ISO 27701 is a framework for data privacy that builds on ISO 27001. This latest privacy best practice guides organizations on policies and procedures that should be in place to comply with GDPR and other data protection/privacy regulations and laws.
The ISO 27701 standard, a PIMS (Privacy Information Management System) standard, lays out a detailed set of operational checklists that can be adapted to a variety of regulations, including GDPR. Companies document their policies, procedures, protocols and activities in line with the standard’s operational checklists, with records then audited by internal and third-party auditors, resulting in detailed proof of compliance with the standard. ISO 27701 helps companies to maintain an effective privacy and information security system and reduce privacy risks.
An important feature of ISO 27701 is its versatility. Just as ISO 27001 works for all organizations, so does ISO 27701. It has been written in such a way that it can be used by organizations of all sizes and from all business sectors. It is also structured in such a way that it clearly differentiates the guidance for PII controllers and PII processors.
Cookie and consent management refers to the process of obtaining user consent for the use of cookies on a website and managing the cookies that are collected from users.
Privacy Rights Management refers to the practices and technologies used to protect and manage the privacy rights of individuals, including the control and management of personal data.
Data mapping and data visualization refer to the process of visually representing data flows, relationships, and dependencies between different data sets, sources, and systems to improve understanding and analysis of complex data structures.
Privacy Impact Assessment (PIA) is a process that evaluates the potential privacy risks and impacts associated with the collection, use, and sharing of personal data, and identifies ways to mitigate those risks.
Third-party risk management involves the identification, assessment, and mitigation of potential risks that may arise from the use of third-party vendors, contractors, and partners who have access to sensitive information or systems within an organization.
Policy design/maintenance involves the creation, implementation, and updating of policies and procedures that govern the management, protection, and use of sensitive information within an organization.
An integrated data security solution refers to a comprehensive approach to securing sensitive data that combines multiple security technologies and tools, such as encryption, access controls, and threat detection, into a single, cohesive system.
A privacy incident refers to any event or occurrence that compromises the confidentiality, integrity, or availability of personal data, and may result in unauthorized access, disclosure, or loss of such data.
ISO 27701 has been designed to be used by all data controllers and data processors. Like ISO 27001, it advocates a risk-based approach so that each conforming organization addresses the specific risks it faces, as well as the risks to personal data and privacy.