Telephone: 01908 041464 | Email: sales@spedan.co.uk

Privacy and Protection of Personally Identifiable Data under GDPR within the context of ISO 27001

Monday 7th September 2020

Personally Identifiable Information and ISO 27001 and ISO 27701 

ISO 27001:2013 and it's associated guidance sets out very clear requirements on organisations that are holding Personally Identifiable Information (PII). PII is defined by the ICO very clearly (see here) and in summary states that: 

  • An individual is ‘identified’ or ‘identifiable’ if you can distinguish them from other individuals.
  • A name is perhaps the most common means of identifying someone. However whether any potential identifier actually identifies an individual depends on the context.
  • A combination of identifiers may be needed to identify an individual.
  • The GDPR provides a non-exhaustive list of identifiers, including:
    • name;
    • identification number;
    • location data; and
    • an online identifier.
  • ‘Online identifiers’ includes IP addresses and cookie identifiers which may be personal data.
  • Other factors can identify an individual.

If, by looking solely at the information you are processing, you can distinguish an individual from other individuals, that individual will be identified (or identifiable). You don’t have to know someone’s name for them to be directly identifiable, a combination of other identifiers may be sufficient to identify the individual. If an individual is directly identifiable from the information, this may constitute personal data. 

Controls in ISO 27001 

Before reviewing the control points in ISO 27001, organisations should consider the context of thier organisation and activities they carry out. Under GDPR, organisations should define whether they are Data Controllers or Data Processors. This distinction will have significant impact on the level of controls they place on data and PII. 

There are several Control points in ISO 27001 and it's associated guidance (ISO 27002) where PII is referenced: 

Standard Control Point in Statement of Applicability  Requirement
ISO 27001  7.1.1. Screening (Prior to Employment)  Verification should take into account all relevant privacy, protection of personally identifiable information and employment based legislation
ISO 27002 5.1 Management direction for Information Security  Organisations should consider developing appropriate policies for PII 
ISO 27002 12.1.4 Logging and Monitoring  This requirement notes that event logs can contain PII and that appropriate controls should be put on them 
ISO 27002 14.3 Test Data This requirements notes that Operational Data that contains PII should not be used for testing purposes, but if this is unavoidable, it should be cleaned in advance 
ISO 27001 and ISO 27002 18.1.4 Privacy and protection of personally identifiable information Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.

ISO 27001 Implementation guidance

An organisation’s data and sensitive information policy for privacy and protection of personally identifiable information should be carefully developed and implemented to ensure internal compliance with ISO 27001. This policy should be communicated to all persons involved in the processing of personally identifiable information. 

Business compliance with this policy and all relevant imposed legislation and regulations concerning the protection of the privacy of people and the protection of personally identifiable data and information requires appropriate management structures, protocols and controls. This can be best achieved by the appointment of a person or group responsible within the context of the organisation, such as a Privacy Officer, who should be able to provide guidelines to managers, users, service providers and employees on their individual responsibilities regarding personally identifiable data and sensitive information.

Furthermore, as illustrated by the guidelines set out under ISO 27001, they will be required to inform the relevant parties and individuals on the specific procedures that should be followed. The responsibility for handling personally identifiable data and information, as well as ensuring correct levels of awareness of privacy principles within the organisation, should be dealt with in accordance to the relevant legislation and regulations. In addition, the appropriate technical and organisational measures to protect personally identifiable data and information should be implemented.

Other ISO Standards

ISO/IEC 27701:2019 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines

This Standard is an extension to ISO 27001 and provides further guidance for organisations seeking further compliance with GDPR or customer-driven privacy requirements. ISO 27701, which has been abbreviated to PIMS (Privacy (or Personal) Information Management System) outlines a framework for PII Controllers and PII Processors to manage data privacy. ISO 27701 can be used by PII controllers and PII processors. It will provide an organisation a framework of documentary evidence of how it handles the processing of PII. This evidence can be used as part of contractual agreements between business partners where the processing of PII is relevant. This can also assist in relationships with other stakeholders.

ISO 29100:2020 Information technology — Security techniques — Privacy framework

This International Standard provides a high-level framework for the protection of personally identifiable information (PII) within information and communication technology (ICT) systems. A number of countries have introduced legislation and regulations (like the GDPR and DPA 2018) placing strict controls on the collection, processing and transmission of personally identifiable data and information. Depending on the respective national legislation and regulations, such controls may impose duties on those processing, collecting and disseminating personally identifiable data and information, and may also restrict the ability to transfer personally identifiable data and information to other countries or legal entities based in other countries.

This Standard is general in nature and provides an overall privacy framework for organisational, technical, and procedural aspects. This is useful for organisations seeking to define privacy safeguarding requirements related to PII by:

  • specifying a common privacy terminology
  • defining the interested parties and their roles in processing PII
  • describing privacy safeguarding requirements
  • referencing known privacy principles

provides a comprehensive and high-level framework for the protection of personally identifiable data and information within information and communication technology systems.

Need help to implement ISO 27001? 

Spedan Ltd provide a range of support packages and consultancy to support your ISO 27001 projects. Call or email for a no-obligation chat to see how we can help you suceed. 

 


Related Articles

Comparing Cyber Essentials to ISO 27001
Use 27001 to meet the Hiscox recommendations
14 controls points in the Statement of Applicability

Adam Faiers - Director

Adam has been working on Quality and Environmental management systems for most of his career in small, medium and corporate organisations. A keen advocate of the ISO approach as a platform for improvement, Adam ensures that systems are practical and useful for Managers and Staff to use.

Following a number of years working on software development projects, Adam has diversified into Information Security and Business Continuity management. Keen to formalise his industry experience, he is currently undertaking a Diploma in Business Continuity Management at Buckingham University.

Adam has a PhD from Cranfield University and now supports the MSc Environmental Management programmes through the advisory panel and visiting lectures.


We hope this article has been helpful

If you have any further questions or want to learn more about what we can do for your business, please contact us using the link or details below:

CONTACT US

Tel: 01908 255 525
Email: sales@spedan.co.uk