Protecting Sensitive Data

Implementing the Privacy Information Management System

Who Works With the Data and How Are They Monitored

Although information is a major source of revenue and a critical asset for most businesses, it can also prove to be at the root of significant losses.
Mishandling of information can lead to legal liability claims which considerably increase operating costs through the potentially liable party having to defend against actions, or being forced to pay performance or injunction penalties, or monetary damages. Liability claims are commonly generated through the negligence of employees or contractors as they handle information.

Personally Identifiable Information

Among the data routinely collected and stored to allow us to carry out our business activities, there is a special category known as personally identifiable information (PII). Since custodians of PII are quickly becoming liable for any breach of confidentiality, failure to follow the applicable laws and regulations can have harsh consequences.

Governments and Data Privacy

An unprecedented amount of information is now being collected and stored online. As a result, governments have put laws and regulations in place to ensure the security of personal information.
Here are just a few more measures with which your organization may need to comply to guarantee the confidentiality of the personal data in its care.

Laws and Regulations

Canada has enacted the Personal Information Protection and Electronic Documents Act (PIPEDA) in support of the Privacy Act which sets out the rules for how institutions of the Government of Canada must deal with personal information of individuals.

European Union has enacted GDPR which stands for General Data Protection Regulation and is the core European Union privacy law that came into effect on May 25, 2018.

In USA, the Health Insurance Portability and Accountability Act (HIPAA), the Fair Credit Reporting Act (FCRA), and the Electronic Communications Privacy Act (ECPA).

What Is PIMS

ISO/IEC 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. It specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

Why Implementing ISO 27701:2019 Matters

According to data privacy laws such as the GDPR (2016/679, Article 4), controllers and processors are responsible for manipulating and securing PII. Controllers collect the data and determine the purposes for which it will be processed. Processors process the data according to the controller’s instructions.
To mitigate the risks of non-compliance, the GDPR recommends the implementation of data protection certification mechanisms and data protection seals and marks.This is where ISO/IEC 27701:2019 comes in.

Knowledge.

Why Work With The Seratos Team of Experts

We Make Monitoring the Risk of Non-Compliance Easy

ISO/IEC 27701:2019’s enhanced SoA mapping requires that specific privacy regulations and unique regulatory requirements be identified and addressed. It also covers compliance with all the other conditions PII controllers and processors must respect.

We keep implementation lean by taking advantage of all the relevant documentation, records and technical evidence already in place. As a result, our mapping of controls to privacy requirements is both simple and efficient. Using comprehensive assessment methods, we help you evaluate and map controls that apply to the privacy requirements relevant to your activities. We use the results to create a “live” baseline control repository.

Leveraging the existing ISMS

The ISO/IEC 27701:2019 information system is designed to guarantee the security of PII. Building on your existing Information Security Management System (ISMS),it creates a Personal Information Security Management System (PIMS) that protects all PII as required by law and by the current standards of your industry.
We provide our clients with a comprehensive set of services designed to secure and maintain their ISO certification. Our successful approach to PIMS implementation entails bringing the right expertise to the task and setting up clear objectives for each certification project.

Supporting GDPR compliance

The ISO/IEC 27701 framework and controls make compliance verification easier for your organization and governmental authorities. Above all, having a comprehensive framework to guide the due diligence process gives you peace of mind.
You and everyone involved in your business activities can rest easy, knowing that your organization has a secure method that guarantees the safety of their PII.
By implementing the PIMS we help Data Protection Officers to generate and maintain valuable evidence, allowing them to respond to security questionnaires and inquires in a more timely and effective fashion.

Performing Privacy Risk Assessments

We use a documented approach to evaluating and controlling the risks associated with breaches, delays, rework and non-compliance with legal, contractual or regulatory requirements.
As part of the ISO/IEC 27701:2019 certification process, we facilitate the planning and execution of privacy risk assessments.
Our privacy assessments are performed following our risk management methodology and are part of the risk management activities required by ISO/IEC 27001:2022 and ISO/IEC 27701:2019 standards.

Why Getting ISO 27701 Certified

With all this in mind, ensuring that your Privacy Information Management System (PIMS) conforms to the ISO/IEC 27701:2019 requirements significantly reduces your non-compliance risks. It also demonstrates that your organization is respecting data privacy laws. More particularly:

It demonstrates due-diligence and compliance with data protection laws such as the GDPR by leveraging an existing ISMS.
It significantly reduces the audit fatigue helping you respond to security questionnaires and inquiries in a more timely and effective fashion.
It identifies and maps controls that are relevant to the requirements framework, while also generating and retaining necessary evidence of compliance for regulatory purposes.
It established a comprehensive framework to address the risk of non-compliance within the enterprise risk management framework.

Next Steps

Establish the scope of your Privacy Information Management System in alignment with the requirements of the ISO 27701:2019 Standard.

Identify and evaluate relevant operational risks associated with the scope of the PIMS and perform a privacy risk assessment;

Perform a gap analysis of the current ISMS as compared to ISO 27701:2019 and ISO 27001:2022 requirements;

Document the gap assessment results, implement or update necessary controls;

Seratos provides comprehensive support for implementing and certifying your PIMS. Contact us, and we will schedule an intro call with one of our consultants to find out more about how we can help.