Global Standards For All Roles
Introduction
Global standards per se vary from stakeholder natures, functioning and deliverables. The core agenda of this exercise was to find a few globally certified standards in the DPP space that fit for each of these roles:
Platform owner - a platform owner is an entity that owns, governs, or controls the platform's codebase. They are responsible for its architecture design, roadmap, and versions.)
Implementing agencies - An agency that deploys and configures a platform for the program owner is an implementing agency (IA)
Program owners - a ‘program owner’ is the entity responsible for the delivery of specific public goods, services, or social welfare. A Program owner is usually a government entity.
They per se require no certified standard to follow. The law of the land complied with is sufficient for them to showcase their proactive steps on DPP
Global Standards For All
Platform Owner
Depending on the nature of the work the platform owner undertakes the NIST Privacy Framework could be looked at as a direction for standardization.
What is it?
The privacy framework is composed of three parts: Core, Profiles, and Implementation Tiers.
Each component reinforces privacy risk management through the connection between business and mission drivers, organizational roles and responsibilities, and privacy protection activities.
The Core enables a dialogue—from the executive level to the implementation/operations level—about important privacy protection activities and desired outcomes.
Profiles enable the prioritization of the outcomes and activities that best meet organizational privacy values, mission or business needs, and risks.
Implementation Tiers support decision-making and communication about the sufficiency of organizational processes and resources to manage privacy risk
The advantages of NIST are:
It pushes for Privacy engineering functions to be embedded in the design of the software
It promotes transparency as the guidelines are clearly communicated to IA and POs
It enhances trust as it encourages proactive privacy measures to be taken from the design stage itself
It streamlines operations by embedding privacy into the functional and design practices, avoiding costly retroactive changes
Implementing Agencies/Program Owners
An IA’s core responsibility is to deploy the platform. Its functions require hands-on functions of customisation, configuration, training and support. The IA ideally has complete access to the data of citizens.
For an IA getting certified under ISO 27701 is recommended. This certification requires a certification to ISO 27001 as a first step.
Why ISO 27701?
The upcoming Digital Personal Data Protection Bill would require companies that are eligible to be an IA to undergo steps similar to those in the ISO 27701.
The steps / key components of ISO 27701's Privacy Information Management System (PIMS) are :
Privacy risk management: ISO 27701 would require an IA to identify and assess privacy risks associated with the processing of Personally Identifiable Information (PII) and implement appropriate controls to mitigate these risks.
Privacy policy and procedures: ISO 27701 requires an IA to develop and implement privacy policies and procedures that are aligned with the administering authority’s overall information security policies and procedures.
Data subject rights: ISO 27701 requires the IA to establish procedures for handling data subject requests, such as access, rectification, and erasure of personal data. With such a feature embedded, the citizens would be given a chance to exercise their right to privacy.
Privacy training and awareness: ISO 27701 requires an IA to provide privacy training and awareness programs to employees and other stakeholders to ensure that they understand their roles and responsibilities in protecting PII.
Incident management: ISO 27701 requires an IA to establish procedures for managing privacy incidents, including breach notification, investigation, and remediation.
Third-party management: ISO 27701 requires an IA to establish procedures for managing third-party relationships that involve the processing of PII, including due diligence, contract management, and monitoring.
Assurance: ISO 27701 provides assurance to senior members of administrative authorities, and other stakeholders, such as citizens and partners that the organization is committed to protecting Personally Identifiable Information (PII) and has implemented international best practices for privacy management.
Trust: ISO 27701 can help organizations build trust with stakeholders by providing tangible evidence of their commitment to protecting PII.
Compliance: ISO 27701 supports compliance with globally recognised data protection and privacy regulations such as GDPR, CCPA, and others.
Risk management: ISO 27701 helps the IA identify and mitigate privacy risks, reducing the likelihood of data breaches, reputational damage, and financial losses.
Global standard: ISO 27701 is a respected global standard for privacy information management and can be used by agencies of all sizes and from all sectors.
Integration: ISO 27701 is an extension to ISO 27001, meaning it can be integrated with an existing Information Security Management System (ISMS) to enhance privacy management and compliance efforts.
By getting certified under ISO 27701, implementing agencies can demonstrate their commitment to protecting PII, build trust with stakeholders, comply with data protection and privacy regulations, and improve their privacy risk management efforts.
Last updated