Privacy

1. What is Privacy?

Privacy is the fair and transparent use of personal information. Personal information is defined broadly to include any of the following: name, address, e-mail, telephone number, identifying number (such as a Social Security Number), health or biometric information, location information, and more.

2. What’s the difference between privacy and security?

Privacy builds on security and extends it by giving data subjects (consumers) greater control over their data. This primarily covers data use practices, such as the types of processing performed and who data is shared with. It also addresses clear and transparent communication with data subjects about data collection and use. Privacy overlaps significantly with security functions, but it also typically involves members of the legal team.

3. Does privacy apply to me?

If you collect personal information as part of your business, then yes. While protection of anyone’s personal information (including business partners, employees, customers) is important, customer or consumer personal information is typically the highest priority.

If you process sensitive information relating to health, biometrics, information about political views, sexual orientation, or genetic makeup, then you are likely subject to enhanced requirements regarding how you collect, process, and disclose this data.

4. What are my obligations?

To be ISO 27001 certified means that an entity has engaged with an ISO accredited certifying body (CB) and undergone an assessment that resulted in the organization’s management system being certified.

  • Source 1: Regulations (statute, administrative rulings, and case law) according to jurisdiction
    • Within the US: California, Colorado, and Virginia have all passed comprehensive privacy laws. These laws overlap substantially. Compliance with these laws can be demonstrated in part by achieving a privacy certification.
    • Internationally, the EU’s General Data Protection Regulation (GDPR) is the principal compliance obligation if you have customers in the EU. Many countries have also passed similar laws.
  • Source 2: Contractual obligations (B2B, B2C, B2G) according to enforceability
    • What you have agreed to in customer contracts and terms of service. Customers may impose obligations to allow them to meet their requirements in the above categories. In addition, customers may require recognized certifications such as SOC 2 Privacy and ISO 27701.

5. What are some of the core Privacy concepts?

Privacy by Design: a method of protecting privacy by embedding it into the technical specifications of the infrastructure or application in question; for example, limiting the collection of data subject information that is not necessary.

Simplified Choice for Businesses and Consumers: Giving consumers the means to make decisions about their data at a relevant time and context through, for example, opt-out mechanisms and data subject request processes.

Greater Transparency: Making information collection and use practices transparent.

6. How can I demonstrate compliance?

ISO 27701 is considered the primary method for demonstrating privacy compliance. An extension of the popular ISO 27001 certification, ISO 27701 contains privacy-specific controls that an organization must address.

SOC 2 includes five Trust Services Criteria (TSC) that service organizations can consider in scope. The “Privacy” TSC covers the basic elements of a privacy program and is frequently used to demonstrate privacy compliance.

7. What is an ISO 27701 Privacy Certification?

ISO 27701 is a standard that builds upon ISO 27001 and sets additional guidelines for how personally identifiable information (PII) should be managed and processed. An ISO 27701 certification enables organizations to take their Information Security Management System (ISMS) to the next level by establishing a Privacy Information Management System (PIMS). This demonstrates a regulatory-agnostic approach to privacy protection compliance as a component of information security.

The ISO 27701 standard lays out a detailed set of operational checklists that can be adapted to various regulatory frameworks, such as the EU’s General Data Protection Regulation (GDPR), and can then be used to demonstrate compliance to consumers, businesses, and other stakeholders. In effect, this provides assurance to interested parties that your organization has adopted worthwhile privacy and information security programs that reduce privacy-related risks.

Interested in learning more about what it takes to get certified? Check out a couple of our whitepapers, “ISO 27701 Path to Certification: Understanding the Framework” and “The Business Case for ISO 27701 Implementation,” for a more detailed breakdown.

8. How long does it take to become compliant?

It depends. Most organizations can achieve and receive third-party validation of compliance to ISO 27701 or SOC 2 within six to 12 months.

Phalanx GRC