EN ISO/IEC 27701 “Security techniques. Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. Requirements and guidelines” sets out generic requirements for a Privacy Information Management System whose guidance can be adapted by organizations according to their context and applicable obligations. It can be considered as an international framework, in which it is possible to define more particular, regional refinements.
CEN and CENELEC’s Joint Committee 13 ‘Cybersecurity and Data Protection’ (CEN-CLC/JTC 13) has now started a new project, which aims at developing a standard that offers such refinements for a European context: the aim is to develop guidelines that organisations will be able to use for the purpose of demonstrating compliance with their obligations relating to GDPR.
The refinements that will be set out in the new document relate to processing operations as part of products, processes, and services. Certification bodies will be able to use these requirements and refinements to assess the conformity of both a privacy information management system per ISO/IEC 17021 and the processing operations of a product, process or service per ISO/IEC 17065. Provisions of this document may be considered for the creation of a certification mechanism as per GDPR’s article 42, which establishes this possibility.
Many stakeholders would benefit from this new standard: organisations processing personal data, which will no longer need to interpret ISO/IEC 27701 themselves anymore; regulatory bodies, who will have the possibility to use provisions from this document to establish certification mechanisms; and of course consumers, who will be able to trust products complying with a standard that strengthens the protection of personal data.
Should you be interested to participate in the development of the new “Privacy Information Management System per ISO/IEC 27701 - Refinements in European context”, we invite you to contact your National Standardization Body (NSB) or your National Committee (NC).
Lucia LANFRI
llanfri@cencenelec.eu