The International Organization for Standardization has published a standard for a general data protection management system (DSMS) in 2019. ISO/IEC 27701 describes a DSMS based on an information security management system in accordance with ISO 27001. This special form of DSMS is called a personal information management system (PIMS). The basics for this PIMS are described below. In the process, it is worked out which five main advantages a PIMS offers companies. The free white papers provide further guidance on practical implementation.
- Data protection and information security
- What is a management system anyway?
- The High Level Structure as a blueprint for management systems
- Integrating the GDPR into a management system
- Five advantages of data protection management
- Data Protection and Information Security - Conclusion
- DQS: Simply leveraging Quality.
Data protection and information security
Even in the context of information security, data protection is not a one-time project that is started, run through and completed. Exactly the opposite is the case. Operational data protection is a number of data protection processes that must be permanently available and implementable in organizations, or triggerable by a trigger. Important examples of this are the two data protection processes "ensure data subject rights" and "respond to data protection incidents".
In the data protection world, the use of a data protection management system (DSMS) is seen as the big thing for solving organizations' data protection problems. Why is this so? The answer is relatively simple:
A data protection management system is the framework and driver of operational data protection that organizations must permanently adhere to.
Since May 25, 2018, the European General Data Protection Regulation (GDPR) has simply provided the rules for the DSMS. It formulates strict legal requirements as to what is allowed or prohibited (Business Rules). Germany's DS-GVO (German Basic Data Protection Law) penalties are derived from this. However, it does not make any statement on how to implement the legal data protection requirements.
Data protection and information security - what is a management system anyway?
The definition of a management system is abstract and cannot be operationalized ad hoc. The ISO/IEC 27000:2020 standard defines a management system as a ...
"Set of interrelated and interacting elements of an organization (3.50) to establish policies (3.53), objectives (3.49), and processes (3.54) for achieving those objectives."
Only when the elements of a management system have been defined in more detail can a statement be made as to whether the strict legal and operational data protection requirements of the GDPR are met with the management system specifically in place. The statement that a data protection management system is operated gives no indication of the quality of the DSMS or of the implementation status.
The High Level Structure as a blueprint for management systems
The International Organization for Standardization (ISO) has created a blueprint for management systems called the High Level Structure (HLS). This basic structure contains all the elements that ISO considers relevant for a management system (Appendix 2 to Annex SL of ISO/IEC Directives, Part 1). For this reason, the basic mechanisms of the management system standards are very similar.
The specific DSMS of ISO, the Personal Information Management System(PIMS), therefore has the identical basis as a quality management system according to ISO 9001, an environmental management system according to ISO 14001 or an information security management system according to ISO 27001.
Data protection and information security - integrating the GDPR into a management system
A PIMS in accordance with the international standard ISO/IEC 27701 is universal and not just tailored to the European General Data Protection Regulation. The standard describes a data protection management system based on an information security management system in accordance with ISO 27001, making ISO 27701 suitable for implementing any operational protection of personal data, including California or Japanese data protection law.
ISO/IEC 27701:2021-07- Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines (ISO/IEC 27701:2019).
The standard is available from the ISO website.
BUT: Those who have developed and implemented a PIMS in accordance with the data protection standard - in other words, those who systematically protect and manage their personal data - find it easy to ensure and demonstrate compliance with legal data protection requirements. This is done through the management system mechanism of requirements management. Requirements management is the process of identifying and assessing internal and external requirements and implementing measures to address risks.
What is the difference between data protection and information security?
The fundamental difference between the two topics is simple: information security encompasses all corporate assets to be preserved and serves to protect confidential business information from misuse by third parties. This involves much more than just IT systems. When it comes to data protection, the measures are aimed at protecting personal data. Since May 2018, the EU General Data Protection Regulation has had to be implemented on a binding basis throughout Europe - by all companies and public bodies that process personal data.
Five advantages of data protection management
In the interplay between information security and data protection, a standard should always be understood as a best practice. The concrete implementation of the requirements and measures for data security must be carried out by the user.
The general advantage of the PIMS is the worldwide standardization through the data protection standard and the extensive literature on standard implementation. Admittedly, the standards language "takes some getting used to".
Advantage #1: Assignment of responsibilities
It almost seems to be corporate culture among small and medium-sized enterprises (SMEs) to assign responsibilities unclearly or not at all. It can be observed that in many corporate policies the responsibility for certain activities or assets are not clearly defined and addressed. This is a major shortcoming and leads to gaps and errors in operations.
BUT: Protecting data is a "team sport." Only if all tasks are identified and assigned to responsible parties, and only if these individuals also fulfill their tasks, can your company operate in a data protection-compliant manner.
Data protection is a "team sport": Distributing responsibility is good. Assuming responsibility is better."
By introducing a PIMS, the ownership principle must be introduced into the organization for the scope of the standard. However, the term owner is not to be understood here in its civil law meaning. Rather, in the German language of the standard, owner refers to the responsibility of a person for an asset or the implementation of a requirement or measure.
For example: Maintaining the "Directory of Processing Activities (VVT)" is often delegated to the Data Protection Officer (DPO). Of course, this is complete nonsense and cannot work because the DPO is often not involved in many processing activities at all. In quality management, the process owners perform the process documentation. Top management should delegate this accordingly in data protection as well.
Certificate according to ISO 27701
In terms of certification, ISO 27701 complements the well-known ISO 27001 standard - it will be the first standard to confirm data protection by certificate. DQS is currently in the accreditation process with the German Accreditation Body (DAkkS).
Advantage #2: Operational data protection is risk-oriented
In the German DS-GVO, the European legislator demands a risk-oriented implementation of data security, for example in Article 32 (1) DS-GVO. This risk orientation often does not work in companies where no management system is officially installed. The application of the ISO 27701 data protection standard inevitably introduces risk orientation. Here, the method for data security risk assessment is not prescribed and can - within limits - be determined by the user.
Advantage #3: Change management as a success component
Data security processes can be triggered by a change in the organization. For example, the implementation or adaptation of a business process, a service or a product. Companies without change management have great problems complying with data protection requirements, because changes are regularly handled in a random and uncontrolled manner. This results in a so-called regulatory gap.
"Companies and organizations are constantly changing. Change management also plays an important role in data protection and information security."
A PIMS records and controls these changes with the help of change management and implements them. For example, a change to a business process requires a check for permissibility (legality, data economy, data subject rights, documentation in the VVT, etc.).
For example: The requirement for early involvement of the data protection officer in the design of changes can be achieved quite simply by appointing him to the change team.
Advantage #4: Optimization through a continuous improvement process
Companies are constantly changing. A personal information management system is initially planned, implemented and operated. It is very likely that the first attempt to introduce, implement and operate the system will be suboptimal due to a lack of experience. Even if an experienced consultant is consulted during implementation, stumbling blocks are to be expected.
"Premise: Make information security and data protection systematic and sustainable."
While all PIMS have the identical mechanisms in principle, they are designed differently. Influencing the implementation of the mechanisms can be the size of the organization, the organizational culture, or even the industry focus.
A good sub-mechanism to permanently adapt the PIMS to the changing needs of the organization and interested parties is the continuous improvement process (CIP).
For example: the General Data Protection Regulation requires an information sheet informing customers or, for example, citizens at the time of data collection about the nature and scope of the processing of personal data and related rights. These information sheets according to Article 13 and 14 DS-GVO are published in compliance with the law, however, there are many requests for this information from data subjects. By including these suggestions for improvement, the company recognizes that it can save resources and increase customer satisfaction by optimizing the publication of the information.
Advantage #5: Detailed catalog of measures
As described earlier, ISO 27701 is not tailored to the GDPR. The standard user is responsible for adding the specific requirements of the GDPR to the PIMS.
However, the international standard brings three extensive catalogs of measures for the general implementation of operational data protection:
- Technical and organizational measures,
- Data protection organization at the controller, and
- Data protection organization at the processor.
The good news for the European user is that the authors of the new standard have strongly focused on the General Data Protection Regulation when designing the catalogs of measures. This means that the application of the generic catalogs of measures already maps many of the requirements of the GDPR. Missing requirements are then followed up by requirements management.
The measures are best practices for implementation and written in the style of a manual. In contrast to the GDPR (Business Rules), the measures explain to the user of the standard how implementation must take place. From the author's point of view, this is a very great advantage.
Conclusion: Data protection and information security
Anyone who has developed and implemented a data protection management system (DSMS) in accordance with ISO 27701 - in other words, anyone who systematically protects and manages their personal data - will find it easy to ensure and prove compliance with legal requirements. Properly applied, the standard can prevent many mistakes in the introduction and operation of a DSMS.
"With data protection and information security in mind, ISO 27701 is the long-awaited handbook for implementing the GDPR."
However, certification of the PIMS will only be possible if a certified information security management system according to ISO 27001 is also operated by the company.
DQS: Simply leveraging Quality.
Management system standards provide a systematic and structured framework for taking legal obligations into account and integrating them into business processes. Companies that want to play it safe can have the status of their information security or DS-GVO-compliant implementation audited by an independent body like DQS.
Our core competencies lie in the performance of certification audits and assessments. This makes us one of the leading providers worldwide with the claim to set new benchmarks in reliability, quality, and customer orientation at all times. At the same time, a certified management system for information security and data protection is proof of your company's diligence and foresight in the event of external data attacks.
Trust and expertise
Our texts and brochures are written exclusively by our standards experts or long-standing auditors. If you have any questions about the content or our services to our author, please contact us. We look forward to talking with you.