The Saudi Data and Artificial Intelligence Authority postponed implementation of the Personal Data Protection Law until March 17, 2023, the Saudi Gazette reports. In a press release shared on Twitter, the SDAIA said the postponement follows stakeholder views and responses to a public consultation and was made “in order to achieve the ultimate goal of such a law.” The SDAIA encouraged stakeholders to participate in a second public consultation process to “enhance” the law, which had been set to take effect March 23.
Full Story
Author: IAPP News
The Legal Aid Society filed a class-action lawsuit alleging the New York City Police Department maintains an illegal DNA database, The New York Times reports. It alleged NYPD detectives collected DNA samples without both suspects’ and non-suspects’ consent by offering beverages, cigarettes, gum or food to a person being questioned in connection with a crime. The detectives, allegedly, would then collect the item for DNA extraction after they left.
Full Story
- Join the IAPP March 29 as Paul Hastings Partner Aaron Charfoos, CIPP/US, and CompliancePoint Privacy Services Director Matthew Dumiak, CIPP/E, CIPP/US, discuss existing and emerging data retention obligations, risks of failing to operationalize retention programs, and creating a collaborative security and privacy process. The discussion will be moderated by Exterro’s Director of Strategic Partnerships Robert Fowler, CIPP/US.
- On March 30, BigID Product Management Director Tomer Elias and PwC Information Governance and Privacy Director Jake Meek, CIPP/US, CIPM, will share insights on how to build a privacy impact assessment framework that establishes accountability necessary to manage privacy risk, leading practices for creating PIAs in various environments, identifying and remediating high-risk data issues, and more.
- On March 31, DataGrail Senior Manager, Corporate Marketing and state Sen. DeAndrea Salvador, D-N.C., and privacy advocate Alicia diVittorio will explore the state of the California Consumer Privacy Act, how much the average organization is paying for their privacy programs, what to expect when the California Privacy Rights Act goes into effect next year and more.
- Todd McKinnon, CEO of two-factor authentication company Okta, confirmed a data breach that occurred in January, CNET reports. According to the company, the breach affected 2.5% of the 15,000 businesses that use Okta’s services, and customers were not required to take any corrective action.
- Creative Services, a Massachusetts background check company, is being sued in four parallel data breach lawsuits, InfoSecurity Magazine reports. The lawsuits alleged names, birth dates, financial accounts, Social Security numbers and driver’s license information of 164,673 clients were copied by an unauthorized user between 2018 and 2021.
Norway's data protection authority, Datatilsynet, published guidance for employers using video surveillance on employees in the workplace. The regulator stressed that requirements for employee monitoring under the EU General Data Protection Regulation and the Working Environment Act need to be met before cameras are installed and run. The guidance outlines purpose limitation as well as standards for disclosing, storing and securing recordings.
Full Story
U.S. Sens. Ron Wyden, D-Ore., and Steve Daines, R-Mont., proposed the Government Surveillance Transparency Act, Nextgov reports. The legislation would require law enforcement at the federal and state levels to notify individuals being surveilled and limit how long surveillance material could be sealed. The bill includes digital communications, phone calls and wiretaps. Co-sponsor Sen. Mike Lee, R-Utah, said the bill “strikes an appropriate balance between protecting criminal investigations and notifying individuals when their private electronic communications are surveilled by the government.”
Full Story
Several Big Tech companies, including Apple, Alphabet, Google and Microsoft, claim they are progressing toward eliminating the need for passwords, The Wall Street Journal reports. The group is called the Fast Identity Online Alliance and is composed of 250 members. Users would log into online accounts by using unlock mechanisms on their smartphone or computer. Users would connect a public “key” held on the account service provider’s server to a private one on their device, instead of sending a password over a network.
Full Story
The future of the user-tracking landscape for advertising technology companies was supposed to be cleared up this year between more experience with Apple's App Tracking Transparency framework and preparations for Google's planned third-party cookie phaseout. The forecast for such coherence in 2022 hasn't come to fruition due in part to some privacy shifts on Google's part.
The company dealt the adtech community a couple curveballs in a matter of weeks at the beginning of 2022. First came the January announcement that Google was abandoning its cookie replacement, Federated Learning of Cohorts, and moving forward with a new alternative approach called "Topics," ahead of the 2023 cookie cutoff. That change set the stage for an early-February announcement with details on Google's plan to fully end cross-application tracking on Android devices by 2024.
Working to a company's advantage on both these fronts are grace periods and the ability to provide feedback — for better or worse — on everything Google is doing. The downsides continue to be uncertainty as to whether these moves will stick and which companies get lost in the shuffle.
"The problem is, there are going to be a lot of business left behind, and the lack of clarity means more regulatory risk and a high price tag for regulatory compliance, which is going to hurt many small and medium-sized businesses that don’t have the margins to account for the constant zigzag of developments," Kelley Drye & Warren Partner Alysa Hutnik, CIPP/US, said.
Introducing 'Topics'
There were signs FLoC was hitting snags when Google announced in June 2021 that its plans for a 2022 cookie phaseout were being pushed out a year. The company noted it had "become clear that more time is needed across the ecosystem to get this right." What was missing at that point was what the exact hang-ups were with FLoC, a machine learning-powered concept that grouped users based on their common browsing behavior.
"We heard loud and clear from the market that (FLoC's approach) still made it possible to re-identify users and the system would be really difficult for users to understand in the first place," Google Senior Manager of Government Affairs and Public Policy Ari Levenfeld said, noting Topics is designed for the same ad-use cases as FLoC.
The actual concept for Topics follows closely with its name as users are assigned to topic categories via an algorithm built into a given device that reads the contents of a webpage. Users' site histories generate a weekly report of a handful of "top topics," which users can view, remove or opt out of. With Google's privacy measures and additional revolving "noise" attached, a user's browser shares a limited set of top topics with advertisers. Those topics can then be used to deliver ads.
Levenfeld made clear limitations around the number of topics being produced, proposed to be a few hundred overall for users to be filed under, would reduce user profiling and the possibility of bundling users into sensitive categories.
"The browser will be assigning categories to users, but there is no personal information being used beyond that that's being made available," Levenfeld said. "It's one of the challenges the Chrome team really wrestled with over the last year. The solution to address all that is to keep all the computation on a user's device so that nobody gets that information, including Google."
Another area of friction Google received feedback on was the presentation and accessibility of user controls. Levenfeld said concerns were raised that mechanisms weren't "fleshed out enough." With so much being made about clear user opt-out capabilities with cookie banners, especially in the EU, it was important for Google to up the ante with simplified mechanisms.
"They need to be intelligible in order to really matter to users," Levenfeld said. "The idea is to make it very clear to the user what is happening and make their choices immediately accessible."
A developer trial of Topics and its user controls will be rolled out in Chrome sometime this spring, according to Levenfeld.
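As an added example (not Google's code and not part of the original article), the script below models the Topics flow described in this section: classification on the device, a weekly list of top topics that honours the user's removals and opt-out, random noise, and the rule that a caller only learns a topic it could have observed itself. The taxonomy, browsing history, number of topics per epoch, noise rate and observation rule are all constructed assumptions for the demo, not the real Topics parameters.

```javascript
// Added illustration of a Topics-style on-device flow; not Google's implementation.
// Assumed parameters: TOPICS_PER_EPOCH top topics per weekly epoch, a NOISE_PROBABILITY
// chance of handing out a random topic instead, and an "observation" rule that a caller
// only learns a real topic if it was embedded on a page of that topic the user visited.

// Constructed stand-in for the topic taxonomy: hostname -> topic category.
const TAXONOMY = {
  "bikes.example": "Cycling",
  "trailgear.example": "Cycling",
  "recipes.example": "Cooking",
  "chef.example": "Cooking",
  "stocks.example": "Investing",
  "news.example": "News",
  "clinic.example": "Health",
};
const ALL_TOPICS = ["Cycling", "Cooking", "Investing", "News", "Health", "Travel", "Music"];
const TOPICS_PER_EPOCH = 3;      // assumption, kept small for the demo
const NOISE_PROBABILITY = 0.05;  // assumption

// Constructed week of browsing. `observers` lists the third-party callers
// (ad or measurement scripts) that were present on that page and asked for topics.
const HISTORY = [
  { host: "bikes.example",     observers: ["ads.example"] },
  { host: "trailgear.example", observers: ["ads.example", "metrics.example"] },
  { host: "recipes.example",   observers: ["metrics.example"] },
  { host: "chef.example",      observers: [] },
  { host: "stocks.example",    observers: ["ads.example"] },
  { host: "news.example",      observers: ["ads.example"] },
  { host: "clinic.example",    observers: ["ads.example"] },
];

// User controls described in the article: the user has removed "Health" from
// their topics and has not opted out entirely.
const USER_SETTINGS = { optedOut: false, removedTopics: new Set(["Health"]) };

// Classification happens on the device; nothing about the page leaves the browser.
function classify(hostname) {
  return Object.prototype.hasOwnProperty.call(TAXONOMY, hostname) ? TAXONOMY[hostname] : null;
}

// Compute this epoch's "top topics" from the local history, honouring user settings.
function computeTopTopics(history, settings) {
  if (settings.optedOut) return [];
  const counts = new Map();
  for (const { host } of history) {
    const topic = classify(host);
    if (topic === null || settings.removedTopics.has(topic)) continue;
    counts.set(topic, (counts.get(topic) || 0) + 1);
  }
  return [...counts.entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0])) // most visited first, name as tiebreak
    .slice(0, TOPICS_PER_EPOCH)
    .map(([topic]) => topic);
}

// Topics a given caller could have observed itself, because it was present on a
// page of that topic. This caps what any caller can ever learn.
function topicsObservedBy(history, caller) {
  const seen = new Set();
  for (const { host, observers } of history) {
    const topic = classify(host);
    if (topic !== null && observers.includes(caller)) seen.add(topic);
  }
  return seen;
}

// What the browser hands to one caller for this epoch: a single topic or null.
// `rng` returns a number in [0, 1) and is injected so runs are reproducible.
function topicForCaller(history, settings, caller, rng) {
  const top = computeTopTopics(history, settings);
  if (top.length === 0) return null; // opted out or nothing classifiable
  if (rng() < NOISE_PROBABILITY) {
    // Noise: a uniformly random topic, returned regardless of observation,
    // so that any single answer is deniable (assumed modelling of the noise step).
    return ALL_TOPICS[Math.floor(rng() * ALL_TOPICS.length)];
  }
  const topic = top[Math.floor(rng() * top.length)];
  return topicsObservedBy(history, caller).has(topic) ? topic : null;
}

// Small seeded PRNG (mulberry32) so the stand-alone demo below is deterministic.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function () {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

const demoRng = mulberry32(42);
console.log("top topics:", computeTopTopics(HISTORY, USER_SETTINGS));
for (const caller of ["ads.example", "metrics.example"]) {
  console.log(caller, "receives:", topicForCaller(HISTORY, USER_SETTINGS, caller, demoRng));
}
```

Note that the removed "Health" topic never appears in the top list even though the clinic visit was classified, and that metrics.example, which was never present on an investing page, gets nothing when the browser picks "Investing".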
Expecting the unexpected
Google's acknowledgement that a cookie alternative needed more thought and subsequent replacement wasn't solely a company decision. As Levenfeld alluded, perspective from industry players on the lack of workability FLoC presented was a driving force behind the shift to Topics.
"The digital advertising industry is at a critical juncture, and collaboration between stakeholders will result in the best outcomes for consumers and businesses," Network Advertising Initiative Vice President of Public Policy David LeDuc said. "Google’s announcement that it will shift from FLoC to Topics represents a continued effort to support a range of viable, consumer-first technologies to enable data-driven advertising."
From a preparation standpoint, it's unclear how far down the road companies got with plans to adapt to a FLoC-based ecosystem. Some companies didn't wait for Google's solution and opted for their own cookie alternatives, some with privacy-preserving techniques and others that continue similar user-tracking tactics the industry has become accustomed to.
"I expect we will continue to see an evolution of options that will have ripple effects for everyone in the industry, which underscores the difficulty in planning a forward-leaning digital advertising strategy," Hutnik said. "Brands, publishers, and everyone in-between are all placing bets on what the future of digital advertising looks like and how it is shaped by privacy and competition law changes, as well as business innovations and disruptors."
Levenfeld said Google never considered dropping cookies without an alternative. That line of thinking was related to the potential proliferation of user-tracking approaches that may not meet the privacy standard Google envisions across the web. It's unclear to this point whether the non-Google solutions are the start of an ill-advised wave or simply a case-by-case fix until the next advertising space's next user-tracking conundrum.
"I think that companies of all sizes now should be evaluating the various arrows that exist in the expanding quiver of post-cookie ad practices," Greenberg Traurig Shareholder Darren Abernethy, CIPP/A, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP, PLS, said. "Each company’s data, environments and goals are different, and so require a tailored legal approach. Right now there is no one-size-fits-all panacea, but innovation is happening."
Sandbox for Android: A prelude to Google's own ATT?
Potentially more impactful than the cookie deprecation is Google's move to apply Privacy Sandbox to Android devices. While the announcement seemed sudden, the conversation around cookies and some subtle transparency initiatives months prior ultimately laid the groundwork for Google to commence the Android shift.
The first bit of foreshadowing came in May 2021 when the Google Play store rolled out a safety section that divulged how app developers collect, use and store user data. The next shoe to drop was increased ad-tracking protections, a presumed response to Apple's ATT rollout.
"The Sandbox principles are the same on Android as they are on Chrome," Levenfeld said. "There are additional technologies that we'll need to build specific to Android that will limit companies' abilities to track users covertly and share information with third parties. Building that technology is going to really reduce the fingerprinting."
Levenfeld said it would've been easy to follow Apple's lead on curtailing cross-app tracking, but Google's approach contains important differences. Sandbox on Android will emphasize innovation and collaboration, which Apple's ATT allegedly does not, and its adoption timeline is meant to support members of the ecosystem.
Digital Content Next CEO Jason Kint isn't so sure Google's meticulous approach will be an improvement over ATT.
"Apple’s ATT allows users a simple choice not to be tracked across different companies’ apps using a clear definition for tracking and a persistent opt-out which Google has fought for many years," Kint said. "Although Facebook did a good job trying to confuse everyone on this, Apple itself follows the same rules as all other apps. If you believe Google will also follow Apple’s lead and limit its own ability to track users across the app ecosystem despite having the dominant browser and operating system then I have an NFT in the Metaverse to sell you."
Google's commitment to collaboration on the Android initiative might be a double-edged sword. On one hand, engaging relevant stakeholders will help Google arrive at a path that will address all concerns and ensure Sandbox will include solutions for all adtech players. These consultations could also lead to a watered down product that meets companies where they are at rather than meeting halfway on a balance between user privacy and maintaining business models.
NAI President and CEO Leigh Freund lauded the concept of collaboration across a "rich and diverse digital marketplace."
"New technologies and approaches must embrace and enhance competition, not diminish it," Freund said in a public statement. "Consumers and the ad industry will benefit from solutions that address various platforms, rather than simply having siloed conversations about specific platforms or limiting the discussion to 'third-party' data. All companies who collect or process consumer data, regardless of their position in the marketplace, need to be responsible stewards of that data."
Hutnik is also a proponent of this collaborative approach, opining that it was inevitable and necessary given that any substantial change would need to consider a range of groups, including marketing, product, infosecurity and legal teams within an affected company.
"There is clearly a lot of investment and thought capital devoted right now to new ways to perform effective advertising and measurement that are more privacy and security conscious," Hutnik said. "Some options include less or no personal data, but even the options that do involve personal data are being considered in the context of much greater data security, data minimization, and steps to account for a clean supply chain."
Photo by Firmbee.com on Unsplash
Jamaica’s Data Protection Act, passed in 2020, established the Office of the Information Commissioner to enforce data privacy rights outlined in the legislation. Appointed Dec. 1, 2021 to give strategic direction to the OIC, Information Commissioner Celia Barclay is in the process of building the office from the ground up.
“We are literally starting from scratch as all we have is a legislation which creates an office and prescribes its mandate. I have the responsibility of building out every aspect of that office," Barclay, the first and only appointment within the OIC thus far, said.
Barclay, who has authority over establishing the office's structure and determining its operations, said, “the best part of it is that you have a blank slate to create what you believe will best serve the purpose. While there are roadmaps that can be followed, there is some discretion to follow them or chart a new course.”
Jamaica’s Data Protection Act sets requirements around all aspects of the processing of personal data including its collection, storage, and use and applies to individuals or entities that collect data in or process personal data through Jamaica. Under the Act, the OIC is responsible for monitoring compliance and enforcement, providing information to the public, releasing guidelines, and more.
Since her appointment three months ago, Barclay — who has more than 14 years of experience practicing law in the private and public sectors and 10 years' experience in management and administration — has embarked on the process of determining the ideal structure for the office, recruiting staff, engaging in public awareness activities around the Data Protection Act, and establishing relationships with international bodies that may support the OIC’s work.
When the office is built out, she envisions a full staff of approximately 60 people utilizing “an almost fully automated system with digitized information to carry out all the required functions, including registration of data controllers, review of data privacy impact assessments, investigation of complaints, tracking the prosecution of breaches, and the provision of advice and guidance as necessary to the government and different sector groups, as well as disseminating information to the general public.”
Barclay’s 2021 appointment date commenced a two-year transitional period which will run to Dec. 1, 2023 for data controllers to put themselves in a position of compliance with the DPA.
“In the meantime, and in addition to building out the Office of the Information Commission, we have been using public awareness activities to also garner information about the issues and concerns which may be particular to specific interest groups,” she said. “This will later inform our consultations for the development of guidelines for different sectors/industries.”
While the Act passed in 2020, the supporting regulations that Barclay said will “give full force to the legislation” are still pending. She said the regulations — which will give further directions on how to best go about meeting the data protection standards and other requirements within the legislation — are anticipated to be promulgated within the next six months.
Conversations with regional colleagues in data protection, and the broader community through the Common Thread Network, are also underway. Barclay said discussions have begun “regarding support we can give each other with the sharing of information and/or approaches to common issues” and the possibility of agreeing to minimum standards “to address any differences countries may have in their legislative requirements which would impact their ability to properly and efficiently deal with each other.”
Barclay noted the OIC could have discretion to prosecute breaches prior to the expiration of the transitional period, subject to the relevant sections of the DPA being brought into effect and if the circumstances deem it necessary. Enforcement, she said, will include monitoring and investigating data controllers’ data processing practices, notifying controllers of necessary changes required to ensure compliance, and “where necessary, the prosecution and imposition of fines and penalties to controllers who fail to comply.”
With strong support for the OIC, high expectations for its work to come, and a heightened interest in data privacy and the rights and obligations imposed by the DPA, Barclay said every day presents an opportunity to both learn and impart knowledge.
“We’ve had persons contacting us to ask, ‘Does this affect me? What are the implications?’ and of course, you have the larger organizations such as membership associations, major corporations, various sector representatives, and other groups reaching out to say, ‘We heard about this. What does it really mean? What is it that we need to do and where can we get help?’ So that is of course good,” she said. “I have really been welcoming those queries and encouraging persons to take the next steps to find out more.”
Despite the interest, Barclay said data privacy and data protection is still “relatively understated in Jamaica.” She encourages citizens to educate themselves and organizations and those working in the data space to implement the necessary measures to become compliant, adding “two years pass fast, and there’s a lot you need to do, so get the ball rolling now.”
She’s been working to broaden public awareness through participation in public discussions. In celebration of Data Protection Day this past January — Jamaica’s first opportunity to participate with its own legislation passed — Barclay participated in several activities initiated by private sector entities geared towards informing the public. She also published an article in the country's two newspapers of widest circulation highlighting the rights of data subjects and advising on what they can do to protect themselves as well as the obligations of data controllers and steps they should take during the two-year transitional period. The OIC has additional public awareness events planned into the summer.
“Jamaican citizens should know that they have a constitutional right to the privacy of their personal data and the Data Protection Act entitles them to determine whether and how their personal data is processed,” Barclay said. “Public bodies, corporate entities and other persons who receive and process data subjects' personal data have a duty to do so within certain limits and adhering to certain standards of data protection. Once the Act is in full effect and the OIC becomes fully operational, persons who believe their data privacy rights were or are being contravened, will be able to report it to the Information Commissioner and have the matter investigated and resolved, including where applicable, obtaining redress.”
Barclay said the tasks of building out a regulatory office and implementing a new legislation are challenging but she is tackling them with the same excitement that drew her to the role as information commissioner.
“The data protection field is still relatively new, but rapidly growing and its importance and applicability to individuals, businesses and countries is global,” she said. “The potential for development in the area is unlimited and I like the idea of being able to contribute to that.”
Photo by Yves Alarie on Unsplash
What if there was a formula describing the best methods, techniques and guidelines for privacy? In the face of rapid evolution of information technology and regulations for privacy and data protection, working along the lines of clearly defined controls, concepts and principles is a necessity to tackle the complexity of this constant change.
A pathway to best privacy practices
In the domain of information and communication technology, the International Organization for Standardization develops standards together with the International Electrotechnical Commission in their Joint Technical Committee 1. Consequently, most ISO and IEC standards in the field of security and privacy are developed within JTC 1. The global importance of the vast variety of ISO/IEC standards, specifications and reports that aim to document “the best way of doing something” cannot be overestimated.
ISO is an international organization with national standards bodies from 124 countries contributing as full members, making it a unique nation states-oriented standardization body with global reach. IEC unites a similar number of countries. Currently, 100 countries collaborate in JTC 1. This setup is significantly different to other standard setting bodies, such as industry consortia like the World Wide Web Consortium, organizations of professionals like the Institute of Electrical and Electronics Engineers or government bodies like the National Institute of Standards and Technology.
ISO and IEC are best known for their international standards, defined as providing “rules, guidelines or characteristics for activities or for their results, aimed at achieving the optimum degree of order in a given context.” This can include product standards, test methods, codes of practice, guideline standards or management systems standards.
Apart from standards, ISO and IEC publish a variety of other deliverables. Technical specifications are published for immediate use while still subject to feedback, resulting in eventual standardization. Technical reports summarize information about the “state of the art” of a specific issue or theme.
Why are ISO/IEC standards important?
While there are more than 24,000 published ISO, IEC and ISO/IEC standards, certification or accreditation is only available for a limited few. Where it is available, there are many reasons for pursuing a certification according to such standards, performed by external certification bodies. Certification results can serve as a seal of approval from a third party and demonstrate accountability. Organizations might be contractually obliged to maintain certifications. Certifications can also lead to a competitive advantage, demonstrating commitment to minimizing risk exposure in an internationally recognized manner. Also, they are a good way to show customers and key stakeholders that the protection of personal information is taken seriously.
Even when not certified, the implementation of standards can strengthen internal good governance and practices. Their use can not only initiate necessary change processes but also make effective security and privacy management obvious to the board. Thus, even without aiming to obtain a certification, taking a close look at how ISO/IEC formalizes processes around information security and privacy can be considered crucial for keeping up with best practices and state of the art of security and privacy measures.
Privacy-related work within ISO/IEC
In the field of IT, JTC 1 works with its more than 20 subcommittees to develop, maintain, promote and facilitate ICT standards for business and consumer applications.
Subcommittee 27 covers the field for information security, cybersecurity and privacy protection. Two hundred and ten standards have already been published under the responsibility of ISO/IEC JTC 1/SC 27. Eighty-two standards are currently in development. The latest work of SC 27 includes the security and privacy requirements of the internet of things, big data security, trustworthiness and applications involving privacy technology.
The primary source for standards that define state of the art privacy practices and privacy by design is ISO/IEC JTC 1/SC 27/WG 5, focusing on “identity management and privacy technologies.” Its work includes a privacy framework, a privacy reference architecture, privacy infrastructures, a privacy impact assessment, specific privacy-enhancing technologies and privacy engineering.
The basis for ISO/IEC privacy standards
Which privacy-related standards of ISO and ISO/IEC can support an organization or specific functions within a company best? There is a lot to choose from. Depending on the sector, product, role and task at hand, the approach to structure and analyzing which standards are most appropriate can vary.
The common denominator of ISO and IEC’s work on privacy in general is the privacy framework ISO/IEC 29100:2011. Originally published in 2011, it was last reviewed and updated in 2018.
The ISO/IEC 29100 Privacy Framework defines a basic privacy terminology, defines roles of different organizations with respect to privacy, describes privacy safeguarding considerations and contains a list of the following 11 privacy principles:
- Consent and choice.
- Purpose legitimacy and specification.
- Collection limitation.
- Data minimization.
- Use, retention and disclosure limitation.
- Accuracy and quality.
- Openness, transparency and notice.
- Individual participation and access.
- Accountability.
- Information security.
- Privacy compliance.
For all those principles, the Privacy Framework provides further details on how to adhere to them. In comparison to privacy principles formulated in the U.S. Fair Information Privacy Practices and the EU General Data Protection Regulation, the 29100 Privacy Framework is based on an international agreement. As such, it is comparable to the Organisation for Economic Co-operation and Development Privacy Protection Guidelines, which also reflect the consensus of the international community regarding personal data, while encompassing privacy in ICT systems.
The 29100 Privacy Framework is publicly available free of charge and is the basis for all other ISO/IEC privacy-related standards. It is accompanied by the Privacy Reference List SD 2, which provides an overview of privacy and data protection laws and authorities around the globe.
An orientation in the landscape of ISO/IEC privacy standards
From a privacy management perspective, the core of privacy standards built on the basis of the ISO/IEC 29100:2011 Privacy Framework is ISO/IEC 27701:2019. ISO/IEC 27701:2019 is the most crucial standard for implementing a comprehensive privacy information management system and will be covered in more detail below.
A large variety of more detailed standards help fulfill the best practices of ISO/IEC 27701:2019. They can also be used independently. To help assess which standards are most useful under given circumstances, ISO/IEC privacy standards can be grouped in a variety of ways. In a perspective based on ISO/IEC 29100, the publications and projects of WG 5 and SC 27 can, for example, be categorized into the following principles and related management issues:
- First, several standards provide additional guidance in support of the requirements of a PIMS.
For example, ISO/IEC TR 27550:2019 is a technical report on privacy engineering for system life cycle processes. It provides an overview of the current state of the art of privacy engineering, explores how to integrate various management processes, and elaborates on objectives, controls and risk models.
Another relevant guidance for anyone involved in implementing privacy by design considerations into projects is ISO/IEC 29134:2017. These guidelines describe the process, structure and content of a PIA.
- A second group of standards define specific controls and expand on technical and organizational requirements.
For example, ISO/IEC 29184:2020, “Information technology - Online privacy notices and consent,” provides details on the implementation of the privacy principles of “consent and choice” and “openness, transparency and notice.” It lays the foundation for presenting clear, easily understood information about the processing of personal data, and specifies controls to obtain consent in a fair, demonstrable, transparent, unambiguous and revocable manner.
Other standards cover authentication, access management, user preferences, deletion, identity management or deidentification.
- Lastly, additional standards focus on specific sectors.
For example, ISO/IEC 27018:2019 establishes sets of controls to protect personal information in the context of public clouds acting as processors. Other areas, like IoT, smart cities, big data and financial technology services, are also covered by dedicated standards.
Notably, ISO/IEC 27701 for implementing a Privacy Information Management System is a crucial management standard. An example for a widely applicable privacy standard that can be operationalized independently is the Guidelines for privacy impact assessments in ISO/IEC 29134:2017. Both are explained below in further detail.
A Privacy Information Management System according to ISO/IEC 27701
The most prominent standard of ISO/IEC in privacy is “ISO/IEC 27701, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management — Requirements and guidelines.� This standard provides distinctive guidance for establishing, implementing, maintaining and continually improving a privacy information management system for controllers and processors of personal data.
It was developed as a response to the growing need for a global data privacy framework with the goal to support compliance with global privacy standards. Before its publication in August 2019, it was developed under the name of ISO/IEC 27552 but was renamed to document its close relation to 27001 and 27002.
ISO/IEC 27701 is meant as an extension to some of the most popular standards in ISO history: ISO/IEC 27001 and ISO/IEC 27002. Belonging to the vast ISO/IEC 27000 family, those two fundamental standards are the basis for establishing an information security management system. They will, by the way, be updated during 2022.
To get a PIMS certified based on ISO/IEC 27701, the preceding or parallel implementation of an effective information security management system according to ISO/IEC 27001 and ISO/IEC 27002 can be useful. In other words, an existing framework for information security management can be complemented by a privacy framework for managing personal data. This leads to an integration and alignment of security and privacy controls.
“ISO/IEC 27701 helps organizations establish their PIMS based on global best practices with focus on measurement, monitoring and continuous improvement, while using risk-based approach which in the privacy world is vital, given constantly changing privacy threat landscape triggered by unprecedented innovation in digital technologies,” said Srinivas Poosarla, CIPP/A, CIPP/E, CIPP/US, CIPM, CIPT, FIP, Global CPO of Infosys, who was not only a co-editor of the standard but also helped Infosys become one of the first organizations in the world to accomplish accredited ISO/IEC 27701 certification. He added, “the mandatory periodic audits are a key differentiator for ISO/IEC 27701 when compared with other models and frameworks, since it helps organizations sustain the focus, rather than treating privacy compliance as a one-time initiative.”
Although the standard is jurisdiction agnostic, it may help organizations meet regulatory requirements across jurisdictions. In their ISO/IEC 27701 audits, organizations may need to declare applicable laws and regulations. In this context, the privacy controls of the standard can be mapped to the legal requirements of specific laws and regulations, and the proper operational controls implemented.
The open-sourced Data Protection Mapping Project aims to help with understanding the relationship between ISO/IEC 27701 and various data protection regulations. Its mappings reconcile the universal data protection controls outlined by ISO/IEC 27701 with global laws and regulations. For example, such a mapping shows that clause 7.5.1 of ISO/IEC 27701 (identifying the basis for PII transfer between jurisdictions) relates to GDPR Article 15.2 or 1798.110 b of the California Consumer Privacy Act.
Guidelines for PIAs according to ISO/IEC 29134:2017
In June 2017, ISO issued ISO/IEC 29134:2017 as an international standard on PIAs. The structure this standard proposes for PIAs is similar to that of one of its predecessors, ISO 22307:2008, which pioneered PIAs in the financial sector.
According to the standard, it is crucial that the assessment begins in the planning stage of the information system life cycle to ensure privacy by design. Before performing a PIA, a preliminary analysis is done to determine whether a PIA is necessary. If it is, the PIA accompanies the product development until deployment and beyond. It requires six elements: a plan, an assessment, a report, competent expertise, a degree of independence, and public aspects and their use in the decision-making process. The heart of the process is the definition of privacy requirements in the scope of the PIA, the risk assessment and the risk response plan, with the goal of reducing or avoiding risks.
ISO/IEC 29134:2017 is a blueprint with highly practical relevance. Since data protection impact assessments are required by the GDPR for data processing likely to result in a high risk to individuals, and U.S. agencies have been required to perform PIAs since 2002, performing a necessary PIA is becoming general best practice. Conducting a PIA early on can save costs in comparison to only implementing privacy and security measures later in the process or not at all. Also, PIAs can be used to create trust between stakeholders, since viewpoints from different teams will be taken into consideration without bias.
Recent developments in ISO and ISO/IEC privacy standards
The scale and complexity of the work done by ISO and IEC on privacy has increased tremendously over the last 10 to 15 years. The publicly available “Roadmaps” of ISO/IEC JTC 1/SC 27/WG 5 — the detailed picture of all existing standards, projects, work items and activities, as well as possible fields of future work of WG 5 — show the growing number of standards over time, mirroring the general expansion of privacy law and technological advances relevant for the field.
The most recently established and ongoing projects are yet again promising in solving outstanding challenges. Related to ISO/IEC TR 27550:2019 on privacy engineering (mentioned above), WG 5 is currently working on ISO/IEC 27561, a privacy operationalization model and method for engineering, known as POMME. This technical specification, initiated in May 2021, is intended for engineers and other practitioners developing systems that control or process personal information. It aims at setting a standard for operationalizing privacy principles into sets of controls and functional capabilities.
But it is not just the work of WG 5 that should be watched closely. Other working groups in ISO/IEC JTC 1/SC 27 are also very active. WG 2, Cryptography and Security Mechanisms, is working on a variety of standards in the field of privacy-enhancing technologies, including secure multiparty computation and homomorphic encryption. The standardization of new privacy-protecting technologies is an important factor in establishing them as state of the art that products or services must take into account.
Standards will keep evolving as the world continues to change, and technological advances as well as privacy regulations are in constant flux. Picking the right standard that works for your organization is critical. To support you in this mission, this article pointed out the variety of privacy standards provided by ISO and IEC, as a follow-up to exploring the NIST Privacy Framework. The third part in the series will cover relevant standards by further organizations such as W3C and IEEE.