Privacy Daily is a service of Warren Communications News.

IAPP: Revamped ISO Privacy Compliance Standard Could Benefit Multinationals

An updated International Organization for Standardization (ISO) standard for managing privacy compliance programs published this month "could be a good fit for multinational organizations looking to create a unified privacy management framework," Birdie Data Protection Officer Henry Davies said in an IAPP analysis Tuesday.


ISO 27701, "Information security, cybersecurity and privacy protection - Privacy information management systems [PIMS] - Requirements and guidance," provides rules and guidance for setting up, implementing, maintaining and improving a PIMS.

The standard updates the 2019 version, Davies noted. It includes several significant changes, such as being a standalone management system, meaning companies will no longer need to have an ISO 27001-certified information security management system, he said.

The updated standard sets out the high-level requirements for establishing a PIMS that any organization seeking certification must meet. These include understanding the entity's context and its role in relation to personal data, either as a controller or processor, and establishing an internal data privacy policy with defined roles, responsibilities and authorities.

ISO 27701-certified businesses must also assess the risks and opportunities involved in effectively setting up their PIMS, such as identifying and evaluating privacy-related risks and how to control them.

Companies must define their privacy objectives and detail how they'll be measured and monitored, Davies wrote, and they must determine what resources they need to set up and maintain the PIMS.

There are also requirements for carrying out risk assessments and risk-treatment processes, and for measuring PIMS performance. This includes the creation of an internal audit program and regular senior management reviews.

ISO 27701 is intentionally jurisdiction-neutral, so multinationals could use it to create a unified PIMS, Davies said. It aligns closely with the EU and U.K. GDPRs, he added.

Davies urged organizations not to rely on guidance and commentary but to read the document. The standard is a starting point, not a substitute for compliance with local laws and regulations, he cautioned.