Based on online data, GDPR fines increased by 40% in 2020, compared to the previous years since the law came into force, and they are expected to increase even more in the upcoming years. In this light, organizations are facing challenges when it comes to compliance with the increased number of data privacy laws and regulations worldwide. The webinar covers • ISO/IEC 27701 standard and its requirements • GDPR requirements and principles mapped against ISO/IEC 27701 • An overview of CCPA requirements • Upcoming US privacy laws Find out more about ISO training and certification services Training: https://pecb.com/whitepaper/iso-27001-information-technology--security-techniques-information-security--management-systems---requirements https://pecb.com/en/education-and-certification-for-individuals/iso-iec-27701 Webinars: https://pecb.com/webinars Articles: https://pecb.com/article Whitepapers: https://pecb.com/whitepaper ------------------------------------------------------------------------------- For more information about PECB: Website: https://pecb.com/ LinkedIn: https://www.linkedin.com/company/pecb/ Facebook: https://www.facebook.com/PECBInternational/ Slideshare: http://www.slideshare.net/PECBCERTIFICATION YouTube video: https://youtu.be/QGqJsh4kedM Website link: https://pecb.com/

2. Agenda
1. Introduction to the speakers - Toks Oyegunle
& Samuel Plantie
2. Introduction to the standard - ISO/IEC 27701
3. A Privacy Management Maturity Map
4. The benefits of Implementing a PIMS
5. The Structure of ISO/IEC 27701
6. ISO/IEC 27701, the GDPR and US Regulations
– A few basics
7. High level GDPR provisions
8. GDPR, US laws and ISO 27701: similarities
and differences
9. Questions & Answers

3. • Privacy and Cybersecurity Management Specialist
• 27 years experience in IT, Project Management Privacy
and Cybersecurity in multiple industries
• Principal Consultant, Coach and NED
• Helped companies resolve many challenges, including
GDPR Compliance and ISO/IEC 27701 implementation,
audits and training
• Multiple Certifications across Privacy and Security
• Studied Computing (BSc); Business Systems Analysis
and Design (MSc); Harvard Business School Alumnus
Toks Oyegunle – An Introduction
www.linkedin.com/in/toksoyegunle

4. • Privacy Counsel at Outbrain
• Data Protection Expert and an IP/IT Lawyer
with over 6 years of experience
• Focus on consumer and competition law
issues in the digital market, AI, data ethics, the
articulation of blockchain technology with
data protection and digital advertising
• PhD in Law, CIPP/E, CIPM, and Fellow in
Privacy
Samuel Plantié – An Introduction
https://www.linkedin.com/in/splantie/

5. Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy
information management – Requirements and guidelines
• Specification for a Privacy Information Management System (PIMS)
• A globally recognised International Standard from the ISO
• Information Security Based: An extension to ISO/IEC 27001 (ISMS)
• Regulation agnostic - applicable to all global data protection regulations
• May be aligned with or certified against
• Can be independently audited
• Clients are increasingly asking for ISO/IEC certification as condition
precedent
Introduction to ISO/IEC 27701 - The Privacy
Management Standard

6. A Privacy Management Maturity Map

7. 1. Adopts a risk based approach to data protection management
2. Creates increased structure for data protection activities and management
3. Builds trust in the perceived ability to manage personal data for all
stakeholders
4. Supports compliance with the GDPR and all other privacy regulations
5. Facilitates continuous improvement to adapt to internal and external
changes
6. Embeds personal data management into the organisations culture
7. Provides increased independent assurance via Audits, Certification,
Reputation to all stakeholders
The Benefits of Implementing a PIMS

8. 1. Scope
2. Normative references
3. Terms and definitions
4. General
5. PIMS-specific requirements related to ISO/IEC 27001
6. PIMS-specific guidance related to ISO/IEC 27002
7. Additional ISO/IEC 27002 guidance for PII controllers
8. Additional ISO/IEC 27002 guidance for PII processors
The structure of ISO/IEC 27701

9. 1. Annex A: PIMS specific reference control objectives and controls (PII
Controllers)
2. Annex B: PIMS specific reference control objectives and controls (PII
Processors)
3. Annex C: Mapping to ISO/IEC 29100 (Guidance for defining a Privacy
Framework)
4. Annex D: Mapping to General Data Protection Regulation (GDPR)
5. Annex E: Mapping to ISO/IEC 27018 (PII Processors providing cloud services)
and ISO/IEC 29151 (Guidance and controls for PII controllers)
6. Annex F: How to apply ISO/IEC 27701 to ISO/IEC 27001 and ISO/IEC 27002
The Structure of ISO/IEC 27701

10. ISO 27701, the GDPR and
US regulations
Samuel Plantie

11. • General Data Protection Regulation (GDPR): a law effective since May 2018
on data protection and privacy containing requirements related to the
processing of personal data of individuals located in the EU (and the UK)
regardless of the location of the data controller
• California Consumer Privacy Act (CCPA): a law effective since January 2020
to enhance privacy rights and consumer protection for residents in California.
It will be supplemented by the Consumer Privacy Rights Act (CPRA) enforced
from July 2023
A Few Basics: The Different Laws

12. • Virginia Consumer Data Protection Act effective in January 2023
• Colorado Privacy Act effective July 2023
• Ohio bill: would require to have a NIST-compliant privacy program
A Few Basics: The Different Laws

13. • Although the GDPR provides for codes of conduct and certifications, no
general tool has been approved to this date (sector specific: cloud services,
cloud infrastructure service providers, or for DPOs)
• NIST Privacy Framework: a voluntary tool to help organisations identify,
assess and mitigate privacy risks for their privacy programme (not a
certification)
• ISO/IEC 27701: an extension to the ISO 27001 standard (information security
management system) to cover personal data processing (not a GDPR
certification)
A Few Basics: Certifications and Codes of Conduct

14. • Material and territorial scope, definitions and principles, purpose, legal basis,
consent, children’s data, special categories of data
• Data Subject Rights (information, access, rectification, erasure, restriction,
data portability, object, automated decision-making)
• Controller, joint controllers and processors obligations
High Level GDPR Provisions

15. • Records of processing activities, security measures (high level), personal data
breach notification, privacy by design and by default (DPIA), mandatory
designation of a DPO
• International transfers
• Regulatory provisions, enforcement, EDPB, one-stop shop
High Level GDPR Provisions

16. • GDPR and ISO 27701 overlap in many areas. Most controls required for ISO
27701 enter into accountability requirements under the GDPR
• Same with CCPA and CPRA, Virginia Consumer Data Protection Act and
Colorado Privacy Act: many obligations under these laws are captured by the
controls of ISO 27701
GDPR, US Laws and ISO 27701: Similarities

17. • Definitions of personal data and personally identifiable information: GDPR is
broader
• ISO 27701 is a list of controls: ticking the control does not mean it is
compliant (e.g., data retention too long, unlawful purpose), it only helps
demonstrate your accountability and a standard to audit against
• Threshold and scope in US laws: only in private sector and with a minimum
revenue or volume of data processed. Only applicable to consumers (CPRA
applicable to employees)
GDPR, US Laws, and ISO 27701: Differences

18. THANK YOU
?
toks@saplyceum.com Toks K. Oyegunle
splantie@outbrain.com Samuel Plantie