ISO 27701: How to ensure privacy and boost business trust

Published on: 03/10/2024

What is ISO 27701?

The protection of personal data is an increasingly common concern in people's daily lives. After all, more and more of everyday life is becoming digital, generating a continuous stream of information about our habits, preferences, and tendencies. In this scenario, offering a digital service with a high degree of trust and adequate privacy controls is a relevant market differentiator.

One way to attest to this degree of maturity in a privacy program is ISO 27701 certification.

ISO (International Organization for Standardization) is an entity that defines standards with common requirements and processes aimed at continuously improving the quality and security of a wide range of products and services. ISO is therefore a global reference: it facilitates transnational exchanges, demonstrates the commitment of certified organizations to the quality of their services, and allows processes to be optimized and security to be increased.

ISO 27701, published in 2019 as an extension¹ of ISO 27001 (Information Security Management System), is a privacy extension that offers a framework, that is, a set of specific requirements and controls, for organizations to manage privacy, with the capacity to identify, manage, and protect personal data. As a consequence, an organization certified to ISO 27701 has a management structure capable of meeting the legal requirements of the General Personal Data Protection Law (Law No. 13,709, "LGPD") in Brazil and of the GDPR (General Data Protection Regulation) in the European Union. Note that certification attests to the management system, not to legal compliance itself: the organization still has to map each legal obligation onto the controls it implements.

What are the key requirements and controls of ISO 27701?

ISO management system standards share the same high-level structure, divided between requirements and controls. The requirements state the obligations, and the controls state the measures and practices through which the requirements are fulfilled. Complying with both the requirements and the controls applicable to the organization (even if adapted to its context) is mandatory to achieve certification, since the two are complementary. A control may be excluded only with a documented justification, recorded in the organization's statement of applicability.

As an extension, the requirements of ISO 27701 replicate several of the requirements of ISO 27001, adapting them to the protection of personal data. For example, the organization must publish and maintain a privacy management program that complies with applicable laws (such as the LGPD, in the Brazilian context) and that identifies (i) the parties interested in the program (such as data subjects); (ii) its objectives; (iii) the related policies; (iv) the responsibilities of the people involved, such as the person in charge of personal data processing; (v) continuous improvement, among other topics.

The controls, set out in the annexes to the Standard (Annex A for controllers and Annex B for processors), are separated according to the organization's role as a processing agent. That is, there are controls for personal data controllers and controls for operators².

Both control groups address the following topics:

  • Conditions for the collection and processing of personal data: identification of the purpose and legal basis for the processing; rules for obtaining and recording consent; assessment of the privacy impact of the activities; third parties involved in the activities, among others;
  • Obligations towards data subjects: an established process to receive, screen, and fulfill requests from individuals regarding their data;
  • Privacy by Design and Privacy by Default: processes that limit personal data processing to the minimum necessary to achieve its purpose, including deleting personal data at the end of the processing activity;
  • Sharing, transfer, and disclosure of personal data: rules for the relationship with other data controllers, operators, and/or sub-processors, and for the cases where personal data must be sent to other countries.

How to get certified?

Certification to ISO 27701 involves a structured process and requires a commitment from the organization to be certified. While the steps may vary depending on the business, the centrality of personal data, and the size and complexity of the organization's activities, the path to certification generally follows the same phases.

The first step is awareness: ensuring that all employees and senior leadership know the value of data protection for the organization and the benefits brought by certification. It is therefore important to have a plan for training actions (such as enabling employees to report an incident or to request the exercise of their rights as data subjects); to circulate short bulletins on the subject; and, fundamentally, to have the privacy area present to raise employees' awareness.

The next step is also one of the basic controls of the Standard: identifying the organization's operational activities that process personal data. This identification, commonly known as data mapping (or a record of processing activities), records the purpose, legal basis, types of data used, categories of affected data subjects, the third parties involved, and the areas or sectors responsible for each group of activities.

Based on this mapping, an analysis must be performed to identify gaps between the company's practices and the requirements of ISO 27701 and other applicable laws (such as the LGPD, in the Brazilian context). This analysis provides a diagnosis that points out opportunities for improvement and the areas that need adjustment for risk mitigation and compliance with the Standard.
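As an added illustration of how the mapping feeds the gap analysis (this is example code written for this page, not Clicksign's tooling or anything defined by ISO 27701), the script below takes a constructed data-mapping export, one record per processing activity, and flags the gaps a reviewer would look for against the control topics listed above: a missing purpose or legal basis, consent used as the basis without a consent record, sensitive data without an impact assessment, no retention or deletion rule, and an international transfer with no documented safeguard. The field names, the set of legal-basis labels, and the three sample activities are assumptions made for the example.

```python
# Added example: gap check over a data-mapping (record of processing activities)
# export. Not Clicksign's code and not part of ISO 27701; field names, legal-basis
# labels and the sample activities below are assumptions for illustration only.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Illustrative subset of legal bases (cf. LGPD Art. 7 / GDPR Art. 6); assumed labels.
LEGAL_BASES = {"consent", "contract", "legal_obligation", "legitimate_interest"}


@dataclass
class Activity:
    """One row of the data mapping: what is processed, why, by whom, and for how long."""
    name: str
    purpose: str = ""
    legal_basis: str = ""
    data_categories: List[str] = field(default_factory=list)
    data_subjects: List[str] = field(default_factory=list)   # affected categories of people
    third_parties: List[str] = field(default_factory=list)   # operators / sub-processors
    owner: str = ""                          # area or sector responsible
    retention: Optional[str] = None          # deletion rule at the end of processing
    consent_recorded: bool = False           # consent obtained and logged
    sensitive_data: bool = False             # e.g. health or biometric data
    impact_assessed: bool = False            # privacy impact assessment performed
    cross_border: bool = False               # data sent to another country
    transfer_safeguard: Optional[str] = None # e.g. contractual clauses for the transfer


def find_gaps(a: Activity) -> List[str]:
    """Return the gaps found for one activity, grouped by the Standard's control topics."""
    gaps: List[str] = []
    # Conditions for collection and processing
    if not a.purpose.strip():
        gaps.append("purpose not documented")
    if a.legal_basis not in LEGAL_BASES:
        gaps.append(f"legal basis missing or unrecognised: {a.legal_basis!r}")
    if a.legal_basis == "consent" and not a.consent_recorded:
        gaps.append("consent is the legal basis but no consent record exists")
    if a.sensitive_data and not a.impact_assessed:
        gaps.append("sensitive data processed without impact assessment")
    if not a.data_subjects:
        gaps.append("affected data subjects not identified")
    if not a.owner:
        gaps.append("no responsible area assigned")
    # Privacy by design / by default: data must have an end of life
    if not a.retention:
        gaps.append("no retention or deletion rule defined")
    # Sharing, transfer and disclosure
    if a.cross_border and not a.transfer_safeguard:
        gaps.append("international transfer without a documented safeguard")
    return gaps


def gap_report(activities: List[Activity]) -> Dict[str, List[str]]:
    """Map each activity name to its gaps; activities with no gaps are omitted."""
    report: Dict[str, List[str]] = {}
    for a in activities:
        found = find_gaps(a)
        if found:
            report[a.name] = found
    return report


# Constructed sample mapping: one clean activity and two with gaps (not real data).
SAMPLE = [
    Activity(name="customer-onboarding", purpose="open an account", legal_basis="contract",
             data_categories=["name", "email", "CPF"], data_subjects=["customers"],
             owner="Customer Success", retention="deleted 5 years after account closure"),
    Activity(name="marketing-newsletter", purpose="send product news", legal_basis="consent",
             data_categories=["email"], data_subjects=["leads"], owner="Marketing",
             consent_recorded=False, retention=None),
    Activity(name="support-chat-analytics", purpose="", legal_basis="",
             data_categories=["chat transcripts"], data_subjects=[], owner="",
             cross_border=True, transfer_safeguard=None),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

The output of `gap_report` is the raw material for the action plan discussed below: each entry names an activity, its responsible area, and the specific control that is missing, which is exactly what an internal auditor will later ask to see closed.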

When implementing the improvements, it is worth relying on the privacy management policy mentioned above. This policy acts as the guide for the protection of personal data, setting out how data should be processed, how data subjects' rights are fulfilled, which security measures should be adopted, and what the procedures for reporting incidents are.

The gaps identified in the analysis determine the controls to be implemented to meet the requirements of ISO 27701. These controls may include access management, data encryption, regular backups, security testing, incident management, and others. It is advisable to implement them following a recorded action plan, since keeping documentation of the activities carried out is how the organization demonstrates accountability for data protection.

After the measures that bring the organization's practices into line with the Standard have been implemented, an internal audit must be conducted before the certification body's audit. This internal audit is a second gap analysis: it verifies that the management system complies with the Standard and surfaces further opportunities for improvement. If the organization does not have an area or sector dedicated to internal audits, it can hire an independent auditor. This stage is a mandatory requirement for certification.

Once the controls have been applied, the internal audit carried out, and a new action plan established and executed, the organization can seek certification from an independent, accredited certification body. This body conducts an external audit, usually in two stages (a documentation review followed by an on-site assessment of the implemented controls), to confirm that the privacy management system complies with the requirements of ISO 27701. Certification is then maintained through periodic surveillance audits and a recertification audit at the end of the certification cycle.

Clicksign is the only Brazilian company in the electronic signature market to be certified by ISO 27701

Trust is one of Clicksign's values, a pioneering company in the electronic signature market in Brazil. Respecting and investing in the privacy and protection of our users' personal data is a priority, and that priority led to the ISO 27701 certification journey.

Through a rigorous analysis of internal processes and the implementation of all the controls required by the Standard and the LGPD, Clicksign mapped its personal data processing activities and evaluated and addressed the privacy risks involved in the business.

The certification process also brought a gain in organizational culture: in addition to the periodic training that Clicksigners receive, several awareness-raising activities are carried out.

The certification demonstrates the company's commitment to the privacy of our users, and it has improved internal controls, reducing the risks of its activities and ensuring a high level of trust.

Conclusion

Pursuing certification requires the joint work of several areas of the company, but obtaining ISO 27701 certification is an investment, especially for technology companies that value security, data protection, and the trust of their users.

After all, certification demonstrates the organization's commitment to user privacy, since it imposes a management structure with risk analysis, senior leadership involvement, periodic training, and continuous improvement.

—————————————————————

¹ In the context of ISO Standards, an extension consists of specifications or adaptations of a standard's rules for a specific context. In this case, ISO 27701, for privacy, is connected to ISO 27001, for information security.

² This article uses the legal concepts of the LGPD rather than the Standard's own terms (PII controller and PII processor), which correspond to these roles. Under the legislation, the controller is the one who determines the purposes and means of the processing of personal data, while the operator carries out the processing of personal data on behalf of the controller.