About ISO 27701 (Data Privacy Extension to ISO 27001)
ISO 27701:2019 is an extension of ISO 27001 that addresses data privacy concerns. Published in October 2019, this standard provides a framework for organizations seeking to establish a system to ensure compliance with the EU’s GDPR, California’s CCPA, and other data privacy regulations. While ISO 27001 sets the framework for an organization’s Information Security Management System (ISMS), ISO 27701 expands on this and establishes a Privacy Information Management System (PIMS), specifically addressing the following:
- Lawful, fair and transparent processing
- Limitation of purpose, data and storage
- Data subject rights
- Consent management
- Personal data breaches
- Privacy by design
- Data protection impact assessment
- Data transfers
- Data protection officer
- Awareness and training
Does your company require it?
Yes, if your company handles personal data, personally identifiable information, or sensitive personal data by processing, storing, using, profiling, transmitting, maintaining, or changing it. In that case, it is recommended to implement a management system in compliance with ISO 27701. Your company can be classified as either a Controller or a Processor (as defined by the GDPR).
A Controller is a direct custodian responsible for processing personal data from a GDPR perspective. A Processor is associated with or contractually bound to process personal data on behalf of a Controller company.
What Is Required to Be ISO 27701 Compliant?
Univate will help you set up and operationalize the policies, procedures, controls, processes, and documentation needed to be fully compliant with ISO 27701 requirements. This also covers the necessary technical controls, a Data Protection Impact Assessment (DPIA), application controls, setting up a DPO office, and the mandatory data breach reporting process.
How can Univate help you?
Univate can assist you in establishing and operationalizing policies, procedures, controls, processes, and documentation necessary for full compliance with ISO 27701 requirements.
Our services also include the following:
- Implementing essential technical controls.
- Conducting Data Protection Impact Assessments (DPIA).
- Establishing application controls.
- Setting up a Data Protection Officer (DPO) office.
- Implementing mandatory data breach reporting processes.
Why Univate? How do we stand out?
Univate has been involved with several organisations in different industry segments across the world in their ISO 27701 implementation and compliance initiatives. Univate has a unique approach to ensuring that all organizational business functions and processes (products, services, client-facing activities, internal operations, cloud instances) are ISO 27701 compliant. Univate advises, supports documentation and implementation, and ensures that all the appropriate technical and organizational controls/safeguards are in place as per the standard's requirements.
With more than 30 implementations over the last 4 years, Univate has plenty of experience and expertise to take your organization through the implementation and compliance audit.
Salient features of our engagement approach are:
- Unique and proven engagement approach
- End-to-end documentation
- Training on the details of ISO 27701 and its impact on the organisation, including training materials and handholding
- Complex client implementation experience in different countries
- Cost arbitrage
- Reduced management time required
- Reduced cost of sustenance
- Our unique automation tool automates the management of the ISO 27701 controls
- Our compliance framework generates a compliance scorecard periodically
We provide data protection assessments, reviews and gap assessments with respect to ISO 27701 to help companies adopt and implement the management system.
Our assessment and implementation support methodology addresses key areas such as:
- Gap analysis report with remediation actions and recommendations
- Practical road map for design, rollout and institutionalisation of recommended controls
- Training, course materials and certificates for participants
- Identified roles and responsibilities with respect to ISO 27701 compliance requirements
- Conducting a Data Protection Impact Assessment (DPIA)
- Data protection policy, procedure, manual and work instruction documentation
- Recommendation of best practices for data protection by design
- Framework for internal audits and audit reports for PDPL, DPL & GDPR, and ISO 27701 compliance
- DPO office roles and responsibility establishment
- Support for remediation of governance controls, and recommendation and oversight for all technical control implementation
- Final assessment and ensuring formal closure of all gaps and action items, with final compliance scorecard ratings
- Management status report for the PDPL, DPL, ISO 27701 & GDPR initiative
- Transition document/kit for the Data Protection Officer
Benefits of being ISO 27701 compliant:
- Higher credibility and trust with business partners
- Better understanding and management of personal data
- Easier business process automation
- Strong brand reputation
- Minimized legal risks
- Transparency with customers