A useful sub-mechanism for continuously adapting the PIMS to the changing needs of the organization and of interested parties is the continuous improvement process (CIP).
An example: the General Data Protection Regulation requires an information sheet that informs customers or, for instance, citizens at the time of data collection about the nature and scope of the processing of their personal data and about their related rights. These information sheets under Articles 13 and 14 DS-GVO (GDPR) are published in compliance with the law, yet data subjects still submit many requests for this information. By feeding these requests into the CIP as suggestions for improvement, the company recognizes that it can save resources and increase customer satisfaction by optimizing how the information is published.
Advantage #5: Detailed catalog of measures
As described earlier, ISO 27701 is not tailored to the GDPR. The user of the standard is responsible for adding the specific requirements of the GDPR to the PIMS.
However, the international standard provides three extensive catalogs of measures for the general implementation of operational data protection:
- Technical and organizational measures,
- Data protection organization at the controller, and
- Data protection organization at the processor.
The good news for the European user is that the authors of the new standard focused strongly on the General Data Protection Regulation when designing the catalogs of measures. As a result, applying the generic catalogs of measures already covers many of the requirements of the GDPR. Any requirements still missing are then tracked and closed through requirements management.
The measures are best practices for implementation, written in the style of a manual. In contrast to the GDPR, which states business rules, the measures explain to the user of the standard how implementation must take place. From the author's point of view, this is a major advantage.
Conclusion: Data protection and information security
Anyone who has developed and implemented a data protection management system (DSMS) in accordance with ISO 27701 - in other words, anyone who systematically protects and manages the personal data they process - will find it easy to ensure and demonstrate compliance with legal requirements. Properly applied, the standard can prevent many mistakes in the introduction and operation of a DSMS.