Understanding the Differences between ISO 31700 and ISO 27701: A Guide to Implementing Comprehensive Privacy Management Systems

I already shared with you yesterday about the upcoming release of ISO 31700. While preparing it, I was sure that questions related to last year’s standard ISO 27701 would come along the way, and I was right. So here is a summary.

ISO 31700 and ISO 27701 will be two different standards that address different aspects of privacy and data protection. While both standards are related to privacy by design and data protection, they have distinct features and intended audiences.

ISO 31700, also known as Privacy by Design (PbD), is a framework for organisations to embed privacy into their operations proactively. It provides guidance on designing capabilities that enable individuals to enforce their privacy rights, assigning relevant roles and authorities, giving privacy information to individuals, conducting privacy risk assessments, establishing and documenting requirements for privacy controls, designing privacy controls, lifecycle data management, and preparing for and managing a data breach. The standard will be adopted as ISO 31700 by the International Organization for Standardization (ISO) on Feb 8, 2023.

On the other hand, ISO 27701 is an extension of ISO 27001, the international standard for information security management systems. It provides an additional layer of protection for personal data by specifying the requirements for a privacy information management system (PIMS). The standard provides guidance on establishing, implementing, maintaining, and continually improving a PIMS. This includes, but is not limited to, the management of personal data breaches, privacy impact assessments, and the implementation of privacy controls.

The main difference between ISO 31700 and ISO 27701 is their intended audiences. ISO 31700 is intended for organisations of all sizes and industries and focuses on proactively embedding privacy into the design of operations. On the other hand, ISO 27701 is intended for organisations that handle personal data and focuses on managing personal data and data breaches. Organisations that achieve certification for both ISO 31700 and ISO 27701 will have a comprehensive privacy management system that covers both the proactive embedding of privacy and the management of personal data.

So, while both ISO 31700 and ISO 27701 address different aspects of privacy and data protection, they complement each other in providing a comprehensive privacy management system. Organisations that handle personal data can benefit from implementing both standards, as they offer a holistic approach to protecting personal data, from proactively embedding privacy into the design of operations to managing personal data and data breaches.