It is a system for the ongoing creation, implementation, maintenance, and improvement of a Privacy Information Management System (PIMS). The standard builds on the requirements, controls, and objectives of the information security management system standard (ISO/IEC 27001:2013).
In addition, it creates a framework that helps reduce the privacy risks faced by those processing personal data or personally identifiable information (PII), that is, any information or data that identifies or could identify a person.
The standard has been designed for use by those responsible for processing personal data.
The main benefits of a privacy information management system (PIMS, ISO 27701):
- Providing security guarantees on processing personal data.
- Integrating privacy management into business risk management.
- Ensuring that a mechanism for reporting privacy violations exists.
- Establishing clear roles and responsibilities for managing privacy.
- Improving the contract management with data processors and users.
- Ensuring that data subjects are able to exercise their rights with confidence.
- Providing customers with transparency and efficiency in the management of personal data processing.
To keep pace with the latest developments, we will work with the latest version of the standard (ISO/IEC 27701), which is the 2019 version.
Who can obtain privacy management certification?
- This system can be applied to all kinds of organizations, regardless of their size and type, including companies in the private and public sectors, non-governmental organizations, and nonprofit organizations.
However, they must already have applied information security management (ISM, ISO/IEC 27001:2013) in their departments.
- The latest version of ISO 27701 enhances and expands the efforts to maintain the privacy of the data managed by the Information Security Management System (ISMS). This helps improve the reputation and image of the organization, strengthening its commitment to information security and its compliance with data protection laws such as RGPD or LOPDGDD.
- Organizations that do not have an information security management system (ISMS) and want to obtain the certification must implement ISO/IEC 27001 and ISO/IEC 27701 jointly, because the new standard is an extension of the ISO 27001 requirements and the code of good practice (ISO 27002).
- This new information security standard provides guidelines for institutions that want to comply with the requirements of the General Data Protection Regulation (GDPR) and other requirements associated with data privacy.
- The ISO/IEC 27701 standard, also known as PIMS /(IQAS), provides a framework for monitoring and processing personally identifiable information (PII),
and for minimizing the risks to the privacy rights of individuals and organizations by improving the existing information security management system (ISMS).
This standard is considered the best way to prove to clients and to external and internal stakeholders that an effective management system has been implemented to achieve compliance with the General Data Protection Regulation (GDPR) and other privacy laws.
An overview of the Privacy Information Management System (PIMS) and personal data
The European Union's General Data Protection Regulation (GDPR) has ushered in a new era of global privacy and compliance regulation, in which more privacy regulations have been enacted; as a result, organizations must implement policies and procedures to guarantee compliance with these privacy regulations.
In addition, the world is currently in the middle of a rapid digital transformation in which the collection and processing of data is growing exponentially. The simultaneous growth in the volume of data and in the regulatory requirements related to that data makes compliance increasingly complex for organizations of all types.
The new international standard for privacy information management systems (PIMS), ISO/IEC 27701, previously known as ISO/IEC 27552, helps organizations reconcile privacy regulation requirements with operational controls.
Personal data is any information (including opinions and intentions) that relates to an identified natural person or that could identify that person. Personal data is subject to specific legal guarantees and other regulations, which impose limits on how organizations can process it. Organizations that handle personal data and make decisions about how it is used are called "data controllers".
ISO/IEC 27701 addresses three major challenges related to compliance:
- Many irreconcilable regulatory requirements:
Reconciling multiple regulatory requirements through a single global set of operational controls allows consistent and effective implementation.
- Auditing regulation by regulation is too expensive:
Both internal and third-party auditors can assess regulatory compliance using a comprehensive set of operational controls within a single audit cycle.
- Promising to comply without proof is risky:
Commercial agreements that involve the transfer of personal information (PI) may require certification of compliance.
The regulatory requirements are too many to reconcile
The ISO 27701 standard includes an annex that maps its operational controls to the relevant requirements of the General Data Protection Regulation (GDPR) for controllers and processors. This mapping is just one example of how privacy regulations can be operationalized; by providing and validating additional mappings to other regulations, the operational controls of the standard can be carried directly from regulatory review to implementation. This international framework allows organizations to operationalize the relevant regulatory requirements reliably without "reinventing the wheel". An open-source project is in progress to enable the privacy community to map other regulations and to validate the current mappings.
Too expensive to review regulation after regulation
As more privacy regulations come into force, the pressure to provide evidence of compliance will increase, but the cost of the various regulatory certifications becomes very high if each regulation requires its own audit. By defining a set of international operational controls, the privacy information management system (PIMS) also defines an international framework for auditing, and potentially validating, compliance with multiple regulatory requirements.
It is important to recognize that official GDPR certification requires pending approval decisions by European regulators. While the compatibility between PIMS and GDPR is clear, PIMS certification must be considered evidence of compliance with the General Data Protection Regulation, not official GDPR certification, until those regulatory decisions are finalized.
Promising to comply without evidence is risky
Modern organizations carry out complex data operations through a deep network of business partners, including partner organizations such as joint controllers and processors (for example, cloud providers) and sub-processors (for example, vendors that support those processors). A failure to comply with the regulation in any part of this network can lead to cascading compliance issues along the chain. This is where compliance verification provides value beyond the guarantees offered by the contractual terms between these organizations. Since the global economy means that most of these organizations are spread all over the world, it is practical to use an international standard from ISO to manage compliance across the network.
This reliance on compliance raises the importance of certification to the standard. Not all organizations and companies will need to obtain the certification, but most will benefit from partners and vendors that have it, especially when sensitive data or large processing volumes are shared.
The basic building blocks of the standard
PIMS is built on top of the most widely adopted international standard for information security management, ISO/IEC 27001. If your institution is already familiar with ISO/IEC 27001, it is logical and more efficient to integrate the new privacy controls of the privacy information management system (PIMS) with it, which means that implementing and auditing both will be less expensive and easier.
The main points about ISO/IEC 27001 and PIMS:
- ISO/IEC 27001 is considered one of the most widely used standards in the world, and many companies are already certified to it.
- PIMS introduces new controls specific to controllers and processors, which help bridge the gap between privacy and security and provide an integration point between two functions that are often separate within organizations.
- Privacy depends on security. Accordingly, PIMS relies on ISO 27001 for security management. PIMS certification must be obtained as an extension of ISO/IEC 27001 certification; it cannot be obtained independently.