No. A privacy framework describes a set of standards or concepts around which a company bases its privacy program. Typically, a privacy framework does not attempt to include all privacy-related requirements imposed by law or account for the privacy requirements of any particular legal system or regime. As a result, a company can utilize a
International Organization for Standardization (ISO)
Thinking beyond the law: Does the ISO 27701 privacy framework use the same principles that are found within the ISO 29011 framework?
The ISO 29100 privacy framework sets forth the following eleven core principles:
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention and disclosure limitation
- Accuracy and quality
- Openness, transparency, and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance
The ISO 27701 privacy framework is not explicitly organized using the…
Thinking beyond the law: If our organization adopts the ISO 27701 privacy framework, how many controls do we need to address?
While theoretically an organization could adopt ISO 27701 as a separate standalone framework to apply to an organization’s privacy program, the framework was conceptualized as an extension of the ISO data security standards. As a result, it is organized based upon the assumption that an organization already has a security program that is built off…
Thinking beyond the law: What is the ISO 27701 privacy framework?
In 2019, the International Organization for Standardization joint technical committee ISO/IEC JTC1, Information technology subcommittee SC27, developed a privacy framework that was intended to build off of the existing ISO data security standards – i.e., ISO/IEC 27001:2013 (Information security management systems) and ISO/IEC 27002:2013 (Code of practice for information security controls) – by integrating into…
Does ISO 27701 adopt different terminology than ISO 29100?
No. ISO 27701 utilizes the same terms, definitions, and abbreviations as ISO 29100.
Does the ISO 27701 privacy framework tell companies how to score themselves?
Unlike other privacy frameworks that recommend that companies be scored or self-score using a maturity model (e.g., a score from one to four), the ISO 27701 privacy framework (much like its predecessor ISO 29100) does not identify a specific methodology for assessing compliance or maturity.
Does the ISO 27701 privacy framework use the same principles that are found within the ISO 29011 framework?
The ISO 29100 privacy framework sets forth the following 11 core principles:
- Consent and choice
- Purpose legitimacy and specification
- Collection limitation
- Data minimization
- Use, retention, and disclosure limitation
- Accuracy and quality
- Openness, transparency, and notice
- Individual participation and access
- Accountability
- Information security
- Privacy compliance
The ISO 27701 privacy framework is not explicitly organized using the…
How is the ISO 27701 privacy framework organized?
While theoretically an organization could adopt ISO 27701 as a separate standalone framework to apply to the organization’s privacy program, the framework was conceptualized as an extension of the ISO data security standards – i.e., a company would ideally be certified in both data security and data privacy. As a result, it is organized based…
What is the ISO 27701 privacy framework?
The International Organization for Standardization, better known simply as ISO, is an international standard on how organizations should manage information security. Organizations can obtain a certification from an accredited assessor that they are compliant with ISO security standards.
In 2019, ISO developed a privacy framework that was intended to build off of the existing ISO…
Do companies have to create an internal privacy policy (not a privacy notice) under the ISO 29100 privacy framework?
One of the provisions in the ISO 29100 privacy framework is that the top management of an organization should “establish a privacy policy” that, among other things:
- Provides an internal organizational framework for setting objectives,
- Includes a commitment to satisfy applicable privacy safeguarding requirements,
- Includes a commitment to continual improvement.
The privacy policy envisioned under…