A common question in the data privacy, compliance and legal community is why ISO 27701 was developed by ISO and released in 2019.
ISO saw a need for a global data privacy standard that could be mapped to existing obligations such as the GDPR and state and national data privacy/protection laws. Multinational businesses were likely to struggle to meet all of these mandates unless there was some common approach to privacy risk management.
It was also noted by ISO and others that data privacy risks are not the same as the information security risks addressed by the ISO 27001 standard. Many comparisons of the two risk types exist, but one we like is: “The difference between data privacy and data security is the difference between protecting someone’s personal information and the security measures you have in place to protect all of your business’ information,” [Greg Ewing, Potomac Law].
Privacy protection builds on information security, which is why ISO 27701 is referred to as an extension of ISO 27001 (and ISO 27002) rather than a standalone standard. Privacy risk is concerned less with whether data can be reached by an attacker and more with the purpose for which personal data is used, and whether that use is lawful, fair and accountable.
Privacy risk mitigation tools tend to be more specialized and granular than security tools. A security tool is typically a general-purpose control such as a firewall, anti-virus server or patch management server that protects the organization as a whole.
A privacy tool is more likely to be a privacy enhancing technology, for example software that strips personally identifiable information out of a database record, stores it separately and leaves only a reference number in the record. The record stays usable for day-to-day operations, while re-identifying the person requires access to the separate store.
ISO 27701 was designed to focus the development of products and services on protecting the identity of the data subject and on limiting how, and for how long, their data is processed.
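As an added illustration (not code from the original article), the following constructed Python sketch shows the pseudonymization pattern described above: the personal fields are moved out of the operational record into a separate vault and replaced with a random reference token, and the vault enforces a retention period so that re-identification stops once the permitted processing window has elapsed. The field names, the retention period and the sample record are assumptions made for this example.

```python
import secrets
from datetime import datetime, timedelta, timezone

# Assumption for this example: which fields of the record count as PII.
# In practice this classification is a data-mapping decision, not a constant.
PII_FIELDS = {"name", "email", "phone"}


class PiiVault:
    """Separate store for personal data, keyed by an opaque reference token.

    The operational record keeps only the token, so re-identification needs
    access to this vault, which can be locked down, audited and purged
    independently of the main database.
    """

    def __init__(self, retention: timedelta):
        self._store = {}            # token -> (pii dict, expiry datetime)
        self.retention = retention  # how long processing of the PII is permitted

    def put(self, pii: dict, now: datetime) -> str:
        # Random token: not derived from the data, so it reveals nothing about it.
        token = secrets.token_urlsafe(16)
        self._store[token] = (dict(pii), now + self.retention)
        return token

    def get(self, token: str, now: datetime):
        entry = self._store.get(token)
        if entry is None:
            return None
        pii, expires = entry
        if now >= expires:
            # Retention elapsed: refuse re-identification even before purge runs.
            return None
        return dict(pii)

    def purge_expired(self, now: datetime) -> int:
        """Delete entries whose retention period has passed; returns the count."""
        expired = [t for t, (_, exp) in self._store.items() if now >= exp]
        for t in expired:
            del self._store[t]
        return len(expired)


def pseudonymize(record: dict, vault: PiiVault, now: datetime) -> dict:
    """Return a copy of the record with PII replaced by a vault reference."""
    pii = {k: v for k, v in record.items() if k in PII_FIELDS}
    rest = {k: v for k, v in record.items() if k not in PII_FIELDS}
    rest["pii_ref"] = vault.put(pii, now)
    return rest


def reidentify(record: dict, vault: PiiVault, now: datetime):
    """Rebuild the full record, or return None if the PII is unavailable/expired."""
    pii = vault.get(record.get("pii_ref", ""), now)
    if pii is None:
        return None
    full = {k: v for k, v in record.items() if k != "pii_ref"}
    full.update(pii)
    return full


def run_demo() -> dict:
    """Walk one constructed record through storage, lookup, expiry and purge."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    vault = PiiVault(retention=timedelta(days=30))   # assumed retention period
    record = {                                        # constructed sample record
        "customer_id": 1042,
        "name": "Ada Lovelace",
        "email": "ada@example.com",
        "plan": "pro",
    }
    stored = pseudonymize(record, vault, now)
    later = now + timedelta(days=31)
    return {
        "stored": stored,                               # no name/email, has pii_ref
        "reidentified": reidentify(stored, vault, now), # full record while retained
        "after_expiry": reidentify(stored, vault, later),  # None once retention passes
        "purged": vault.purge_expired(later),           # 1 entry removed
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The operational record that most systems and staff touch contains only `customer_id`, `plan` and an opaque `pii_ref`, so a leak of that database exposes no personal data by itself; the retention check in the vault is what turns the "set period of time" in the standard into an enforced control rather than a policy statement.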