Implementing the Privacy Information Management System
Who Works With the Data and How Are They Monitored
Although information is a major source of revenue and a critical asset for most businesses, it can also prove to be at the root of significant losses.
Mishandling of information can lead to legal liability claims that considerably increase operating costs: the potentially liable party must defend against legal actions and may be forced to pay performance or injunction penalties, or monetary damages. Liability claims are commonly generated through the negligence of employees or contractors as they handle information.
Personally Identifiable Information
Among the data routinely collected and stored to allow us to carry out our business activities, there is a special category known as personally identifiable information (PII). Since custodians of PII are quickly becoming liable for any breach of confidentiality, failure to follow the applicable laws and regulations can have harsh consequences.
Governments and Data Privacy
An unprecedented amount of information is now being collected and stored online. As a result, governments have put laws and regulations in place to ensure the security of personal information.
Here are just a few more measures with which your organization may need to comply to guarantee the confidentiality of the personal data in its care.
Laws and Regulations
What Is PIMS
ISO/IEC 27701:2019 specifies requirements and provides guidance for establishing, implementing, maintaining and continually improving a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. It specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.
Why Implementing ISO 27701:2019 Matters
According to data privacy laws such as the GDPR (2016/679, Article 4), controllers and processors are responsible for manipulating and securing PII. Controllers collect the data and determine the purposes for which it will be processed. Processors process the data according to the controller’s instructions.
To mitigate the risks of non-compliance, the GDPR recommends the implementation of data protection certification mechanisms and data protection seals and marks. This is where ISO/IEC 27701:2019 comes in.
Why Work With The Seratos Team of Experts
We Make Monitoring the Risk of Non-Compliance Easy
ISO/IEC 27701:2019’s enhanced Statement of Applicability (SoA) mapping requires that specific privacy regulations and unique regulatory requirements be identified and addressed. It also covers compliance with all the other conditions PII controllers and processors must respect.
We keep implementation lean by taking advantage of all the relevant documentation, records and technical evidence already in place. As a result, our mapping of controls to privacy requirements is both simple and efficient. Using comprehensive assessment methods, we help you evaluate and map controls that apply to the privacy requirements relevant to your activities. We use the results to create a “live” baseline control repository.
Leveraging the existing ISMS
The ISO/IEC 27701:2019 management system is designed to guarantee the security of PII. Building on your existing Information Security Management System (ISMS), it creates a Privacy Information Management System (PIMS) that protects all PII as required by law and by the current standards of your industry.
We provide our clients with a comprehensive set of services designed to secure and maintain their ISO certification. Our successful approach to PIMS implementation entails bringing the right expertise to the task and setting up clear objectives for each certification project.
Supporting GDPR compliance
The ISO/IEC 27701 framework and controls make compliance verification easier for your organization and governmental authorities. Above all, having a comprehensive framework to guide the due diligence process gives you peace of mind.
You and everyone involved in your business activities can rest easy, knowing that your organization has a secure method that guarantees the safety of their PII.
By implementing the PIMS, we help Data Protection Officers generate and maintain valuable evidence, allowing them to respond to security questionnaires and inquiries in a more timely and effective fashion.
Performing Privacy Risk Assessments
We use a documented approach to evaluating and controlling the risks associated with breaches, delays, rework and non-compliance with legal, contractual or regulatory requirements.
As part of the ISO/IEC 27701:2019 certification process, we facilitate the planning and execution of privacy risk assessments.
Our privacy assessments are performed following our risk management methodology and are part of the risk management activities required by ISO/IEC 27001:2022 and ISO/IEC 27701:2019 standards.
Why Get ISO 27701 Certified
With all this in mind, ensuring that your Privacy Information Management System (PIMS) conforms to the ISO/IEC 27701:2019 requirements significantly reduces your non-compliance risks. It also demonstrates that your organization is respecting data privacy laws. More particularly:
- It demonstrates due diligence and compliance with data protection laws such as the GDPR by leveraging an existing ISMS.
- It significantly reduces audit fatigue, helping you respond to security questionnaires and inquiries in a more timely and effective fashion.
- It identifies and maps controls that are relevant to the requirements framework, while also generating and retaining the necessary evidence of compliance for regulatory purposes.
- It establishes a comprehensive framework to address the risk of non-compliance within the enterprise risk management framework.
Seratos provides comprehensive support for implementing and certifying your PIMS. Contact us and we will schedule an intro call with one of our consultants to find out more about how we can help.