Compliance is a vital part of any privacy protection operation – organisations need to be able to demonstrate that they are fulfilling their obligations towards PII, and the systems that are used to store and process privacy-related material.
ISO 27701 6.15 deals with compliance in two main areas – compliance with legal and contractual requirements, and information security reviews (the latter being the main vehicle to uncover instances of non-compliance, and resolve any privacy-related issues).
Four sub-clauses contain information that is relevant to UK GDPR legislation – we’ve provided the article references underneath each sub-clause for your convenience:
Organisations should conform to legal, statutory, regulatory and contractual requirements when:
Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.
Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third parties, suppliers and contractors.
When deploying encryption methods to bolster privacy protection and safeguard PII, organisations should:
To safeguard any data, software or assets that could be deemed intellectual property (IP), organisations should:
Organisations should consider record management across four key areas:
To maintain a functional records system that safeguards PII and privacy-related information, organisations should:
Organisations should treat PII as a topic-specific concept that needs to be addressed within the scope of numerous distinct business functions.
First and foremost, organisations should implement policies that cater to three main aspects of PII processing and storage:
Organisations should ensure that all employees are aware of their obligations towards handling PII, not merely those that encounter it daily as part of their job.
Organisations should appoint a Privacy Officer, whose job it is to provide guidance to employees and third-party organisations on the subject of PII, alongside offering advice to senior management on how to maintain the integrity and availability of privacy information.
See ISO 27701 Clause 6.15.1.1
Organisations should develop processes that cater for independent reviews of their privacy information security practices, including both topic-specific policies and general policies.
Reviews should be conducted by:
Reviews should be independent and carried out by individuals with sufficient knowledge of privacy protection guidelines and the organisation’s own procedures.
Reviewers should establish whether privacy information security practices are compliant with the organisation’s “documented objectives and requirements”.
As well as structured periodic reviews, organisations may come across the need to conduct ad-hoc reviews that are triggered by certain events, including:
Organisations need to ensure that personnel are able to review privacy policies across the full spectrum of business operations.
Management should develop technical methods of reporting on privacy compliance (including automation and bespoke tools). Reports should be recorded, stored and analysed to further improve PII security and privacy protection efforts.
Where compliance issues are discovered, organisations should:
It is vitally important to enact corrective measures as soon as possible. If issues aren’t fully resolved by the time of the next review, at a minimum, evidence should be provided to show that progress is being made.
See ISO 27701 Clause 6.15.2.2
ISO 27701 is not just a framework for organisations to adopt; it means adapting the way people understand, interface and interact with data.
At ISMS.online, we have designed our system so that you and your staff can take advantage of our easy-to-use interface for documenting your ISO journey.
We also provide video resources and access to information security professionals to help you integrate standards into your company.
Find out more by booking a hands-on demo.