ISO/IEC 27701 is the first international standard that establishes the requirements and provides guidelines for the establishment, implementation, maintenance, and continuous improvement of a Privacy Information Management System (PIMS), in the form of an extension to the existing information security standards ISO/IEC 27001 and ISO/IEC 27002.
Issues related to the processing of citizens’ personal data and their free movement led to the creation of the General Data Protection Regulation (GDPR). GDPR requires the implementation of measures to protect sensitive data by organizations that process personal data in any way and sets the legal regulatory rules for the protection of personal data.
The privacy management standard compatible with GDPR and the Personal Data Protection Act of the Republic of Serbia is ISO 27701, which sets out the requirements for introducing and implementing the standard and also provides for certification. ISO 27701 certification is therefore carried out as an upgrade to, or through joint certification with, ISO 27001, the basic standard for information security management systems.
ISO 27701 certification is applicable to organizations of all types and sizes, including public and private companies, government organizations, and non-profit organizations, that control or process Personally Identifiable Information (PII). Organizations, and the way they manage personal data, fall into two types:
- Controllers: Organizations that only control data and have lesser responsibility, as they do not process personal data, but are obligated to store it securely and manage it in accordance with the provisions of the regulation, while ensuring that such information is treated as confidential.
- Processors: Organizations that collect and process data and have greater responsibilities regarding data management and manipulation because such data is often sensitive and valuable, requiring protection in all its stages.
The increasing misuse of personal data and the growing demand for its transfer or sale have led to concerns about privacy. The misuse of personal data for marketing purposes, as well as other criminal activities, is becoming more frequent. Therefore, the implementation of a Privacy Information Management System (PIMS) in accordance with the requirements and guidelines of ISO/IEC 27701 will enable organizations to assess, address, and mitigate risks related to the collection, maintenance, and processing of personal data using best practices worldwide.