Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Upcoming SlideShare
What to Upload to SlideShare
What to Upload to SlideShare
Loading in …3
1 of 46

ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?



Download to read offline

Due to an increase in the collection of consumer data, high-profile data breaches have become common.

Currently, there are 128 countries all over the world that have already put in place regulations to secure the protection of data and privacy.

The webinar covers:
 Data protection, a global development
 Introduction to the GDPR, ePrivacy & ISO/IEC 27701
 GDPR & ISO/IEC 27701mapping
 ePrivacy & ISO/IEC 27701 mapping

Recorded Webinar:

Find out more about ISO training and certification services




For more information about PECB:

More Related Content

You Might Also Like

ISO/IEC 27701, GDPR, and ePrivacy: How Do They Map?

  1. 1. Agenda GDPR, ePrivacy & ISO/IEC27701: How do they map?  Data protection, a global development  Your speakers  Introduction to the GDPR, ePrivacy & ISO/IEC27701  GDPR & ISO/IEC27701mapping  ePrivacy & ISO/IEC27701 mapping  Q&A Session
  3. 3. , Zen GRC, ISO Manager, ISO–Metrics, Lok path, Certifications: - Information Security Management System (ISO 27001:2013) - Cloud Security Alliance (CSA STAR) - Privacy Information Management System (ISO 27701:2019) - Certified Data Protection Officer (GDPR) - PII on Cloud (ISO 27018) - Technical Reviewer of IT certifications for DQS - Information Technology Management System (ISO 20000-1:2018) - Certified Project Management Professional (PMP) - Quality Management System (ISO 9001:2015) - ITIL Certified from EXIN - CMMC Registered Practitioner - NIST Certified by BSI - Governance, Risk & Compliance (GRC) Professional - Experienced in reviewing multiple GRC tools like: Archer, ServiceNow, Zen GRC, ISO Manager, ISO–Metrics, Lok path, MYRA - Implemented GRC solutions for several clients - Implemented Risk Management using NIST 800 Framework - Performed GDPR/ CCPA Assessment Lead Auditor of ISO 27001, ISO 20000-1, CSA STAR, ISO 27018 & ISO 27701:2019 Standards - Certified Instructor of ISO 27001, ISO 20000-1, CDPO (GDPR) & ISO 27701:2019 Standards - Performed around 800 Governance, Risk & Compliance audit for Fortune 100 Companies including Microsoft, Accenture, Oracle, SAP, Capgemini - Provided consulting services to Implement Information Security Management Systems - Performed Data Privacy Impact Assessment (DPIA) and created Data Model / Process Model to identify the impacted PII. A PECB Partner Company +001-469-258-8565 Offerings: PECB Accredited Certification: ISO 9K/ 20K/ 27K, ISO 27701 PECB Accredited Training: ISO 9K/ 20K/ 27K , CDPO Consulting: ISO Certification Preparation Incl. ISO 27701, ISO 27018 Other Information Security Framework GDPR/CCPA/GLBA/ SSPA Assessment CSA Solution Provider NIST/ FedRAMP SOC 1/2/3 (SSAE 18) PCI DSS CMMC SEI/ CMM Assessment PenTest, NOC/SOC PM Game Data Privacy Tool Neelov Kar
  4. 4. David Parish MSc CMI dip Expertise and skills:  Data Privacy and Data Security ,  Harm reduction Enterprise Risk Management ISO 31000 advocate,  Governance, Risk, Compliance,  ISO ITIL Cyber Essentials  Legal Regulatory strategy development and delivery, Expérience :  30 + International National Senior UK Détective , Organised Crime Money Laundering Intelligence  10 Years Private secutor specialising in Threat Risk and Harm reduction ,Insurance Health and Legal services.,  Top 50 UK Law firm GDPR AML ISO 270001 and BCP implementation and strategfy  NHS childrens hospital Covid security and privacy Information Governance recovery stratefies.  National Insurance Implementation counter fraud and intelligence capability  Support and DPO as a service Voluntary secutor Charities.  Director and Associate expert for bespoke Confidentiel solutions privacy and security.,  Subject Matter Expert at European Police College CEPOL, Organised Crime and Strategic Intelligence  Technical specialist  Speaker: Various forums on line or in person. Degrees & Certifications :  MSc(s), Security and risk management  CMI Management and Leadership  ISO/IEC 22001 /27701 Lead Implementer and auditor,  ISO 22301 Business Continuity Implementation  Maestricht University Data Protection Officer (DPO),  IBITQ GDPR Practitioner and Implementer.  Money Laundering / Serious and Organised Crime Multiple Qualifications.  Specialist Intelligence expert and Criminal Intelligence Analyst ( IALEIA)  PMP, PRINCE2,Six Sigma Lean thinking. Practical realistic
  5. 5. Vincent Bureau Data Protection Officer as a Service Expertise and skills  Personal data & privacy protection,  Information security & cybersecurity,  Governance, Risk, Compliance,  Laws & Treaties, North America, European Union, Caribbean, Africa, Experience  15+ Risk, Regulatory & Compliance. 25+ IT & telecom,  Europe, Canada, Africa, USA,  Expert for NRC, National Research Council Canada, Expert for IN-SEC-M, cybersecurity cluster,  Trainer: ÉTS Montreal, Réseau Action TI Québec,  Speaker: PMI, ISACA, PECB, Printemps numérique de Montréal, Semaine numérique Nantes France,  Software & telecom, public and government services, media and entertainment, education, manufacturing, banking and insurance, retail, travel and hospitality, Degrees & Certifications  MSc(s), Public Law, Risk & Project Management, Telecommunications, Marketing,  ISO/IEC 27701 Lead Implementer,  CIPP/E - Certified Information Privacy Professional Europe - IAPP,  CDPSE - Certified Data Privacy Solutions Engineer - ISACA,  OneTrust Certified Privacy Professional,  PMP, PRINCE2, MoP, Managing Benefits.
  6. 6. General Data Protection Regulation GDPR
  7. 7. ePRIVACY
  8. 8. ISO/IEC 27001 ISO/IEC 27002 ISO/IEC 27701
  11. 11. GDPR and ISO 27701 Overlap
  12. 12. ISO 27701 Mapping to GDPR
  13. 13. ISO 27701 Mapping to GDPR – Major Areas Data Protection Officer • ISO 27701: Cl. 6.3 • Appoint person responsible for developing, maintaining and monitoring privacy program. Responsibilities: be independent reporting directly to management be involved in the management of all issues be expert in data protection legislations act as contact point for supervisory authorities inform top management obligations w.r.t. the processing of PII provide advice in respect of privacy impact assessment GDPR Article 37 -39 A data protection officer must be formally identified monitoring large-scale processing of sensitive personal information. to inform and advise the controller or the processor and the employees who carry out processing of their obligations to monitor compliance with this Regulation in relation to the protection of personal data, including awareness-raising to provide advice where requested as regards the data protection impact assessment to cooperate with the supervisory authority; to act as the contact point for the supervisory authority
  14. 14. ISO 27701 Mapping to GDPR – Major Areas Privacy Impact Assessment • ISO 27701: Cl. 7.2.5 Privacy Impact Assessment (PIA) The organization should asses the need for and implement where appropriate, a privacy impact assessment whenever new processing of PII or changes to existing processing of PII is planed. • This includes: Types of PII Processed, where PII is stored, and where it can be transferred • DFD and Data Map can be helpful GDPR Article 35: Data Protection Impact Assessment (DPIA) Where The Company implements new technologies which will or could result in a high risk to the rights and freedoms of individuals, the Company has to carry out a PIA. This will contain: Systematic description of processing Risk assessment Controller shall carry out a review
  15. 15. ISO 27701 Mapping to GDPR – Major Areas Privacy by Design & Default • ISO 27701: Cl. & 7.4 • Cl Secure Development Policy PII Protection/ privacy principles (ISO 29100)/ PII Protection Checkpoint / By default minimize processing of PII • Cl. 7.4: Privacy by Design/ Default Limit collection (disabling option by default) Limit Processing (Disable disclosure, storage and access) Accuracy and quality PII Minimization De-identification/ deletion after processing Temp Files/ Retention/ Disposal/ transmission GDPR Article 25 At the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation and data minimisation The controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility FYI: Executive Order 14028 of US President, May 17 2021 - Zero Trust Architecture
  16. 16. ISO 27701 Mapping to GDPR – Major Areas Breach Notification • ISO 27701: Cl. Record should be maintained for regulatory and forensic purpose: - Description, time period, consequences, Reporter, to whom reported, steps taken to resolve, loss/ disclosure or alteration of PII - In some jurisdiction, applicable legislation and/or regulations - notify appropriate regulatory authorities GDPR Article 33 & 34 Does the company have procedures in place to enable it to report a breach to the regulator within 72 hours of becoming aware of it? The breach must be investigated and details provided to the regulator about the nature of the breach, likely consequences and mitigations being taken to address it. This investigation may require assistance from processors, so operational processes should factor this in. Controller shall provide: - Responsibilities of Controller and Processor - Contact details of DPO - DPIA
  17. 17. ISO 27701 Mapping to GDPR – Major Areas Lawful Basis • ISO 27701: Cl. 7.2.2 • The organization should determine, document and comply with the relevant lawful basis for the processing of PII for the identified purpose. Legal basis: Consent from PII Principals Performance of a contract Compliance with legal obligation Protection of vital interest of PII Principals Public interest Legitimate interest of the PII controller GDPR Article 6 Data subject has given consent Performance of a contract Processing required for legal obligation Processing required to protect the vital interest of Data Subject Processing required for public interest Processing required for legitimate interest of controller
  18. 18. ISO 27701 Mapping to GDPR – Major Areas International Transfer • ISO 27701: Cl. 7.5.2 PII Transfer The organization should specify and document the countries and international organizations to which PII can be possibly transferred GDPR Chapter V, Article 44- 48 (a) A country which ensures adequacy level of protection (b) Transfers subject to appropriate safeguards (c) If it is within the Company group, are Binding Corporate Rules in place? (d) Standard contractual clauses as approved by the European Commission Other possibilities: (a) With the consent of the data subject. (b) The transfer is necessary to carry out a contract with the data subject (c) The transfer is in the public interest (d) The transfer is necessary to establish, exercise or defend legal rights (e) The transfer is necessary to protect the vital interests of a person where the data subject is physically or legally incapable of giving consent. COMMISSION IMPLEMENTING DECISION (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council
  19. 19. ISO 27701 Mapping to GDPR – Major Areas Policies & Procedures • ISO 27701: Secure Development Policy (Privacy by Design/ Privacy by Default) Secure System Engineering Principles (Privacy by Design/ Privacy by Default) Data Retention Policy (PII) PII Compliance Policy Guidelines for PII Sharing, transfer and disclosure DPIA Procedure Consent Procedure Security Incident Response Procedure (PII breach) GDPR General Data Protection Policy Data Subject Access Rights Procedure Data Retention Policy Data Breach Escalation and Checklist Employee Privacy Policy and Notice Processing customer data policy Guidance on privacy notices
  20. 20. Personal Experience
  21. 21. Some Interesting Concept Anonymization vs Pseudonymization Data Controller vs Data Processor Data Subject Access Request (DSAR) “Don’t Sell My Information” on the website – Requirement of CCPA Backup Policy for PII Erasing Temp Files Shall not re-issue deactivated or expired user IDs Supervisory Authority of Member Countries ISO 27701/GDPR
  22. 22. What is the relationship between Privacy and Electronic Communications Regulations (PECR) and the GDPR?
  23. 23. • PECR sits alongside Data privacy legislation including the GDPR, and provides specific rules in relation to privacy and electronic communications. • Direct Marketing is invariably and consistently where companies fail to take a joined up approach in recognising that :- • Privacy Legislation and Marketing should COMPLEMENT rather than COMPETE, • You may comply with PECR but fail to comply with privacy and vice versa. What is the relationship between Privacy and Electronic Communications Regulations (PECR) and the GDPR? INTERLINKED
  24. 24. • The key difference is that the GDPR relates to the processing of personal data, • PECR relate specifically to electronic marketing and has specific rules on: marketing calls, emails, texts and faxes. cookies. • PECR comes first but you MUST adhere to the GDPR and other global Privacy requirements when processing personal data . • The rules for B2B is different to B2C and this is where the majority of the conflict and enforcement activity by regulators occurs. What is the relationship between Privacy and Electronic Communications Regulations (PECR) and the GDPR? DIFFERENCE
  25. 25. Electronic Communications What are they ( Silence) • PECR do not define ‘electronic communications’. • The rules apply in different ways using specific concepts and definitions. • The marketing rules apply to specified types of marketing messages, and some other rules apply to service providers or communications providers. • The basic concept of an electronic communication underpins the regulations, Put simply, electronic communications mean any information sent between particular parties over a phone line or internet connection. This includes phone calls, faxes, text messages, video messages, emails and internet messaging. It does not include generally available information such as the content of web pages or broadcast programming.
  26. 26. • Key requirements in relation to marketing are: • Ensuring there is a law • Lawful basis for both direct marketing and using analytical cookies; Having an appropriate opt-out; • the Unsubscribe. • Having an appropriate privacy notice. • The preferences Similarities the GDPR and the PECR
  27. 27. Comply with this and you are usually OK but.
  28. 28. All processing of personal data must: • Be carried out according to specific principles (the “HOW”) • (Art. 5.1) • Be documented (Art. 5.2) • And • Have one or more lawful grounds (the “WHY”) • (Arts.6 & 9) … the foundations of the data protection regime Lawful Processing
  29. 29. To comply with Art 5 6 and 32 GDPR you Must have this.
  30. 30. Article 6 (1 ) (a) Consent V Article 6(1) (f) Legitimate Interest June 2021 UK Regulator We have fined Papa John’s (GB) Limited £10,000 for sending nuisance texts and emails to customers. Papa John’s relied on the ‘soft opt in’ exemption for marketing consent. However, we found that customers who had placed a telephone order were not provided with a privacy notice at point of contact nor given the option to opt out. The ‘soft opt in’ exemption allows organisations to send electronic marketing messages to customers whose details have been obtained for similar services. However, you: ✅ Must give customers a clear chance to opt out – both when you first collect their details, and in every message you send. ❌Must not use the soft opt in for prospective customers or new contacts (eg from bought-in lists). ❌Must not use the soft opt in for non-commercial promotions (eg charity fundraising or political campaigning). Consent 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 clarifies that, for PECR: "‘consent' by a user or subscriber corresponds to the data subject’s consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018)." Recital 32 of the GDPR also specifically bans pre- ticked boxes – silence or inactivity does not constitute consent. Why it happens?
  31. 31. The Silence of Regulation Consent What does ‘consent’ mean? PECR requires that users or subscribers consent to cookies being placed or used on their device. There is no definition of consent given in PECR or in the ePrivacy Directive; instead, the GDPR definition of consent applies. This is in Article 4(11) of the GDPR and states: "‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." PECR Regulation 8(2) of the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 clarifies that, for PECR: "‘consent' by a user or subscriber corresponds to the data subject’s consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018)." Recital 32 of the GDPR also specifically bans pre-ticked boxes – silence or inactivity does not constitute consent.
  32. 32. Silence Again • What does ‘clear and comprehensive information’ mean? • PECR does not define what ‘clear and comprehensive information’ means. However, Article 5(3) of the ePrivacy Directive says that clear and comprehensive information should be provided ‘in accordance with’ data protection law. • This relates to the GDPR’s transparency requirements and the right to be informed. It means that when you set cookies you must provide the same kind of information to users and subscribers as you would do when processing their personal data (and, in some cases, your use of cookies will involve the processing of personal data anyway).
  33. 33. 1. The Privacy and Electronic Communications Regulations (PECR) give people specific privacy rights in relation to electronic communications. There are specific rules on: 1. marketing calls, emails, texts and faxes; 2. cookies (and similar technologies); 3. keeping communications services secure; and 4. customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings. 4. The ‘soft opt -in’ exemption provided by Regulation 22(3) PECR means that organisations can send marketing messages by text and e-mail to individuals whose details have been obtained in the course or negotiation of a sale and in respect of similar products and services. The organisation must also give the person a simple opportunity to refuse or opt out of the marketing, both when first collecting the details and in every message after that. 5. The ICO has the power under PECR to impose a monetary penalty on a data controller of up to £500,000. The Areas the Regulators Look At
  34. 34. We Now Have Three Considerations PECR  For network and service providers, the GDPR does not apply where the PECR already provide rules. In practice, this means providers need comply only with the PECR’s requirements relating to: • Security and security breaches; • Traffic data; • Location data; • Itemised billing; and • Line identification services. NIS ( a brief mention ) While PECR says you don’t have to comply with some areas of privacy. You then have to consider Some service providers, such as Internet service providers, might, however, be obliged to comply with the NIS Regulations (Network and Information Systems Regulations 2018) as well, so should check their compliance obligations carefully.
  35. 35. Incorrect Reconfirmation the Confusion goes on and on In Practice If you are not sure you meet all conditions for the soft opt- in, obtain consent before sending any marketing communications consent is always better than the soft opt-in in terms of transparency and accountability. In either case, individuals must be able to easily opt out at any time, and must be informed of that right. You must also clearly state, that their data will be used for marketing purposes before you start sending any direct marketing. Key compliance points Marketing for commercial purposes? Market by email and/or text only? Existing commercial relationship? (the person has purchased, or is in the process of purchasing, a product/service) Soft opt-in Consent The mistakes and COVID “CRM integrations with leading providers, we empower firms to leverage data to create personalised experiences. It also ensures that all data maps back to the CRM in real- time, keeping valuable source data fresh and accurate.” Cleansing or reaffirming consent. Bought in lists or scraped from Linkedin or other social media platforms. The COVID updates from companies Did you know these companies had your data in the first place ?????
  37. 37. The We Use Cookies Accept or select Preferences > What do you do? What are they • Generally there are two types of cookies 1. That makes the Web page you are visiting work . Technical Cookies. 2. The one that helps the marketing and all associated data privacy issues of concern. • It should be transparent and easily understood . Why does it matter • Smart phones are the must have item. • All the apps webpages on your phone are collecting cookies. • The cookies that are valuable are the ones you don’t know about . • The Non Technical or Analytical. • The preferences options are not in plain language and are technical. • The retention periods are often set by the software NOT the Business
  38. 38. An Example of the Requirement v the Reality ICO Guidance Website You must make users aware of the cookies being placed on their devices No description of what cookies are being placed. Your methods of providing this information, and the capability for users to refuse, are to be as user- friendly as possible. No mechanism to allow users to refuse.
  39. 39. • The information has to cover: • These requirements also apply to cookies set by any third parties whose technologies your online service incorporates – • This would include cookies, pixels and web beacons, JavaScript and any other means of storing or accessing information on the device including those from other services such as online advertising networks or social media platforms. ICO Guidance Website The cookies you intend to use. Brief description but no depth. The purposes for which you intend to use them. The description does cover this.
  40. 40. Pre GDPR Law firm web site • Currently have 9 session cookies that are applied to the homepage. • The cookies highlighted in Red are “non- technical” cookies. • The issue is, unless the cookie is an integral function that needs to be installed for the website to work, consent/transparency is required. • There are 14 stored cookies applied. • Those in red are “non-technical” cookies which require consent/affirmation • The other issue highlighted is that the cookie we apply to use our website “cookiepolicy” • RETENTION date set at 9,999 days (27 years).
  41. 41. Schrems and NOYB Privacy Advocates • Most sites 'do not comply' • To combat this, the group has created an automated system, which it says can find violations and auto-generate a complaint under GDPR. • It claims "most banners do not comply with the requirements of the GDPR". • Fines can be up to €20m (£17.5m) or 4% of a company's global revenue, whichever is higher. • Of the 500 pages in its first batch of complaints, 81% had no "reject" option on the first page, but rather hidden in a sub-page, it said. Another 73% used "deceptive colours and contrasts" to lead users into clicking "accept", and 90% provided no easy way to withdraw consent, it said. • Google fined £91m over ad-tracking cookies • Tech Tent: The end of ad tracking? • Noyb says it is first issuing draft complaints to 10,000 of the most-visited websites across Europe, along with instructions on how to change settings.
  42. 42. Website Evidence Collector The tool collects evidence of personal data processing, such as cookies, or requests to third parties. The collection parameters are configured ahead of the inspection and then collection is carried out automatically. The collected evidence, structured in a human- and machine-readable format (YAML and HTML), allows website controllers, data protection officers and end users to understand better which information is transferred and stored during a visit of a website, i.e. the consecutive loading of a number of web pages without giving consent or logging in. Website Checkers
  43. 43. Privacy v PECR How to check or assist there are some tools for web page compliance
  44. 44. My thoughts: Together Everyone Achieves More ( TEAM) In reducing The harm ESSENTIALS THE ISO PRINCIPLES • Leadership • Ownership • Understanding • Assisted implementation • Training • Information sharing • Keep It simple . • You cannot succeed by yourself.
  45. 45. THANK YOU ? David Parish Vincent Bureau Neelov Kar

Editor's Notes

  • Recital 91: The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients or clients by an individual physician, other health care professional or lawyer. In such cases, a data protection impact assessment should not be mandatory.
  • A group of undertakings, or a group of enterprises engaged in a joint economic activity, should be able to make use of approved binding corporate rules for its international transfers from the Union to organisations within the same group of undertakings, or group of enterprises engaged in a joint economic activity, provided that such corporate rules include all essential principles and enforceable rights to ensure appropriate safeguards for transfers or categories of transfers of personal data.
  • ×