Standards

Overview

Global standards vary with the nature, functioning, and deliverables of each stakeholder. The core agenda of this exercise was to identify a few globally certified standards in the DPP space that fit each of these roles:

  • Product owner: A product owner is an entity that owns, governs, or controls the product's codebase. They are responsible for its architecture design, roadmap, and versions.

  • Implementing agencies: An agency that deploys and configures a product for the program owner is an implementing agency (IA).

  • Programme owners: A "programme owner" is an entity responsible for delivering specific public goods, services, or social welfare. A programme owner is usually a government entity.

Global Standards For All

Product Owner

Depending on the nature of the work, the product owner adopts the NIST Privacy Framework as its direction for standardisation.

What is it?

  • The Privacy Framework comprises three parts: the Core, Profiles, and Implementation Tiers.

  • Each component reinforces privacy risk management by connecting business and mission drivers, organisational roles and responsibilities, and privacy protection activities.

  • The Core enables a dialogue, from the executive level to the implementation/operations level, about important privacy protection activities and desired outcomes.

  • Profiles enable the prioritisation of the outcomes and activities that best meet organisational privacy values, mission or business needs, and risks.

  • Implementation tiers support decision-making and communication about the sufficiency of organisational processes and resources to manage privacy risk.

The advantages of NIST are:

  • It pushes for privacy engineering functions to be embedded in the design of the software.

  • It promotes transparency as the guidelines are communicated to implementing agencies (IAs) and programme owners.

  • It enhances trust as it encourages proactive privacy measures to be taken from the design stage itself.

  • It streamlines operations by embedding privacy into the functional and design practices, avoiding costly retroactive changes.

Implementing Agencies/Programme Owners

An IA's core responsibility is to deploy the product, which involves hands-on work in customisation, configuration, training, and support. The IA ideally has complete access to citizens' data. For an IA, certification under ISO 27701 is recommended; this requires certification to ISO 27001 as a first step.

Why ISO 27701?

The upcoming Digital Personal Data Protection Bill will require companies that are eligible to be an IA to undergo steps similar to those in ISO 27701.

The key components of ISO 27701's Privacy Information Management System (PIMS), and the benefits of certification, are:

  • Privacy risk management: ISO 27701 requires an IA to identify and assess privacy risks associated with the processing of Personally Identifiable Information (PII) and to implement appropriate controls to mitigate these risks.

  • Privacy policy and procedures: ISO 27701 requires an IA to develop and implement privacy policies and procedures that are aligned with the administering authority’s overall information security policies and procedures.

  • Data subject rights: ISO 27701 requires the IA to establish procedures for handling data subject requests, such as access, rectification, and erasure of personal data. With such procedures in place, citizens are able to exercise their right to privacy.

  • Privacy training and awareness: ISO 27701 requires an IA to provide privacy training and awareness programs to employees and other stakeholders to ensure that they understand their roles and responsibilities in protecting PII.

  • Incident management: ISO 27701 requires an IA to establish procedures for managing privacy incidents, including breach notification, investigation, and remediation.

  • Third-party management: ISO 27701 requires an IA to establish procedures for managing third-party relationships that involve the processing of PII, including due diligence, contract management, and monitoring.

  • Assurance: ISO 27701 assures senior members of administrative authorities and other stakeholders, such as citizens and partners, that the organisation is committed to protecting PII and has implemented international best practices for privacy management.

  • Trust: ISO 27701 can help organisations build trust with stakeholders by providing tangible evidence of their commitment to protecting PII.

  • Compliance: ISO 27701 supports compliance with globally recognised data protection and privacy regulations such as GDPR, CCPA, and others.

  • Risk management: ISO 27701 helps the IA identify and mitigate privacy risks, reducing the likelihood of data breaches, reputational damage, and financial losses.

  • Global standard: ISO 27701 is a respected global standard for privacy information management and can be used by agencies of all sizes and from all sectors.

  • Integration: ISO 27701 is an extension of ISO 27001, meaning it can be integrated with an existing Information Security Management System (ISMS) to enhance privacy management and compliance efforts.

In conclusion, by getting certified under ISO 27701, implementing agencies can demonstrate their commitment to protecting PII, build trust with stakeholders, comply with data protection and privacy regulations, and improve their privacy risk management efforts.

https://creativecommons.org/licenses/by/4.0/