In an era where data is often described as the “new oil,” organizations worldwide grapple with an ever-expanding landscape of privacy regulations. In the Philippines, the Data Privacy Act of 2012 (RA 10173) imposes strict requirements on how personal information is collected and processed; additionally, regulations from other parts of the world, such as the EU’s General Data Protection Regulation (GDPR), set a high bar for modern privacy laws.
For several years, ISO/IEC 27701 has offered a structured, globally recognized way to meet these demands by building on the ISO/IEC 27001 information security management framework. The new edition of ISO/IEC 27701, expected to be finalized in early 2025, promises a more independent approach to Privacy Information Management Systems (PIMS), so that more organizations can adopt the standard regardless of which security certifications they already hold.
What is a Privacy Information Management System (PIMS)?
A Privacy Information Management System (PIMS) is a set of processes, policies, and technologies that organizations use to manage personal data responsibly. Think of it as a roadmap that covers:
- Data Collection and Storage – How do you gather personal information, and where do you keep it?
- Consent Management – Where consent is the lawful basis for processing, how do you obtain it, record it, and honour its withdrawal?
- Data Processing – Who has access to personal data, and how is it being used?
- Risk Management – What systems are in place to spot potential security or privacy issues early?
- Compliance and Reporting – How do you demonstrate to regulators, customers, and partners that you’re following privacy laws and best practices?
By having these elements in one unified system, businesses can quickly adapt to new regulations, reduce the risk of data breaches, and show that they are taking privacy protection seriously.
ISO 27701 in a Nutshell
ISO/IEC 27701, first published in 2019, was designed as an extension of ISO/IEC 27001, the global benchmark for information security management, adding privacy-specific requirements so that organizations have a systematic way to handle personal data while meeting multiple regulations. Under the 2019 edition, ISO 27701 certification could only be issued as an extension of an ISO 27001-certified Information Security Management System (ISMS), which limited smaller or non-technology organizations that wanted a more direct route to a privacy certification.
ISO 27701 – What’s Changing?
- Standalone Management System
Current indications are that the updated ISO 27701 will allow organizations to implement a PIMS without first holding ISO 27001 certification. This opens the door for companies that already have security measures in place (but not necessarily ISO 27001) to focus specifically on data privacy.
- Refined Controls
To keep the focus on privacy, about 52 non-privacy-related controls inherited from ISO/IEC 27001 might be removed, making the standard leaner and easier to implement. Around 10 new controls, covering modern topics such as cloud services and threat intelligence, are expected to be added.
- Broader Compatibility
ISO 27701 will still align with other ISO frameworks—particularly ISO 27001, ISO 29100, and future updates—so any existing efforts or certifications remain valuable. Organizations can pick and choose the elements that best fit their structure while still maintaining comprehensive privacy protection.
Why a Standalone PIMS Matters for Philippine Organizations
For businesses operating in the Philippines, where local rules complement global regulations, a standalone PIMS aligned with ISO 27701 can be especially beneficial:
- Tailored Compliance – Focus on privacy-specific controls that address both the Philippine Data Privacy Act and international standards.
- Simplified Implementation – Reduce administrative overhead by narrowing the scope to essential privacy measures, saving time and resources.
- Future-Proofing – Integrate with any ISO standards already adopted, so that updates and ongoing compliance run smoothly.
How to Prepare for ISO 27701
- Stay Informed and Consider Expert Guidance
Monitor announcements from ISO and from local regulatory bodies such as the National Privacy Commission so you can anticipate changes and plan effectively. Consider engaging external consultants or third-party auditors so that you do not miss crucial controls or documentation requirements.
- Evaluate Your Current State
Assess your existing data privacy measures and identify any gaps. This will help you prioritize areas that need improvement before moving forward with ISO 27701 compliance efforts.
- Conduct Training and Awareness
Provide comprehensive training for staff so they understand the importance of data privacy and their responsibilities. Regular awareness programs help foster a culture of compliance.
- Set Clear Objectives
Define measurable goals to track your progress toward ISO 27701 compliance. Align these objectives with broader business aims to ensure consistency and support from key stakeholders.
- Establish Documentation
Maintain thorough documentation of policies, procedures, and operational controls. Proper record-keeping creates a transparent, audit-ready environment and makes it easier to verify compliance.
- Implement
Put your plans into action, continuously monitor the results, and adjust as necessary. Regular reviews will help you stay on track and address any emerging requirements efficiently.
- Audit and Management Review
Conduct regular audits and management reviews to confirm that your privacy management framework meets ISO 27701 requirements and supports ongoing compliance.
Conclusion
As global privacy regulations continue to evolve, the forthcoming ISO 27701 represents a significant step toward a more accessible, privacy-focused framework—one that acknowledges organizations may not all start from the same place.
By adopting a standalone PIMS aligned with the updated ISO 27701 guidelines, organizations can reduce complexity, safeguard personal data more effectively, and demonstrate a commitment to responsible business practices. In a world where data privacy and security demands are only set to grow, preparing for these changes now is a strategic move that can pay dividends in credibility and trust.
To help you on your data privacy management journey, ECC International offers guidance and support at every step, from initial assessment through to comprehensive training, ensuring you are well prepared for the future of privacy management. Connect with us or visit this link for more information.