In my previous post, we left the GDPR review at Clause 74. This was quite a deliberate breakpoint, as Clause 75 and 76 take us straight into the meat of the DPIA (Data Protection Impact Assessment).
Privacy Impact Assessment
The ISO 27701 Standard refers to a Privacy Impact Assessment as a method to determine the risk to the PII Principals. The GDPR term for PII Principals is Data Subjects. So we are talking about the risk to the Data Subjects rights.
In the implementation guidance for the Privacy Impact Assessment in ISO 27701, it states that the Organisation should determine the elements that are necessary for the completion of a privacy impact assessment. This is a little loose as it implies a level of self-determination that is not possible under the GDPR.
The GDPR is very prescriptive (in Clause 75) on what elements are required to be considered as part of such an assessment.
In theory, under ISO 27701 you could arrive at a Privacy Impact Assessment that did not cover all of the requirements of the GDPR DPIA.
Clause 76 explains that the reasoning behind the requirement for the DPIA is to essentially create two buckets of personal data. A “Risk” bucket and a “High Risk” bucket. The ISO 27701 Standard does not seek to create two buckets, but suggests a risk gradient.
The ISO 27701 Standard also offloads implementation guidance to the ISO 29134 Standard, which is unhelpful from the standpoint of GDPR controls, as it takes implementers further down a non-compliance with the GDPR route. All of these issues are non-terminal, but it does mean the Privacy Impact Assessment in the ISO 27701 Standard and the DPIA referenced in the GDPR, are not equivalent items.
You will need to explain how you have incorporated the requirements of the GDPR, in order to conduct a Privacy Impact Assessment that complies with the Regulation.
Privacy by Design and Privacy by Default
The GDPR prescribes the adoption of policies (in Clause 78) to ensure the implementation of measures and controls for Privacy by design and default. The ISO 27701 Standard does not make that requirement explicit. Whilst there is a section on Privacy by Design in the ISO 27701 Standard, it does not start from the principal of a requirement for a Policy specific to how Privacy by Design is to be incorporated into the organisation.
In order to comply with the GDPR requirements, you should be implementing Privacy by Design and Privacy by Default from a Policy driven perspective.
It is strange that a Standards Body that prescribes a Policy based approach for ISO 27001 and other elements within ISO 27701, has missed the opportunity to drive this policy approach in this section, when it is a requirement of the legislation.
I understand that the ISO 27701 is generic and not purely about the GDPR, but Policy-driven is a fundamental point that should be being reinforced across the whole Standard.
Control of Processors by Contract
The ISO 27701 Standard makes reference to the need for Controllers to bind Processors by contract to a specific set of Privacy based controls. It does not provide for standard contractual clauses within this set of controls.
In order to satisfy the GDPR, Controllers should ensure that standard contractual clauses are embedded into third party contracts, and the Controller should not rely solely on the additional controls prescribed by the ISO 27701 Annex B controls.
Consultation with the Authority
There are a number of instances in the GDPR, where a requirement to consult with the Supervisory Authority is a requirement. One such example is in Clause 94, where if a DPIA is undertaken and is evaluated as a high-risk, but the controller cannot see a way of mitigating the high-risk.
This clearly requires a process to be created that simplifies the consultation and provides all the necessary details for the Authority to provide a response.
There is no such consultative requirement in the ISO 27701 Standard. The ISO Standard is mute on what should happen if a Privacy Impact Assessment is conducted and the Controller does not believe there are any mitigations that can be put in place to improve the risk.
This process needs to be created and added as a control to your Privacy Management System as a requirement for compliance with the GDPR.
It is unlikely that this process will be used very often, but it is a very simple auditing check to verify its existence, and the GDPR does mandate that this action must be referred to the Authority if it arises.
In summary, it would be inaccurate to assume that by simply implementing all of the controls recommended within ISO 27701, you have somehow complied with all of the requirements of the GDPR.
There is still some work to be done to bend ISO 27701 controls to fit with a GDPR certification scheme.
As outlined in these two posts, the changes are not massive, but it requires a clear list of specific GDPR requirements to be added to the ISO 27701 Standard as an appendix before it can be considered as a GDPR certification mechanism.