Monitoring controls for ISO 27001 have been around for a while. Even back in the days of BS7799 (yes, I’m that old), there were well laid out plans for what should be monitored and why.
I’m going to have a crack at monitoring controls for ISO 27701, for the additional controls introduced by ISO 27701, with reference to the GDPR.
Conditions for Collection and Processing of PII
In order to comply with the GDPR, our processing has to be lawful and each type of processing must have a legal basis upon which it is being processed.
The control to be applied is to bring this into your business lifecycle, such that new opportunities for business pick up on this requirement right from the start.
Once the opportunity has crystalised and you start talking about money and contracts, the lawfulness and legal basis for any personal data involved should also be crystalised.
Contract change control then needs to pick up on any new data being introduced in the middle of a contract. We need to know whether the processing is still lawful and the legal basis is still correct as a result of any agreed change.
So in order to ensure that lawfulness and legal basis are controlled, we have a two stage process. One at the beginning of contract negotiations to catch new data and one to catch new data during the change management process.
Ok. So we can put some things in place to do this, but what needs to be monitored, if anything and is it important enough to monitor?
It would seem that the lawfulness and legal basis for processing are critical to the success of the PMS, so I submit that we should be monitoring this control.
But surely there is nothing to monitor? You stick a tag on the data at the front as it comes in and you make sure it doesn’t change in the middle?
Winning New Business
Unfortunately, winning business has never been this straightforward. We have to remember that we are dealing with salespeople here and if ever there was a team of people that you could rely on to exploit any weaknesses in your compliance processes, this is the bunch.
They will find a way to bring business into the organisation by any means possible (I am not claiming any illegality, but if there is a side door available, they will take it). So you need to expect data landing on the organisation that has magically missed your front door control.
A well-used example is the contract renewal.
“We didn’t need to go through an approval process because it was just an extension to an existing contract.”
If you have attached your data compliance process to your existing approval process for winning new business, you have just missed this data.
So you may want to look at the data you look after from another lens or vista.
If you are processing data, you can be guaranteed to be charging someone for the privilege. So your accounting system will know about all the work that is currently being worked on, that the organisation is charging a client for.
Maybe it is possible to cross-check the new business process activity registered, with the workcodes being charged to see if there is a delta. This would check that every piece of work had been caught by the front-door or you had picked it up and validated it from your billing system.
This approach covers data processing in general. It would also apply to understanding which data processing activities were being done under a compliant contract (after all, if you have only just renewed the contract, who would have added the data protection clauses?).
Another monitoring check could be to make sure that all processing is in the ROPA (cross check), or that all processing that uses legitimate interests as a legal basis, has a Legitimate Interests Assessment for it.
I think we have shown that it is possible to monitor these controls and that such monitoring would gradually improve the compliance of the organisation.
Consent as a legal basis
Just as we have monitoring opportunities for legitimate interest processing, so we have opportunities for consent processing. In fact, we have many more due to the number of hoops that have to be jumped through to successfully use consent as a legal basis of processing.
You could check that all ROPA entries that are marked with consent as the legal basis, have consent associated with them, that they are stored where they need to be stored, etc, etc.
As with all monitoring activities, you first examine the broad Universe of things that you could monitor, and then you apply cost and effort to the calculation so that you boil down the long list of possibles into a short list of cheap and easy to implement.
Privacy Impact Assessments
The Data Protection Impact Assessment (DPIA) requirement within the GDPR, requires some very specific rules and conditions. Each of these is a possible monitoring check. You can provide a monitoring check that ensures that all processing that is high-risk has an associated DPIA. Or you can check that the original DPIA was completed correctly by reviewing a sample.
Each high risk processing activity should have a DPIA against it.
If you apply a greater level of security controls for high risk data, your monitoring control could be to check that these additional controls have been enabled for every high risk processing activity.
Monitoring has always been about samples and spot checks. You cannot review everything. You have to agree the most important things to check, and then perform them in a cost effective way.
Contracts with Third Parties
Where you know you have handed processing to a third party, you can check to ensure the contract is compliant, a risk assessment was conducted if appropriate, additional controls were enabled as a result, etc.
You may have residual risks with your supplier as part of your Third Party Security Assurance process.
Monitoring the progress of risk reduction in your Third Party Security Maturity Matrix is also a valid option of monitoring the effectiveness of the Third Party Assurance control.
More in Part 2.