In August 2019, ISO published ISO/IEC 27701 for privacy information management as an extension to ISO/IEC 27001 and ISO/IEC 27002. This can be read as ISO's attempt to bring information security management system (ISMS) and privacy information management system (PIMS) requirements under one umbrella.
Much the same trend is visible on the NIST side, starting with NIST SP 800-53 revision 4 and continuing in the current revision 5 (draft). Both describe security and privacy controls for information systems and organizations, unlike revision 3, which covered security controls only.
At the same time, GDPR is undoubtedly one of the most influential privacy regulations in force. A logical question, then, is whether implementing ISO/IEC 27701 or NIST SP 800-53 would also ensure compliance with GDPR; in other words, are these three frameworks actually consistent with each other?
In this post, I am going to show that despite some obvious overlaps and correlations between these three 'sets' of privacy requirements, there are still underlying contrasts that prevent a simple 'yes' to that question. Here are just four of them:
1. Personally Identifiable Information (PII) vs. Personal data
While the main purpose of both the NIST and ISO contexts is to protect Personally Identifiable Information (PII), it is 'personal data' that is the focus of GDPR.
As the definitions suggest, personal data covers a broader range of information than PII. In the NIST and ISO definitions, information that can neither identify nor be linked to an individual is not PII. Under GDPR, information qualifies as personal data as soon as it 'relates' to an identified or identifiable person, and Recital 30 expressly names online identifiers such as device IDs and IP addresses as examples.
2. Sensitive PII vs. Special categories of personal data
There is also a meaningful contrast between the data that GDPR treats as 'sensitive' and the data the NIST and ISO contexts treat that way.
GDPR enumerates a closed list of 'special categories of personal data' in Article 9 (for example racial or ethnic origin, political opinions, religious beliefs, genetic, biometric and health data). In the ISO and NIST contexts, by contrast, sensitivity is assessed in context, so other types of information may be considered sensitive, e.g. a date of birth, which GDPR does not list as a special category.
3. Privacy Impact Assessment(PIA) vs. Data Protection Impact Assessment(DPIA)
While all three call for a privacy impact assessment (a DPIA in GDPR terms), the circumstances under which the assessment is required differ when it comes to NIST.
GDPR and ISO define almost the same triggering circumstances, focusing on whether the processing of personal data/PII is large scale and/or systematic (GDPR Article 35 frames this as processing 'likely to result in a high risk'). In contrast, in the NIST context a PIA is required when PII in identifiable form (e.g. name and SSN) is to be processed either in a new way or by a new IT system, regardless of scale.
4. Privacy risk assessment vs. –
In both the NIST and ISO contexts there is a concept of 'privacy risk assessment', which is distinct from a privacy impact assessment (PIA). In contrast to a PIA, which is carried out only in specific 'high risk' circumstances, privacy risk assessments are carried out alongside security risk assessments in a periodic, systematic cycle to evaluate all privacy issues pertaining to the processing of PII, regardless of risk level.
To the best of my knowledge, this concept has not been explicitly addressed in GDPR. However, there are several places in GDPR where the term 'risk' might be implicitly referring to the same concept.