Standards to ensure privacy

28. January 2020

When we make a doctor's appointment, log on to an online bank or book tickets online, we share our personal information. Digitalization, globalization and the personalization of services create new markets, but they also raise the question of how to ensure users' privacy.

The new standard ISO/IEC 27701 is intended to enhance the credibility of how organizations handle personal information, and it is a specific tool for compliance with the existing requirements of the General Data Protection Regulation (GDPR).

In a society characterized by digitalization and constant change, both private actors and public authorities need guidance on the protection of information. The new international standard ISO/IEC 27701 is a certifiable standard that defines the requirements for a management system for the protection of privacy. Specifically, the standard provides insight into the procedures and arrangements that organizations should establish to ensure proper protection of personal information.

An extension to the requirements on privacy

Although the standard is new, its foundation is a well-known standard, ISO/IEC 27001, which defines the requirements for an information security management system. The new ISO/IEC 27701 standard differs from the 27001 standard by setting out extended requirements for information of a personal character. This involves working with consideration for the registered (private) person whom the information concerns, and with the company's role as data processor or data controller.

Regulation on data protection - GDPR

With the advent of the GDPR, there is a heightened need for careful handling of personal information to avoid data breaches and violations of private individuals' fundamental rights.

- Individuals' rights have for a long time been an issue and a headache for many organizations that treat personal information. Nevertheless, citizens' data is of great volume in the public sector. With the GDPR, it has become even more crucial for organizations that they are capable of demonstrating proper conduct with personal information. ISO/IEC 27701 provides us with detailed instructions on the GDPR's articles based on the processes that are already applied in organizations working systematically with information security, says Anders Linde, Chief Consultant at Danish Standards.

The new standard uses the GDPR as a starting point for comparison of its various requirements and recommendations.

Numerous advantages

Besides being a helpful tool for complying with the GDPR, the standard also brings several benefits that are also found in other management systems.

- An organization that follows the requirements in ISO/IEC 27701 is expected to master its distribution of roles and responsibilities, documentation of processes and a mindset that ensures continuous improvements of the GDPR. This provides an overview and safety among both employees, collaborating partners and those whom the personal information concerns, says Anders Linde.

Do you wish to know more about protection of privacy?

Get an understanding of the specific requirements for the data controller and the data processor at Danish Standards' new diploma course in privacy. Here, you learn how your company can observe the extended requirements for privacy protection by establishing a management system in accordance with ISO/IEC 27701. Please note that courses offered by Danish Standards are currently all in Danish.