GDPR: Do you have a PIMS that holds up?
Interview with Lëtzebuerger Gemengen, translation by itrust consulting.
On 28 May 2018, the General Data Protection Regulation (GDPR) came into force in the EU. Three and a half years later, many organisations are slow to comply, considering it too complex. For Carlo Harpes, the situation is worrying. The Managing Director of itrust consulting recommends a PIMS, a Privacy Information Management System, to help companies comply with the GDPR requirements.
What is a PIMS?
A ‘privacy information management system’, abbreviated ‘PIMS’ even in French, is an ‘information security management system that manages the protection of privacy as potentially affected by the processing of personal data’. Personally, this is what I would have called a ‘management system to protect personally identifiable information’ and I would present it as a way to comply with the GDPR. To implement this, there are 1,001 solutions, usually valid for small organisations where data protection is not the primary concern. But for the past 26 months there has been one PIMS which has been described so precisely that organisations can be certified on this basis: the one documented in ISO/IEC 27701.
Who needs it?
3.5 years was not enough time for most organisations to comply with the GDPR. How many have not appointed a DPO (although this is a legal requirement for any public entity)? How many do not have a register of processing that complies with the requirements? How many cannot prove to the CNPD their compliance with the principles of the GDPR, including the one requiring ‘appropriate technical and organisational measures’? Faced with the difficulty of knowing what is appropriate and how to demonstrate it, leaders (policy makers, mayors, heads of administration, CEOs and managing directors) often give up and hide behind the non-compliance of their neighbours. From my observations, this situation is worrying, and only the CNPD, which has the obligation to sanction, should be aware of this state. All the organisations involved here would have benefited from this PIMS.
Who defined this PIMS?
The Luxembourgish authority ILNAS, which I represented at ISO in multiple expert meetings dedicated to this standard since 2014, was arguing with its European partners for a fast and fully GDPR compatible standard. To support compliance with these requirements, we have made numerous suggestions for improvements to the overly complicated numbering and certain overly cumbersome wording. In France, the CNIL has welcomed its participation and encourages the adoption of this standard while leaving organisations the possibility to opt for other systems to create evidence of accountability.
Who supports PIMS in Luxembourg?
In Luxembourg, unfortunately, the CNPD has not communicated on this standard, which I perceive as a strategic mistake, probably due to the absence of CNPD representatives at ISO or a lack of knowledge of management systems altogether. This misjudgement also led it to create a national certification framework in 2018, which aimed at a Luxembourg certification that was very expensive to obtain and, I dare say, economically unjustifiable in the absence of international recognition. Given the multiple inaccuracies in the criteria for this certification and the establishment of dedicated certification processes (instead of using the recognised ISO 17065 process that has been practised for decades), the initiative remained an unused flop, and the collateral damage remains the lack of support for other more mature and affordable standards and approaches.
So is the CNPD partly responsible for poor compliance?
Absolutely not. Every citizen is accountable to the law, and in no case can the police be held responsible for a crime they have not detected. Criticising the CNPD is a way for some people to look away from their own responsibilities. Of course, the CNPD also has an information and awareness-raising mission. They could have done more, but they have done this at other levels.
Where and how to get PIMS certification?
From any foreign certifier or from the only accredited certifier in Luxembourg, Certi-Trust, which issues certification under internationally recognised accreditation. Due to lack of demand, ISO/IEC 27701 certification is not yet available. In the meantime, a certification against ISO/IEC 27001 with an indication on the certificate of the full implementation of the ISO/IEC 27701 measures is possible. itrust consulting obtained it on 9 June 2020.
What are the advantages of this certification?
In the preparation of this certification, itrust consulting has made extensive use of this standard to draw up a data protection policy which lists all the measures proposed in this standard, the implementation choices and internal guidelines, e.g. references to other security measures, internal documentation or an indication of the responsibilities and processes to be followed by the employees. Thus, this policy, together with a risk analysis report and the register of processing activities, is the cornerstone for demonstrating that data are adequately protected, independently of a certification.
During an external audit by the certifier, the conformity to this policy and the correct application of the measures were verified. Without being able to guarantee 100% that there will be no incidents, this inspires the confidence of our clients, and ultimately of most Luxembourg citizens whose data might be processed by us.
‘3.5 years after the entry into force of the GDPR and 26 months after the definition of a PIMS’
What is the cost of certification and its limits?
The cost of certification (including audit) is on average 4 000 euros per year for an organisation with less than 25 employees but increases logarithmically with this number. An organisation that does not have adequate systems in place could have to spend up to 50 000 euros on consultancy, preparation and implementation of processes and measures. Of course, the cost is theoretically zero for companies that are already managing security and data protection in the right way. The costs of business process-specific security measures can also be substantial. However, these measures are not imposed by certification if this is aligned with the risk appetite and if the residual risk is accepted. In other words, certification does not ensure that there are no risks, nor that there is compliance with the GDPR, but only that all risks and compliance issues have been fully detected, understood and accepted by top management and that the interests of data subjects have been respected.
What is the philosophy behind the PIMS of ISO/IEC 27701?
This PIMS is based on the information security management system, i.e. on specific requirements related to understanding the context, leadership, planning, support (e.g. staff training), day-to-day operation of processes and performance evaluation. In other words, it starts from the idea – often overlooked from a legal perspective – that it is pointless to spend time reviewing the specific rights of a data subject if the processing fails to protect the confidentiality, integrity and availability of the information (CIA). However, protecting CIA is not sufficient in terms of privacy protection: risks shall be considered from the perspective of the data subjects and the rights of the data subjects under any applicable legislation. These requirements are comprehensively reflected in 48 controls that are set out in the standard with requirements and implementation guidance. It is also guided by pragmatism and the fact that a law is not complied with because of penalties, but by upgrading the management of any organisation that must comply with it.