ISO 27701: Privacy by Design and by Default
The ISO/IEC 27701 standard is a privacy extension to ISO/IEC 27001. It provides a comprehensive framework for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). Omnicom integrates these principles into all its development processes to ensure privacy by design and privacy by default.
Understanding ISO/IEC 27701
ISO/IEC 27701 specifies requirements and provides guidance for a PIMS, making it an essential tool for demonstrating compliance with data protection regulations like the GDPR. It is not a standalone standard; it builds upon the foundation of an ISO 27001 Information Security Management System (ISMS).
Core Concepts: PIMS and its Relation to ISMS
A Privacy Information Management System (PIMS) is a governance framework focused on managing and protecting Personally Identifiable Information (PII). It extends the risk management principles of an ISMS to cover privacy-specific risks.
Key concepts introduced by ISO 27701 include:
- PII Controller: An entity that determines the purposes and means of the processing of PII (e.g., Omnicom when processing employee data).
- PII Processor: An entity that processes PII on behalf of a PII controller (e.g., Omnicom when processing customer data on behalf of a client).
The standard provides specific controls and guidance for both roles, ensuring that privacy obligations are met regardless of how PII is being handled.
Key Clauses and Developer Relevance for Osborn
For developers on the Osborn project, ISO 27701 translates high-level privacy principles into actionable requirements that must be implemented within our Django backend and React frontend. Personnel involved in solution architecture and design must have knowledge of this standard.
Depending on the context, the Osborn platform may act as both a PII Controller (for its own user data) and a PII Processor (when handling client data). The principles below apply in both cases.
Clause 7: PIMS-specific guidance related to PII Controllers
When Osborn acts as a PII Controller, developers must implement features that directly support these obligations:
- 7.2 Conditions for collection and processing:
- Developer Action: In the React frontend, implement clear and granular consent mechanisms (e.g., checkboxes in registration forms). In the Django backend, ensure the User model can record when and how the user consented.
- 7.3 Obligations to PII principals (Data Subjects):
- Developer Action: Build a user profile page in the Next.js application that allows users to exercise their rights, such as accessing, rectifying, or requesting the deletion of their data via API calls to the backend.
- 7.4 Privacy by design and by default:
- Developer Action:
- Data Minimization: When creating a Django model, only include fields that are strictly necessary. For example, if we only need a user's country for analytics, do not collect their full address.
- Purpose Limitation: Ensure that PII collected for authentication is not used for marketing without separate consent.
- Privacy-Enhancing Technologies (PETs): Implement data masking for non-production database seeds.
- 7.5 PII sharing, transfer, and disclosure:
- Developer Action: Ensure all communication between the React frontend and the Django backend is over HTTPS. Any data sharing with third parties must be done via secure, authenticated APIs.
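The consent record that 7.2 (recording when and how the user consented) and 7.4 (purpose limitation) call for, as an added framework-free Python example rather than Osborn project code; the `Purpose` values, field names and the `require_consent` helper are assumptions standing in for what the Django User/consent model would store.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    # Every processing purpose gets its own consent decision (purpose limitation).
    AUTHENTICATION = "authentication"
    ANALYTICS = "analytics"
    MARKETING = "marketing"


@dataclass(frozen=True)
class ConsentRecord:
    purpose: Purpose
    granted: bool            # False records a withdrawal
    recorded_at: datetime    # when the user consented (or withdrew)
    source: str              # how: e.g. "registration_form" or "profile_page"
    policy_version: str      # which privacy notice text the user was shown


@dataclass
class UserConsent:
    user_id: int
    records: list[ConsentRecord] = field(default_factory=list)

    def record(self, purpose, granted, source, policy_version, at=None):
        # Append-only: earlier decisions are kept as an audit trail, never overwritten.
        at = at or datetime.now(timezone.utc)
        self.records.append(ConsentRecord(purpose, granted, at, source, policy_version))

    def has_consent(self, purpose):
        # The most recent decision for a purpose wins, so a withdrawal revokes consent.
        decisions = sorted((r for r in self.records if r.purpose == purpose),
                           key=lambda r: r.recorded_at)
        return bool(decisions) and decisions[-1].granted


class PurposeViolation(PermissionError):
    """Raised when PII would be used for a purpose the user never consented to."""


def require_consent(consent: UserConsent, purpose: Purpose) -> None:
    # Call at the boundary of any code path that uses PII for `purpose` (hypothetical helper).
    if not consent.has_consent(purpose):
        raise PurposeViolation(f"user {consent.user_id}: no consent for {purpose.value}")


def sample_consent() -> UserConsent:
    # Constructed sample: the registration form granted authentication and analytics only,
    # so marketing use must fail until separate consent is recorded.
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    c = UserConsent(user_id=42)
    c.record(Purpose.AUTHENTICATION, True, "registration_form", "privacy-v1", t0)
    c.record(Purpose.ANALYTICS, True, "registration_form", "privacy-v1", t0)
    return c
```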
Clause 8: PIMS-specific guidance related to PII Processors
When Osborn acts as a PII Processor for a client, the focus shifts to fulfilling contractual obligations:
- 8.2 Obligations to customers:
- Developer Action: The Django backend must be designed to process PII only according to the documented instructions of the customer, with logic to enforce data segregation in our multi-tenant architecture.
Integration with the Osborn SDLC
Omnicom's commitment to ISO 27701 is embedded throughout the Osborn SDLC:
- Requirements Analysis:
- Define and document privacy requirements in the Jira task.
- Architecture and Design Phase:
- Incorporate privacy by design principles into the AWS architecture.
- Perform Privacy Impact Assessments (PIA) in OneTrust before development begins.
- Development Phase:
- Implement features for consent management and data subject rights in the React/Django stack.
- Apply secure coding practices with a focus on protecting PII.
- Testing Phase:
- Explicitly validate that privacy requirements have been met.
- Test data subject rights functionality to ensure it works correctly.
- Operations/Maintenance:
- Establish clear procedures for handling data breaches.
- Implement and enforce data retention policies in the Django backend.