Control area: 7.4 Privacy by design

The control area from 27002 examines how an organisation addresses PII privacy through design and the selection of controls to reduce PII loss.

Most data controllers, and indeed processors of PII, would try to limit the amount of processing to reduce exposure to breaches or loss. But it is surprising how many organisations fail to build any privacy-by-design solutions for PII into new business ventures holding PII.

A sensible solution is to limit the collection of PII and reduce it to what is essential, adequate, relevant, and necessary to perform the contract.

A good feature to build into any privacy by design element is that of data quality and accuracy. Over the years the author has seen many organisations inherit databases with no assessment of the validity of the data or the legal basis for processing it.

Data cleansing is paramount, but nowadays it is often overlooked in cost-saving exercises. Without database validation an organisation may be processing data that is a) inaccurate, b) out of date, c) irrelevant, d) false.

Processing PII on this basis could put the organisation in breach of the requirements of its relevant jurisdictional supervisory authority and expose it to possible fines.

Data minimisation is a good way to reduce oversized databases and to ensure that the data controller is only collecting PII that is proportionate and necessary.

For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd.

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is a Certified Data Protection Officer, GDPR practitioner qualified, and a member of the National Association of Data Protection Officers.