The financial impact of data breaches can run into millions of dollars for organizations, including costs such as legal fees, repairing damage and implementing tighter security measures, as well as possible compensation payments and fines. IBM recently estimated the average cost of a data breach at nearly four million US dollars.
A new international standard provides organizations with the clear guidance they need to reduce the risk to personal information. It takes into account not only national laws and regulations, but also the environment in which organizations operate.
The new standard is an extension to ISO/IEC 27001 and ISO/IEC 27002, which many organizations have already used to implement an Information Security Management System (ISMS). While ISO/IEC 27001 requires organizations to take their environment into consideration, the new standard goes a step further by mapping to the privacy framework and principles defined in ISO/IEC 29100.
ISO/IEC 27701 shows organizations how to manage and process data to reduce risk and demonstrate compliance with updated and more stringent privacy regulations around the world. It specifies requirements and provides guidance for implementing, maintaining and continually improving a Privacy Information Management System (PIMS) capable of ensuring effective management of personal data within an organization.
The new document outlines a framework for any data that could potentially identify a specific individual, known as personally identifiable information (PII). It provides guidance for PII controllers and PII processors.
It is relevant and applicable to anyone with responsibility and accountability for managing PII. This covers all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.
ISO/IEC 27701 generates documented evidence of how organizations handle the processing of personal information, including clearer definitions of roles and responsibilities. It delivers a number of additional benefits, including transparency between stakeholders and increased trust, as well as facilitating agreements with business partners.
Dr Andreas Wolf, Chair of the joint ISO/IEC technical committee that developed the standard, said almost every organization processes personally identifiable information (PII), and protecting it is not only a legal requirement but a societal need.
“ISO/IEC 27701 defines processes and provides guidance for protecting PII on an ongoing, ever-evolving basis. Because it is a management system, it defines processes for continuous improvement on data protection, particularly important in a world where technology doesn’t stand still.”
When implemented together with the ISO/IEC 27000 family of standards, ISO/IEC 27701 gives clients confidence in the reliability of the systems to which they have entrusted their data. This can play a crucial role in helping to protect brand reputations.
Against a backdrop of sweeping regulatory change, it provides tools for implementing robust data security management systems that deal with sensitive information efficiently and effectively. It also supports the cross-border data flows on which the global economy is built.