March 23, 2023

Volume XIII, Number 82


March 23, 2023

Subscribe to Latest Legal News and Analysis

March 22, 2023

Subscribe to Latest Legal News and Analysis

March 21, 2023

Subscribe to Latest Legal News and Analysis

March 20, 2023

Subscribe to Latest Legal News and Analysis

ISO/IEC 27701 Released as a New Standard for Privacy Compliance

ISO/IEC 27701 At-A-Glance

  • ISO/IEC 27701 is a new, privacy-oriented standard that builds upon the well-known ISO/IEC 27001 security standard.

  • Certification to ISO/IEC 27701 (when available) will require certification to ISO/IEC 27001 first.

  • While ISO/IEC 27001 provides controls for general security measures, ISO/IEC 27701 focuses on new requirements and controls, along with implementation guidance, directed specifically at protecting personal information.

  • ISO/IEC 27701 may be used to demonstrate compliance and accountability with various privacy regimes throughout the world, including the GDPR.

  • Businesses may want to include contractual obligations requiring vendors who handle sensitive personal information to comply with or, where appropriate, become certified under ISO/IEC 27701.

  • Vendors handling personal information may want to proactively begin efforts to build on ISO/IEC 27001 compliance and become compliant with and/or certified under ISO/IEC 27701.

On August 6, 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) released ISO/IEC 27701, a privacy extension to ISO/IEC 27001 and ISO/IEC 27002 designed to help organizations protect and control the personal information they handle. Similar to the existing ISO standards that ISO/IEC 27701 supplements, this new ISO standard may become the de facto standard of care for organizations to protect personally identifiable information (PII) and may be used to demonstrate compliance with privacy regulations around the globe, including the General Data Protection Regulation (EU) 2016/679 (GDPR).

What is ISO/IEC 27701?

Originally developed as ISO/IEC 27552, ISO/IEC 27701 provides specific requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) as an extension of the flexible Information Security Management System (ISMS) defined in ISO/IEC 27001 to take into account the privacy protections required for processing PII in addition to information security. Like the ISO/IEC 27001 standard, ISO/IEC 27701 does not expect organizations to adopt each and every control in all situations. Instead, it requires organizations to understand the particular context in which they process PII and adjust the particular set of controls and related implementation of those controls in a way that is appropriate to their processing activities.

To better understand the new standard, the following key terms should be understood: controllers, joint controllers, processors, and sub-processors. These or similar terms are found in many privacy laws and regulations, including the GDPR. Generally, a “controller” is the entity that directs the reason why PII is collected and processed in the first place, and “joint controllers” are two or more entities that jointly provide this direction. A “processor” is a separate legal entity (i.e., not an employee) responsible for processing such data on behalf of that controller, and a “sub-processor” is a processor engaged by another processor.

The newly published standard applies to both controllers (as well as joint controllers) and processors (including sub-processors) of PII, regardless of the jurisdictions and sectors in which they operate, and also includes mappings to the GDPR and to the ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151 security frameworks. Mappings of the ISO/IEC 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), should be expected and will likely aid organizations by providing a common standard for demonstrating compliance with these regulatory regimes.

A high-level overview of certain key ISO/IEC 27701 requirements applicable to controllers and processors is provided below:

Requirements Applicable to Controllers and Processors

Confidentiality. Individuals authorized to access PII must execute a confidentiality agreement.

Analyze Risk. A privacy risk assessment must be conducted to identify PII processing risks.

Oversight. Organizations must appoint an individual who is responsible for developing, implementing, maintaining, and monitoring their governance and privacy program.

Training. Privacy awareness training for personnel that have access to PII is required.

Internal Processes. Organizations must adopt various policies and procedures, such as incident response plans for breaches of PII.

Record Keeping. ISO/IEC 27701 requires organizations to maintain a record of all PII processing activities, including PII transfers between jurisdictions and disclosures to third parties.


Controller-Specific Requirements

Privacy Notices. Organizations must provide a privacy policy containing specific information regarding the collection, use, and processing of PII.

Processor Contract Requirements. Organizations must have a written contract in place with their processors that addresses specific items, such as protecting PII, limiting processing to the specific purpose for which the PII was collected, and providing notification for breaches of PII.

Individuals’ Rights. ISO/IEC 27701 requires organizations to implement mechanisms to accommodate individuals’ rights to access, correct, and erase their PII, as well as object to, or restrict, the processing of PII, among others.

Privacy by Design and Default. Organizations must adopt measures that operationalize the principles of privacy by design and default.


Processor-Specific Requirements

Processing Limitations. Organizations must process PII only on the documented instructions of the controller or processor (depending on the role of the customer).

Assist with Individuals’ Rights. ISO/IEC 27701 requires processors to implement measures that assist the customer in complying with the rights of individuals.

Transfers and Disclosures. Processors must inform the customer in advance of PII transfers between jurisdictions or any intended changes thereof.

Subcontractors. ISO/IEC 27701 requires processors to only engage a subcontractor for processing PII pursuant to the terms of the customer contract.

Benefits of ISO/IEC 27701

Compliance with ISO/IEC 27701 first requires compliance with the requirements of ISO/IEC 27001. They are intended to complement each other. Organizations that follow the requirements of ISO/IEC 27701 will create documentary evidence of how they handle the processing of PII, which may be used to facilitate agreements with business partners where the processing of PII is relevant and to clarify the organization’s processing of PII with other stakeholders. Although the GDPR does not yet have an accredited certification method, according to recent reports, ISO/IEC 27701 could change that in the very near future.

What Should You Do?

Customers engaging vendors to process and maintain PII on their behalf should consider contractually requiring those vendors to comply not only with ISO/IEC 27001, but also with ISO/IEC 27701 or to become certified under this standard if appropriate to the sensitivity of the data. Even if the customer does not require vendors to be certified by an independent third party as compliant with the new standard, they may still want to update their contracts to ensure the vendor can comply with requirements of ISO/IEC 27701. Since ISO/IEC 27701 is still very new, a reasonable time delay for vendors to comply with the requirements of this new standard would be appropriate to include in these contracts.

Organizations that are ISO/IEC 27001 certified and looking to implement the requirements of ISO/IEC 27701 should consider taking the following steps:

  • Perform a gap assessment of the existing ISMS to the requirements of ISO/IEC 27701 and produce an action plan on how to address those gaps.

  • Conduct a data mapping of the PII collected by the organization to understand the scope of PII collected and how it is used and shared with processors.

  • Determine the organization’s role as a controller and/or processor based on internal or external factors that are relevant to its context, such as applicable privacy legislation, regulations, judicial decisions, or contractual requirements (among others).

  • Review and update privacy policies to ensure they contain the required information.

  • Develop policies and procedures applicable to the organization’s role.

  • Begin the planning and implementation of the privacy by design and default principles.

Looking Forward

All around the world, lawmakers and regulators are introducing new laws governing the use of data, especially PII. Most recently, the advent of the GDPR has caused many businesses, customers, and vendors to scramble to achieve compliance. This changing legal environment raises challenges for all businesses, but especially those that must comply with regulations in multiple jurisdictions. Rather than trying to deal with each new law individually and locally, the new ISO/IEC 27701 standard will provide a harmonized way to decide, plan, implement, and document an organization’s approach to data privacy worldwide.

No matter the size of an organization and whether it is a controller or processor of PII, businesses should consider either pursuing an ISO/IEC 27701 certification for their own organization or requesting certification from their vendors. This is especially true for processors, sub-processors, and joint controllers that are processing sensitive or high volumes of PII.

© 2023 Foley & Lardner LLPNational Law Review, Volume IX, Number 252

About this Author

Samuel Goldstick, Foley Lardner Law Firm, Chicago, Cybersecurity and Healthcare Law Attorney

Samuel (Sam) Goldstick is a data privacy and cybersecurity associate at Foley & Lardner LLP. He is a member of the firm’s Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices, as well as Technology and Health Care Industry Teams. He also is accredited by the International Association of Privacy Professionals (IAPP) as a Certified Information Privacy Professional in both the United States and Europe (CIPP/US and CIPP/E).

Prior to joining Foley, Mr. Goldstick was an associate at a prominent law...

Steven Millendorf, Technology Attorney, Foley and Lardner Law Firm

Steven Millendorf is an associate and intellectual property lawyer with Foley & Lardner LLP. He has experience drafting, reviewing and revising technology agreements, including protections for privacy and data security. Mr. Millendorf regularly tracks changes to state breach notification laws and revises Foley’s nationally published state data breach notification database. He also has experience in defending electronics and telecommunications clients in IP litigation matters. Mr. Millendorf is a member of the firm’s Technology Transactions & Outsourcing,...

Michael R. Overly, Intellectual Property Attorney, Foley lardner Law Firm

Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law. Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security &...

Jennifer L. Rathburn iFoley & Lardner LLP Milwaukee data protection programs, data incident management lawyer

Jennifer L. Rathburn is a partner with Foley & Lardner LLP. Ms. Rathburn focuses on counseling clients on data protection programs, data incident management, and breach response and recovery, as well as the monetization of data, the Health Insurance Portability and Accountability Act (HIPAA), and other privacy and security issues. She is one of the founders of the Midwest Cyber Security Alliance and has a deep understanding of the complex risk, operational, and legal issues companies must address to maintain the confidentiality of, access to, and integrity of their...