable means, allows them to
be identified. So, for example, profiling an individual through
their IP address, even though their name may not be disclosed,
will make this information ‘personal data’.

In the EU, special categories of personal data are defined in


Article 5 of the GDPR as revealing the most sensitive details
about an individual, which might prevent them exercising
their rights and freedoms under the Charter of Fundamental
Rights of the EU. For example, information about an individual’s
racial or ethnic origins, religious beliefs or sexual orientation
would be considered a special category of personal data. The
GDPR would then require this information be protected using
additional privacy controls.


Definition: Information security

Privacy is impossible without adequate information security. Adequate information security is necessary for privacy of PII but is not by itself sufficient. Preventing the disclosure, loss or corruption of PII cannot be effective unless the entire life cycle of the PII processing is protected through information security controls. Section 3.28 of ISO/IEC 27000:2018 defines information security as the end result of adequate controls to preserve the confidentiality, integrity and availability of information.

Confidentiality is defined by section 3.10 of ISO/IEC 27000:2018 as a property of information security where information is not disclosed to those unauthorized to receive it. Disclosure could be the result of a deliberate leak of information outside an organization, an accidental disclosure to the wrong person or a deliberate transfer that was based on inaccurate advice and so was an unauthorized disclosure.

Integrity is defined by section 3.36 of ISO/IEC 27000:2018 as a property of information security where information retains its accuracy and completeness. Controls should also be in place to update the accuracy and completeness of the information in order to provide assurance about these properties to its users.

Availability is defined by section 3.7 of ISO/IEC 27000:2018 as a property of information security where information is made accessible on demand to authorized users. The requirements of users for access to information will vary by the criticality of business process and therefore the sophistication of arrangements required to provide the information under all circumstances will also vary.

The GDPR defines a principle of information security for personal data in Article 5. It requires the use of appropriate technical or organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. Section 3.28 of ISO/IEC 29000:2018 notes that other properties of information security, such as authenticity, accountability, non-repudiation and reliability, can also be considered part of information security. Most practitioners see these as sub-properties of confidentiality, integrity and availability.

Definition: Control

A control is an activity that provides a means of treating risk. Section 3.14 of ISO/IEC 29000:2018 defines a control objective as a description of what a control is intended to achieve, while section 3.61 defines a control as a measure that modifies risk, and in the case of privacy controls, modifies privacy risk. The GDPR does not define a control or a control objective.

Good practice supports the identification of control objectives to address particular privacy risks. One privacy risk might apply to more than one privacy control objective. Each control objective requires the design of a suite of controls – some organizational, some technical – that with effective operation addresses the privacy risk to PII. The privacy controls, as defined in section 2.14 of ISO/IEC 29000:2018, reduce the likelihood or consequences of a privacy risk materializing. Compliance against ISO/IEC 27701 would require each control objective to be defined, and controls designed to meet each of these, so providing a framework of controls that together support the privacy of PII.


Definition: Testing

Testing is the activity of assessing the effectiveness of the design of a control or its operation. Without adequate testing, it’s impossible to accurately assess whether the control is suitable to achieve the control objective. Similarly, without adequate testing of the operation of the control, it’s impossible to accurately assess whether the control is effective in treating risk.

Good practice in testing requires a test plan to be created in advance. This plan should set out:
• the control objectives
• the characteristics of the control design that will be tested
• the criteria against which the design will be assessed
• sample sizes for the output of the control in operation
• threshold acceptance levels that demonstrate effective operation
• reporting lines for acceptable and unacceptable testing results

The testing of privacy controls should consider the central use cases as set out in the analysis of the business process that handles PII. However, no business process works perfectly in all situations, and so testing must also consider use cases where business processes are operated incorrectly or are disrupted by internal or external agents for malicious reasons. Only when the full suite of use cases has been tested successfully can the privacy risk be considered to be under control.

External sources of information can contribute to the risks to the privacy of PII. For example, the principle of minimization can mean that organizations collect very little PII. However, no matter how little PII is collected, when combined with other sources of data, it can allow individuals to be identified and their privacy placed at risk. Testing of privacy risks should also consider scenarios where external sources of data are combined to identify an individual. A celebrated example of this is when a journalist managed to combine different sources of data to allow them to successfully apply for a passport in the name of the Information Commissioner.

Compliance to ISO/IEC 27701 would require an organization to demonstrate that risks to the privacy of the PII that it handles had been assessed, controls put in place and controls shown to be operating effectively through a comprehensive framework of control testing. Testing would therefore be central to this process.


Overview of the global privacy regulation landscape

The key source of information on applying the GDPR is the European Data Protection Board (EDPB). It issues guidance on various topics, such as carrying out Data Protection Impact Assessments, which is available online (https://edpb.europa.eu/guidelines-relevant-controllers-and-processors_en).

The EDPB took on the role of its predecessor organization, the Article 29 Working Group, which had been created by the Data Protection Directive 95/46/EC that was incorporated into UK law as the Data Protection Act 1998. When the EDPB was formed, it adopted all of the guidance published since 1997 covering topics such as employee monitoring and breach notification. All of this guidance is available online (https://ec.europa.eu/justice/article-29/documentation/index_en.htm). When reviewing an area it believes needs guidance, the EDPB works to establish a consensus between each of the Data Protection Authorities (DPAs) throughout the EU, such as the UK’s Information Commissioner’s Office (ICO) (www.ico.org.uk) and France’s Commission Nationale de l’Informatique et des Libertés (CNIL).

DPAs are responsible for registering organizations that control the processing of personal data, providing advice to organizations and to individuals, responding to complaints from individuals and investigating and fining organizations that have experienced a data breach. The DPA will also prosecute organizations if they believe that their processing of personal data is not compliant with the GDPR.

While there is still ambiguity over how to comply with some aspects of the GDPR, instances where a DPA prosecutes an organization for non-compliance will provide a useful indication about how the DPA and the courts expect organizations to comply with the law. Where a case is appealed to the European Court of Justice, the EU’s supreme court, the judgements can be considered definitive. These cases tend to offer an indication of how to implement the GDPR in some of the most complex circumstances. These cases are reported online (https://eur-lex.europa.eu/homepage.html?locale=en).

The global impact of GDPR

The GDPR covers the personal data of European citizens, no matter where their data is processed, and has therefore set a high standard for organizations all over the world. Other countries, when considering how to revise their own data protection laws, have looked to the GDPR as an up to date model for data protection in the age of global social media. Brazil has introduced a new data protection law (LGPD) that comes into force in 2020 which adopts many of the principles of the GDPR. In addition, the new California Consumer Privacy Act (CCPA), which also comes into force in 2020, adopts some of the concepts of the GDPR. Legislators in Washington DC have been negotiating to introduce a federal data privacy law that may pre-empt the CCPA, and their efforts have centred on achieving similar protections to those in the GDPR. Being compliant with the GDPR therefore means less effort is required to comply with international laws.

Other European privacy laws

The GDPR was created at the same time as two parallel laws, Regulation (EU) 2018/1725, that require good data protection practices in EU institutions, and the specific data protection Directive (680/2016) that requires good data protection practices in EU law enforcement bodies. The Regulation (EU) 2018/1725 came into effect for EU institutions on 11 December 2018, while the Directive came into effect in each jurisdiction through local enabling laws. It was incorporated into the UK’s DPA 2018, which came into effect on 23 May 2018. A copy is available online (http://www.legislation.gov.uk/ukpga/2018/12/contents).


ePrivacy regulation challenges AdTech business model


In addition to the GDPR and the Directive, the EU is creating a new law to update the Privacy and Electronic Communications Directive 2002 (2002/58/EC) or the ePrivacy Directive. The Directive was given legal force in the UK through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) and became known as the ‘cookie law’.

When introduced, the ‘cookie’ law required Internet sites to ask permission from users to place cookies on their computers. However, the law was not clear how this might work. Companies were concerned that in order to establish whether a user had previously opted out of having cookies placed on their computer, they would have to have already placed a cookie which could then inform the company about the user’s preferences. The law was also unclear about whether a user had to opt in to having cookies placed on each visit to a website, or just the first visit. As a result of this confusion, the law was interpreted widely, and many sites failed to comply with the spirit of the law.

The revision of the ePrivacy Directive is intended to respond to the changes in the processing of personal data on the Internet since the previous law in 2002, and to align requirements with the GDPR. This new law will be a regulation, just like the GDPR, and so will be uniformly applicable across the EU. The latest draft of the Regulation (13 March 2019) makes the processing of any personal data as part of electronic ‘interpersonal communication’ subject to privacy controls similar to the GDPR.

The processing of metadata has also been considered during the drafting of the Regulation. Whether the metadata associated with the processing of personal data online is also classified as personal data is an issue that has not yet been settled, but case law seems to be pushing towards this outcome. This would mean that metadata would also need to be protected by similar privacy controls to those for personal data.

The need to warn website visitors about the use of cookies to record activity on a site was the most public aspect of the original Directive. This requirement to warn visitors on every visit is one that some hoped might be discarded in the new Regulation.

The latest draft seeks to reduce the workload on visitors by allowing generic opt-in or opt-out to cookies within the browser settings. However, consent will still be required in most situations, and the level of consent is expected to meet that of the GDPR and so be ‘freely given, specific, informed and unambiguous’. Websites will also have to inform visitors how their personal data will be processed and to which third parties it will be transferred. Some websites have already begun to structure their cookie consent banners to reflect this GDPR requirement, but the ICO has already highlighted that the majority of websites are not yet compliant with the GDPR.

For some organizations, the need to restrict processing, inform customers and secure consent will be a challenge. Where this challenge cannot be met, some organizations will have to change their business models. The ICO has warned organizations of this risk in its June 2019 publication on AdTech (https://ico.org.uk/media/about-the-ico/documents/2615156/adtech-real-time-bidding-report-201906.pdf).

The ePrivacy Regulation is expected to be finalized later in 2019 or 2020 and become law automatically in all EU states within 24 months. Other countries in the European Economic Area (Norway, Liechtenstein and Switzerland) would negotiate a timetable for the Regulation to apply to their countries. Third countries would have to negotiate bilaterally and reflect the requirements of the ePrivacy Regulation in local law, such as where certain country organizations wish to process the personal data of EU citizens online.


Competition law challenges for those processing large datasets

Those organizations that process large amounts of personal data are discovering that their processing may also infringe competition law.

Competition law is designed to prevent a dominant market position being used to reduce competition from other organizations in the same market. Where organizations, such as social media platforms, process the personal data of large numbers of individuals, they might be considered to have a dominant position in the market for gathering market research data, and providing display advertising. New competitors might struggle to compete against an existing social media platform as the new company will not have the benefit of millions of existing customers and their Internet data. Where this dominant position is considered to prevent other organizations also gathering such market research data, reducing competition in the market, the social media platform could be subject to competition law scrutiny.

In the EU, the Commission’s Competition Directorate tends to look at the market share of particular organizations in specific markets to determine whether there is a risk to competition in the market. Where competition law finds a dominant position in the market for market research data, sanctions can include fines for anti-competitive behaviour, divestment of subsidiaries or breakup of dominant groups. The European Commission is actively considering how new regulations might help to ensure that social media platforms do not reduce competition from other companies.

Online harm from personal data posted online


Where users post their own material online, in the so-called Web 2.0, this material can be considered personal data. Not only does a hosting site have to protect the privacy of this data, but it must also consider whether hosting this user-generated material will lead to harm to third parties. Calls have grown in a number of countries for social media platforms to be regulated like publishers of individuals’ posts rather than merely as technology companies providing the platform’s underlying technology.

In New Zealand, the Harmful Digital Communications Act 2015 requires hosts of user-generated material to delete online material if served with a complaint about specific content, even if the complaint is ignored by its author. In April 2019, the UK Government published a white paper that proposed placing a ‘duty of care’ on hosts of user-generated material (https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/793360/Online_Harms_White_Paper.pdf). If made law, it would require posts that are considered to contain material that is harmful to children or vulnerable people to be removed within a strict time frame. Ireland is considering a similar law. Calls have been made in the US for social media platforms to take more responsibility for the user-generated material they host. The US Congress has taken this issue sufficiently seriously to ask the social media platforms to testify about how they deal with online harms.

There appears to be a drift of the law towards seeing the hosts of user-generated material as publishers rather than technologists. This change in status would have significant implications for all online hosting platforms, not just the major social media platforms. Any organization that hosts user-generated material may have to build new business processes to scrutinize posts and promptly delete those considered to be harmful.


Implementing privacy and information security standards

Standards can help to provide a baseline of control objectives for organizations that are seeking to comply with privacy and
information security laws and regulations. Where multiple laws must be complied with, a single standard can be used to
accommodate each set of legal requirements into a single structure that an organization can use as a focus for its compliance
efforts. Implementing standards allows an organization to demonstrate to regulators, suppliers and customers that it not only has
privacy and information security controls in place, but that senior management takes these issues seriously.

The challenge of GDPR certification


The EDPB published guidance in June 2019 (https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf) on the requirements for new certification schemes that will allow organizations to demonstrate compliance with the GDPR. In the future, certification schemes are likely to be developed that cover aspects of GDPR compliance such as Data Subject Access Requests, Complaints Processes, Privacy by design and Communications with Data Subjects.

There are currently no certification schemes that cover all aspects of the GDPR. The EDPB has noted that certification schemes that cover only some GDPR controls can help organizations demonstrate their overall compliance with GDPR. A mosaic of certification schemes is therefore expected to form the basis of GDPR certification for most organizations for the foreseeable future.

Privacy governance
Good business governance is important to help organizations respond to changing environments, and there are different types
of standards available to support. For example, management system standards help organizations to manage risk and improve
performance across a range of areas from quality management and health and safety to privacy and information security.

The benefits of a management systems approach

Complying with any standard for a business process or product helps an organization develop in a specific discipline. However, implementing a management systems standard requires a much more robust approach that impacts all functions across the organization. If the management systems standard is going to be effective, it must be embedded into the existing management of the organization.

A management systems standard is focused on making compliance with the standard robust at any point in time and sustainable in the longer term. This type of standard makes the management of the organization as a whole much more systematic and transparent. Compliance against the standard demonstrates that the organization takes its management responsibilities seriously.

Leadership engagement

A key feature of a management systems standard is the requirement for the organization’s senior management to be involved. This can bring significant management attention to issues, such as privacy and information security, and help to raise the profile of the issues within senior management teams. It can also support future conversations about the need for further investment and attention. For most organizations, the progress towards compliance is an everlasting one, and so following against an international standard provides ongoing focus for a programme that can lose focus after the initial burst of energy.

Integration efficiencies

Any management systems standard is also designed to be shared in a modular way, so that the effort of adding a new management systems standard to an organization is minimized. Once an organization has embedded a single management standard, say for quality, the extra effort required to add an additional management standard, say for privacy and information security, is much less than that for the initial standard.

Any organization that seeks to comply with privacy and information security requirements through a management systems standard is therefore investing in the robustness and sustainability of their organization in a way that allows other technical areas such as safety, or quality to be addressed in the future.


Conclusion

This white paper has explored the privacy regulation landscape. It has not only demonstrated a number of differences and similarities globally, but also highlighted the importance of specific regulatory requirements such as the ePrivacy Directive.

All regulations have positive intentions to support an individual’s privacy rights, and the foundation set by GDPR has given a springboard to other countries and states around the world. There are of course nuances between these that can create a challenge for organizations; however, that is where international standards can offer support.

ISO/IEC 27701 is a great example of a management systems standard that encourages organizations to put governance around their personally identifiable information activities. It requires jurisdictional differences to be considered and encourages senior management to take privacy seriously. This is of critical importance when new regulations are coming into place and the impacts can affect the bottom line.

It is also essential to recognize that the regulatory landscape is complex, ever changing and needs to be regularly reviewed. By adopting a management system approach, organizations are encouraged to continually monitor and assess performance in light of the business environment in which they operate; and ISO/IEC 27701 is a great example of organizations, governmental bodies and academics bringing their knowledge together to provide a governance framework that can support this.

Author

Kieran McDonagh, Riskscape Law Ltd

Kieran McDonagh is an experienced data protection and cyber security professional. He has used international standards to audit, risk assess and remediate controls in data protection, cyber security, business resilience and supply chain risk management. He has led regulatory compliance projects for BNP Paribas, BP and Centrica, and he is currently a member of the BSI committee developing the international standard ISO 31700 – Privacy by Design. He has master’s degrees in cyber security, management science and law.

Reviewers

This white paper was peer reviewed by:

Geoffrey Goodell, Senior Research Associate, UCL CBT, UCL Computer Science.

One peer reviewer elected to remain anonymous.

Disclaimer

This white paper is issued for information only. It does not constitute an official or agreed position of BSI Standards Ltd. The views expressed are entirely those of the authors.

All rights reserved. Copyright subsists in all BSI publications including, but not limited to, this white paper. Except as permitted under the Copyright, Designs and Patents Act 1988, no extract may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior written permission from BSI. While every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.


Why BSI?
BSI has been at the forefront of information security standards since 1995, having produced the world’s first standard,
BS 7799, now ISO/IEC 27001, the world’s most popular information security standard. And we haven’t stopped there,
addressing the new emerging issues such as privacy, cyber and cloud security. That’s why we’re best placed to help you

Working with over 86,000 clients across 193 countries, BSI is a truly international business with skills and experience
across a number of sectors including automotive, aerospace, built environment, food, and healthcare. Through its expertise
in Standards Development and Knowledge Solutions, Assurance and Professional Services, BSI improves business
performance to help clients grow sustainably, manage risk and ultimately be more resilient.

Our products and services

Knowledge

The core of our business centres on the knowledge that we create and impart to our clients. In the standards arena we continue to build our reputation as an expert body, bringing together experts from industry to shape standards at local, regional and international levels. In fact, BSI originally created eight of the world’s top 10 management system standards.

Assurance

Independent assessment of the conformity of a process or product to a particular standard ensures that our clients perform to a high level of excellence. We train our clients in world-class implementation and auditing techniques to ensure they maximize the benefits of standards.

Compliance

To experience real, long-term benefits, our clients need to ensure ongoing compliance to a regulation, market need or standard so that it becomes an embedded habit. We provide a range of services and differentiated management tools which help facilitate this process.

© 2019 The British Standards Institution. All Rights Reserved.
