Whatever business you’re in today, you’re in the data privacy business. This isn’t a problem that just affects chief data officers or IT security departments anymore. It’s a problem that spans across organizations affecting human resources, customer service representatives, and more generally anyone who comes into contact with personal data.
With the number of cyber-attacks against businesses on the rise, cybersecurity is a growing concern. The question then becomes: How can organizations manage people’s private information? New privacy regulations introduced by governments in recent years, such as the European Union General Data Protection Regulation (GDPR) or the California Consumer Privacy Act, require companies to respond. But with different countries developing different regulations for data privacy, how can global corporations such as Microsoft ensure seamless data protection?
The recently published ISO/IEC 27701, Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines, helps companies manage their privacy risks for personally identifiable information. It can also help companies comply with GDPR as well as other data protection regulations. Drafted under the joint stewardship of ISO and the International Electrotechnical Commission (IEC), it is the world’s very first global privacy standard. Here, Jason Matusow, General Manager of Microsoft’s Corporate Standards Group, gives us the low-down on this groundbreaking standard.
ISOfocus: ISO/IEC 27701 is the first privacy information management system standard, or PIMS for short. Can you tell us a bit about the standard? What makes it so groundbreaking?
Jason Matusow: The first thing about ISO/IEC 27701 is that it’s an easy and efficient way to address the issue of spreading consistent data processing practices across an organization. Although cybersecurity and privacy are interrelated, in many organizations they are still treated as different projects. The smart move with ISO/IEC 27701 – and my compliments to the experts who developed it – was to attach the standard to the cybersecurity world via the ISO/IEC 27000 series on information security management systems, to which thousands of companies are already audited each year. By layering PIMS on top of that structure, the cybersecurity community in an organization can work together with the privacy community to establish data processing practices that encompass both security and privacy considerations.
PIMS takes into account the need to think about data protection holistically. In GDPR, like many other privacy laws around the world, there’s a requirement for companies to have a data protection officer. One of the big challenges for these people is how to create effective documentation; in other words, how do you work across a whole organization to establish evidence that you’re handling the data processing of information correctly? The PIMS process allows you to build out more comprehensive operations for privacy and then to establish documentation and behaviours that are represented externally.
There’s a prevailing dynamic in data privacy which is that everyone is very focused on the regulators. But the underpinnings of business are the business-to-business relationships – contracts. Microsoft has thousands of companies in its supply chain, and we are in the supply chain of thousands of other companies, so the representation of good data processing behaviours becomes a real question mark in that whole chain. What PIMS does is enable that evidence of good behaviour. Trust comes with verification, and that verification is based on good PIMS practices.
Can this new standard help companies achieve compliance with the GDPR, or the California Act, for example?
At this point in time, there is no standard that is identified as a representation of legal compliance for privacy, so there’s a lot of discretion right now in Europe as to how regulation is interpreted by companies, and that includes Microsoft. The standard isn’t about having a clear path that leads to legal compliance – that doesn’t exist today. It’s about strong practices, good hygiene, establishing responsible behaviours that are documented, that are repeatable and that have the ability to get better over time. Because one of the main things about a processing management system is its focus on continuous improvement.
It’s important to note that there is not one privacy law; there could be as many as 30 of them… GDPR, the California Act, and countries like Australia or Japan all have their own. One of the things that makes PIMS so interesting is that it embodies a consistent set of privacy practices (i.e. controls) that can be mapped against any privacy law.
Technology is constantly evolving and companies must adapt. Do you see ISO/IEC 27701 still being useful in a couple of years’ time?
The fact that technology moves on means you can never say “we’ve got it sorted and therefore we can hold still”. It just doesn’t work that way. Every business is evolving every day. A standard like ISO/IEC 27701 creates the opportunity for a consistency of approach while being flexible enough to adapt to the changes that happen underneath.
An important notion to master is the privacy impact assessment, which is a systematic process for evaluating the potential effects of your system on privacy. Although this is not a feature of the standard itself, ISO/IEC 27701 does have a requirement for a scope of applicability, where a company is called upon to measure the impact of its data processing in a given context. The standard then provides a series of controls to counteract that impact, which can be mapped against the law, either the GDPR specifically, or the Australia, Japan or California privacy laws. It’s the combination of these pieces put together that can get you across the line of responsible practices for data protection. Think of it as a journey, not a destination!
What’s at stake for Microsoft? Why has it been such a big supporter of the standard?
That conversation starts essentially with our customers. The reality is that the standard allows the people who are working in cloud services, and using our technologies, to join forces with Microsoft, taking steps forward together and making assertions about good data management practices collectively. ISO/IEC 27701 plays that central role in building a harmonized conversation between organizations. It’s critical in the conversation you can have with regulators, but it’s really also about the business-to-business relationships.
PIMS is a valuable asset in the use of information technology in any business, so our primary interest has been in having the solid privacy approach that our customers need. The next step is about our own behaviours. But I will say this: our operations for privacy have reached well beyond the process to qualify for, let’s say, a PIMS audit at some point. That’s something we are committed to doing, and ISO/IEC 27701 is part of our audit process.
Microsoft has extended GDPR protections to all citizens in the world using our technologies. If we are going to do the essential engineering work and the ongoing improvements to make our systems respectful of citizens’ data, then we have to approach it in a constructive, holistic way. PIMS will be able to layer on top of that to put the practices we already have within the framework of a third-party audit.
What does it mean for a business to adopt ISO/IEC 27701? Can you tell us a little more about what’s involved?
As I mentioned before, this standard builds on the ISO/IEC 27000 series, so PIMS involves taking that holistic route and accepting that it will require the engagement of an information security management system, which can later be extended to privacy. It’s about looking at your systems and processes, and then establishing controls. Think of a control as a prescriptive behaviour that you have committed to follow; in time, it will become a repeatable behaviour that you can then document.
That’s a job for the data protection officer whose primary responsibility is to make sure the company is adhering to its impact assessments. However, larger companies will ultimately call on an external compliance organization to help them think through all the systems they need. In a nutshell, though, the controls you put in place should span everything from the collection of data, use of data, disposal of data, how you handle data breaches, how you notify customers, and everything else that might be in that chain of thinking.
What does the future hold for Microsoft with regard to standardization?
I will break that question down into two different concepts. First of all, not all standardization is the same. On the one hand, we have technical specifications like Bluetooth or Wi-Fi or other such protocols. These are done by Microsoft’s product groups on an as-needed basis. And within that space, one of the most interesting things to emerge over the last five years has been the massive growth in open source software. The way in which people are solving collaboration problems has not necessarily been in the traditional standards context, but via collaborative development in an open source context. That doesn’t mean standardization is going away, but the landscape is changing significantly.
On the International Standards side, the type developed by ISO and its partner organizations, the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU), I think people are really looking at the growth of regulation and how standards act as “soft law” in relation to regulation. How does PIMS stand between the existing laws and the behaviours of an organization? You need something in between them and standards can play a central role in bridging the gap. They are particularly helpful in dealing with the diffusion of regulatory approaches, for example reconciling Australia’s privacy laws with those of the GDPR. So the incredibly important role that ISO/IEC 27701 can play is to act as a Rosetta stone between the different regulatory approaches.
It’s a very powerful thing!