Privacy has taken on new dimensions in a hyper-connected world.
New guidance from IEC, ISO and ITU – the world’s three leading international standards bodies – has just been published, providing a code of practice for the protection of personally identifiable information.
The increasing prevalence of high-profile data breaches has motivated countries worldwide to investigate potential reforms to policy and regulation. One of the best-known examples is the European Union’s General Data Protection Regulation, due to come into force in May 2018, with global implications.
The need to protect personal data is growing in urgency with the digital transformation of sectors such as healthcare and financial services. More and more organizations are processing personal data, and all of them are dealing with increasing amounts of this data.
ISO/IEC 29151 | ITU-T X.1058 provides a valuable point of reference to government and industry as they intensify their bid to guarantee the protection of personal data. It establishes the objectives of data-protection controls, specifies the controls required and provides guidelines for their implementation. It also shows how arrangements of these controls can meet the requirements identified by organizations’ risk and impact assessments relevant to the protection of personal data.
The standard builds on ISO/IEC 27002 (code of practice for information security controls), with additional guidelines specific to personal data protection. Examples include proposed governance structures for employees handling personal data, matched with calls for efficient collaboration with legal teams to interpret relevant laws and regulations.
In addition, an annex integral to ISO/IEC 29151 | ITU-T X.1058 provides an extended set of controls for personal data, including control objectives relevant to “consent and choice” and the related “participation of personal data principals”, i.e. the people with whom data can be identified. It looks at “purpose legitimacy” to provide guidance as to whether or not the retention of personal data is appropriate and encourages the pursuit of “collection limitation” and “data minimization”, as well as the “openness and transparency” of organizational policy with respect to personal data.
ISO/IEC 29151 | ITU-T X.1058 was developed in collaboration by ISO/IEC JTC 1/SC 27, the ISO/IEC standardization expert group for security techniques, and ITU-T Study Group 17, responsible for building confidence and security in the use of information and communication technologies.
ISO/IEC 29151 can be purchased from the ISO Store or from your national ISO or IEC member.