ISO 27701 and missing GDPR Controls

The ISO 27701 standard makes some additional control recommendations that are supposed to supplement ISO 27002 controls guidance.

The ISO 27701 is clearly intended to be a generic Privacy controls framework. How do the controls stack up to the requirements of the GDPR?

The GDPR is actually quite prescriptive in the controls that need to be put in place to comply with the legislation. It mandates certain processes and even tells you what they need to contain.

The Record of Processing is one such example. We get given a field level description of what should be held against each Record of Processing. It is almost a Database Schema.

This is a Universe away from the ISO 27001 standard. The ISO 27001 Standard treads on eggshells to make sure it is not mandating any particular way of protecting something. This difference can be highlighted by the fact that the word “encryption” or “encrypt” does not appear anywhere in the actual ISO 27001 standard.

So how well do the ISO 27701 additional controls do at implementing what is required for the GDPR?

A quick read through the GDPR (ok, a really long and painful read through) suggests a list of proposed controls from the GDPR.

Pseudonymisation

Pseudonymisation does not appear in the ISO 27701 standard at all. It refers to a generic “de-identification” term which has no specific controls.  Even before we get to any Articles in the GDPR, Clause 29 of the GDPR preamble refers to the following for pseudonymisation:

(29) In order to create incentives to apply pseudonymisation when processing personal data, measures of pseudonymisation should, whilst allowing general analysis, be possible within the same controller when that controller has taken technical and organisational measures necessary to ensure, for the processing concerned, that this Regulation is implemented, and that additional information for attributing the personal data to a specific data subject is kept separately. The controller processing the personal data should indicate the authorised persons within the same controller.

So we need a control/process that defines how the data is separated and how that separation is maintained for any Pseudonymised Data.

Appropriate additional guidance may be:

Create a method of how Pseudonymisation should be used and maintained within the organisation. I think it makes sense to incorporate this control within the Privacy by Design/Default Standard, which will indicate how this control should operate within the organisation.

Consent Processing

In Clause 32, we have a very prescriptive description of how consent should be received. Further clauses relate to the retention and evidencing of that clear consent.

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

So we have another control point requirement that would describe how the consent lifecycle is managed within the organisation. This should live in a standard that describes how the organisation will deal with the legal basis for processing of personal data.

Legitimate Interests

Clause 47 requires that a balancing test be done whenever legitimate interests are used as the legal basis for processing. This indicates that a Legitimate Interest Assessment process is required.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller. At any rate the existence of a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place. The interests and fundamental rights of the data subject could in particular override the interest of the data controller where personal data are processed in circumstances where data subjects do not reasonably expect further processing. Given that it is for the legislator to provide by law for the legal basis for public authorities to process personal data, that legal basis should not apply to the processing by public authorities in the performance of their tasks. The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the data controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

ISO 27701 makes no reference to a Legitimate Interest Assessment or balancing test as a control. This should be added as additional guidance.

Further Processing

Clause 50 indicates that where processing of personal data is considered other than for which it was originally collected, the controller should assess whether the further processing is compatible with the purpose the data was originally collected.

(50) The processing of personal data for purposes other than those for which the personal data were initially collected should be allowed only where the processing is compatible with the purposes for which the personal data were initially collected. In such a case, no legal basis separate from that which allowed the collection of the personal data is required. If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, Union or Member State law may determine and specify the tasks and purposes for which the further processing should be regarded as compatible and lawful. Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes should be considered to be compatible lawful processing operations. The legal basis provided by Union or Member State law for the processing of personal data may also provide a legal basis for further processing. In order to ascertain whether a purpose of further processing is compatible with the purpose for which the personal data are initially collected, the controller, after having met all the requirements for the lawfulness of the original processing, should take into account, inter alia: any link between those purposes and the purposes of the intended further processing; the context in which the personal data have been collected, in particular the reasonable expectations of data subjects based on their relationship with the controller as to their further use; the nature of the personal data; the consequences of the intended further processing for data subjects; and the existence of appropriate safeguards in both the original and intended further processing operations. Where the data subject has given consent or the processing is based on Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the controller should be allowed to further process the personal data irrespective of the compatibility of the purposes. In any case, the application of the principles set out in this Regulation and in particular the information of the data subject on those other purposes and on his or her rights including the right to object, should be ensured. Indicating possible criminal acts or threats to public security by the controller and transmitting the relevant personal data in individual cases or in several cases relating to the same criminal act or threats to public security to a competent authority should be regarded as being in the legitimate interest pursued by the controller. However, such transmission in the legitimate interest of the controller or further processing of personal data should be prohibited if the processing is not compatible with a legal, professional or other binding obligation of secrecy.

This would indicate that in cases of Further Processing, an assessment should be conducted to determine if the further processing is compatible with the original purpose. To be called the Further Processing Assessment.

The ISO27701 Standard refers to “extending the purposes for the processing of PII” but does not include this specific control requirement.

Disproportionate Effort

Clauses 61 and 62 lay out a requirement to notify the data subject if their data will be used for a further purpose. Clause 63 states that this is not required, should the activity in volve a disproportionate effort.

(61) The information in relation to the processing of personal data relating to the data subject should be given to him or her at the time of collection from the data subject, or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case. Where personal data can be legitimately disclosed to another recipient, the data subject should be informed when the personal data are first disclosed to the recipient. Where the controller intends to process the personal data for a purpose other than that for which they were collected, the controller should provide the data subject prior to that further processing with information on that other purpose and other necessary information. Where the origin of the personal data cannot be provided to the data subject because various sources have been used, general information should be provided.

(62) However, it is not necessary to impose the obligation to provide information where the data subject already possesses the information, where the recording or disclosure of the personal data is expressly laid down by law or where the provision of information to the data subject proves to be impossible or would involve a disproportionate effort. The latter could in particular be the case where processing is carried out for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. In that regard, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration.

This would indicate a need for a Disproportionate Effort Test, which can evidence that notification to the data subject was considered and rejected due to the disproportionate effort involved.

The ISO 27701 Standard does not have an additional control for this Disproportionate Effort Test.

Controller Notification

Clause 66 indicates that where a controller has made personal data public, they should be required to inform other controllers using that data to any right to erasure request.

(66) To strengthen the right to be forgotten in the online environment, the right to erasure should also be extended in such a way that a controller who has made the personal data public should be obliged to inform the controllers which are processing such personal data to erase any links to, or copies or replications of those personal data. In doing so, that controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of the data subject’s request.

There is no additional control in IS0 27701 that would map to this GDPR requirement.

Effectiveness of Measures

Clause 74 states the following:

The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller’s behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons.

There needs to be a method for measuring the effectiveness of the measures. This runs deeper that the monitoring and continuous improvement parts of ISO 27701 / ISO 27001.

The Controller has to show that the measures in place are effective for the purposes intended. This would assume a method of monitoring, measurement, assessment and adjustment as required to maintain effective controls.

The ISO 27701 Standard relies on the underlying ISO 27001 Monitoring and continuous Improvement clauses which are not sufficient to meet this requirement. Additional controls should be implemented to ensure effectiveness can be displayed.

More to come in Part 2.

Leave a Comment

Your email address will not be published. Required fields are marked *