IT systems are evolving rapidly: cloud-based solutions, artificial intelligence and automated processes are all making businesses, organizations, and communities more and more efficient. Compared to the 2 billion internet users in 2015, at the end of 2017 there were approximately 3.8 billion internet users worldwide. It is estimated that by 2022 there will be 6 billion internet users (75% of the population that will grow to 8 billion by then) and by 2030 they will reach 7.5 billion (90% of the projected 8.5 billion population). This increase of usage of IT technologies, and the ever growing number of internet users naturally mean more cyber-attacks and hacking activity, that come with a price: much more attention than usual has to be paid to IT security.
Governments around the world have responded with laws and regulations to reduce these threats and protect digital security, and put various data protection rules in place, such as the GDPR regulation by the European Union that all organizations must comply with. Recently, the world's first international standard has been published to help organizations handle personal information and comply with legal regulations. The new ISO standard helps companies meet the requirements, whatever their field of activity.
The new standard was developed by a committee of data protection experts, data protection authorities, information security experts and industry representatives, which helped to make the PIMS standard not only based on GDPR but also on knowledge of good data protection practices and standards in many member states. The main goal was to enhance the existing Information Security Management System (ISMS) with additional requirements in order to establish, implement, maintain, and continually improve a Privacy Information Management System (PIMS) in the form of an extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management within the context of the organization. Being a management system, it defines the processes of continuous improvement of data protection, which is especially important in a world where technological development does not stop. All this allows organizations of any size, area of activity or industry to protect and control the data they manage in a safe manner. – explains Rita Párkányi (partner) and Dénes Glavatity (associate) from KCG Partners Law Firm.
A special feature of the standard is that it was created for the purpose of providing a basis for the certification described under Article 42 of GDPR. The PIMS certification is a clear pathway towards the GDPR certification mechanism, which can prove to clients, employees and other third parties that the certified company is operating in accordance with GDPR requirements. It lays down practical guidelines, requirements and measures to ensure that a well operating GDPR-compliant data protection system is in place. This is also due to the fact that the GDPR framework of principles is translated into concrete controls and solutions in this standard. This solution also helps group-level businesses to develop a global data protection framework with the ability to comply with local rules.
It is worthwhile to get ready for a PIMS certification as soon as possible, which can be both a security and a business advantage for companies that handle personal data. The legal experts of KCG Partners, however, draw the attention to the fact that the standard is only available to companies that have already implemented the ISO/IEC 27001 ISMS standard, following the required certification process. Despite the risk of not complying with these rules, it is known that many companies simply are not yet ready and in the need of guidance. As there is a growing number of complaints and penalties for lack of data protection all over the European Union, it is clear that this standard is needed. Moreover, companies need to build trust with authorities, partners, clients and employees, to which this standard contributes significantly.
By Rita Parkanyi, Partner, and Denes Glavatity, Associate, KCG Partners Law Firm