Discussing the ISO 29100 Privacy Framework
Friday, April 30, 2021

Do companies have to create an internal privacy policy (not a privacy notice) under the ISO 29100 privacy framework?

One of the provisions in the ISO 29100 privacy framework is that the top management of an organization should “establish a privacy policy” that, among other things:

  • Provides an internal organizational framework for setting objectives,

  • Includes a commitment to satisfy applicable privacy safeguarding requirements,

  • Includes a commitment to continual improvement.

The privacy policy envisioned under ISO 29100 is not the same as the public-facing privacy notice posted on a company website to explain to the public how personal information is collected, shared, and processed. Instead, it is an internal company policy that is communicated within the organization and governs how the organization will handle personal information. The privacy policy is designed to be supplemented by more detailed rules and obligations created internally by various stakeholders.

How does the terminology of the ISO 29100 privacy framework relate to the data privacy laws?

The terminology used by the ISO 29100 privacy framework arguably most closely aligns with the terminology used under the GDPR. The following chart provides a side-by-side comparison of commonly used terms and concepts as they appear in the European GDPR, the California CCPA, and the newly passed Virginia Consumer Data Protection Act.

| ISO 29100 | Europe GDPR | California CCPA/CPRA | Virginia VCDPA |
|---|---|---|---|
| Personally identifiable information (PII) | Personal data | Personal information | Personal data |
| PII controller | Controller or Data Controller | Business | Controller |
| PII principal | Data subject | Consumer | Consumer |
| PII processor | Processor or Data processor | Service Provider | Processor |
| Processing | Processing | Processing | Processing |
| Pseudonymization | Pseudonymisation | Pseudonymization | Pseudonymous data |
| Sensitive PII | Special category | Sensitive personal information | Sensitive data |

Does the ISO 29100 privacy framework tell companies how to score themselves?

Unlike other privacy frameworks that recommend that companies be scored, or score themselves, using a maturity model (e.g., a score from one to four), the ISO 29100 privacy framework does not identify a specific methodology for assessing compliance or maturity.
