Privacy is the most essential element in this era: ISO 27701:2019 – Privacy Information Management is the means to achieve it

January 19, 2021 by Bhavin Vora

TECHNOCRAT CONSULTANTS is the leading consulting firm introducing the ISO 27701:2019 standard to protect privacy within the organisation and for its stakeholders, including customers.

ISO 27701 specifies a Privacy Information Management System (PIMS), an extension to the ISO 27001 Information Security Management System (ISMS). It can support your organisation in meeting regulatory requirements and managing privacy risks related to Personally Identifiable Information (PII). In particular, a PIMS can:

  • Support compliance with privacy regulations – such as the European Union General Data Protection Regulation (EU GDPR) and local privacy laws and regulations, such as India's proposed Personal Data Protection Bill (still before Parliament at the time of writing).
  • Provide confidence to stakeholders and customers – that you maintain the highest standards in managing privacy risks related to PII.
  • Define clear roles and responsibilities – for PII controllers and PII processors, who hold responsibility and accountability for PII processing.
  • Minimise risks – of disruption to critical processes and of financial losses associated with a breach.

Promises of compliance without proof are potentially risky

Modern organisations engage in complex data transfers across a deep network of business partners, including partner organisations or co-controllers, processors such as cloud providers, and sub-processors such as the vendors who support those processors. A failure to comply with regulations in any part of this network can cascade into compliance issues across the whole supply chain. This is where independent verification of compliance adds value beyond the assurance provided by contractual terms between these organisations. Since most of these organisations are spread around the world, it is practical to use an international ISO standard to manage compliance across the network.

This reliance on demonstrable compliance increases the importance of certification to the standard. Not every company or organisation needs to earn such certification, but most will benefit from partners and vendors who do, especially when sensitive data or high volumes of data processing are involved.

What should your organisation do with PIMS?

No matter the size of your organisation, and whether it is a controller or a processor, your organisation should consider pursuing certification, either for itself or by requesting it from vendors or suppliers based on your business requirements. This applies especially to processors, sub-processors and co-controllers that process sensitive or high volumes of personal data. When relying on a vendor's certificate, check its scope statement: an ISO 27701 certificate covers only the PIMS scope the certified organisation defined, and states whether it was certified as a PII controller, a PII processor, or both. In any case, your organisation should assess its business needs to determine whether certification of its own products and services is suitable.
