Skip to Main Content
Main Menu
Standard

ISO 27550

The International Organization for Standardization (ISO) 27550, focuses on security techniques, establishes engineering guidelines designed to help entities to incorporate privacy engineering elements into various system lifecycle processes.

Who should use ISO 27550?

This voluntary international standard is directed towards engineers and practitioners involved in the development, implementation or operation of systems that need privacy consideration. Managers responsible for privacy, development, product management, marketing, and operations also find this standard beneficial.

Key obligations of ISO 27550

Risk management processes

Conduct a risk management process to identify, assess, and remediate systematic risks throughout the entire lifecycle of a system product and/or service. Perform supplementary analysis to identify risks associated with processing PII and system vulnerabilities, estimate risks’ possibilities and consequences, and prioritize mitigating them.

Implementation of data management controls

Establish system infrastructures that enable granular control over PII to implement key privacy principles such as maintaining data quality and integrity, achieving data minimization, and implementing individuals’ privacy preferences. Enable certain privileged stakeholders to administer changes to PII management and processing, ensuring fair treatment of individuals.

Safeguarding individual identities via disassociability

Disassociability actively conceals an individual’s identity and/or activities from unnecessary exposure during processing or transactions involving PII. Achieve disassociability through deploying cryptographic techniques, including anonymity, de-identification, unlinkability, unobservability, and pseudonymity.

Transparency

Provide individuals with information regarding the entire system lifecycle that covers actual and planned processing activities, including: why PII is needed for processing, the purpose of processing, and whether PII will be disclosed to third-parties.

Whitepaper

Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance

FAQs

  • What are the data subject rights that I must comply with?

    ISO 27550 does not establish explicit requirements for entities to comply with data subject rights. However, entities are required to develop system functionalities that enable individuals to control their PII and privacy preferences, and intervene in all privacy related data processing activities (e.g. request for data erasure and withdraw consent to processing).

  • Is there an obligation to obtain consent from individuals prior to collecting their PII?

    No, ISO 27550 does not provide explicit obligations to seek consent prior to collecting and processing PII. However, as a best practice, entities should comply with relevant data protection and consent obligations in the jurisdiction where processing will take place.

  • Do I need to designate an internal data protection officer?

    ISO 27550 does not establish explicit requirements for entities to designate a data protection officer. However, entities are required to create a point of contact with supervisory authorities who can intervene in data processing activities by requesting or enforcing the blocking, erasure or destruction of data or even shutting off the system.

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top