ISO 27701 - Privacy Information Management System (PIMS)
The Trust Challenge

Key obligations: consequences of unauthorized use of personal data

  • Inquiry by local authorities: The local authorities will question the relevant person in charge of the company and may issue warnings, penalties, and public notices of dishonesty for violations of laws and regulations.
  • Civil liability: According to Article 10 of the Judicial Interpretation of September 4, 2019, illegal use of personal information is deemed to meet the prescribed “serious circumstances”, and civil liability will be pursued.
  • Administrative responsibility: A company that infringes on citizens’ personal information may have administrative penalties imposed on its principals in accordance with the China Cybersecurity Law.
  • Loss of corporate reputation: Negative impacts on corporate competitiveness, brand image, and consumer confidence.
  • Business interruption: For companies that collect and use personal information in violation of laws and regulations, the relevant authorities can remove their app or system, order rectification within a time limit, or even revoke the relevant business licenses.

Data controllers are responsible for:

  • Creating privacy notices.
  • Implementing mechanisms to ensure that individuals can exercise their data subject rights.
  • Adopting measures to ensure that data processing meets the GDPR’s principle of privacy by design and by default.

Data processors are responsible for:

  • Following the instructions set by the controller, thereby mitigating the risk that data is processed excessively or without a lawful basis.
  • Providing whatever information is necessary to help the controller complete a DSAR (data subject access request).
  • Informing data subjects in advance if personal data is being transferred between jurisdictions.
The Trust Challenge

Key Challenges in brief:

  • Under ISO 27701, the data controller has to maintain the following key records, among others:
    • Personal data collected (“Data Inventory”)
    • Retention period for the personal data (“Data Minimization”)
    • Rights and methods for accessing the personal data (“Data Subject Rights”)
  • Organizations share user data with various third parties in the course of their business.
  • Organizations need to know their entire "Data Footprint" to implement ISO 27701.
  • Manually managing data mapping and inventory to adhere to CPA requirements is costly and time-consuming, but it must be done within the stipulated period or the organization opens itself to sanctions.
  • Lack of a provision or process to delete data, even though ISO 27701 mandates deletion when the lawful basis for processing expires.
  • Organizations lack a mechanism for validating the permanent deletion of data.
  • Too many regulatory requirements to juggle

    Using ISO 27701 as a unified system of data privacy operational control removes the need to focus on multiple regulations separately. As an international standard, ISO 27701 is designed to meet the requirements of data protection law and the GDPR, and to be flexible enough to be adapted to specific industry requirements. This enables companies to work within a single framework while meeting multiple regulatory requirements.
  • Too costly to audit regulation-by-regulation

    Internal and external auditors use ISO 27701 to determine regulatory compliance in one single audit cycle. This saves the organisation money compared to following a disjointed regulation-by-regulation audit process.
  • Promises of compliance without proof are potentially risky

    It is not enough for companies to follow best-practice data privacy processes; they must also be able to prove compliance with laws and regulations. That means having a robust, integrated process for documentation. Businesses with complex processes may have multiple types of data controller and data processor, cloud providers and partner vendors. Inability to prove compliance with laws or regulations in any part of the supply chain could expose the business to financial and reputational risk.
Win-Win Situation

Solutions

Data discovery, inventory and mapping: Our AI-based, patented solution, TurtleShield PI (Privacy Intelligence), discovers all personal and sensitive data in structured and unstructured data systems across on-premises and multi-cloud environments. TurtleShield DI (Data Inventory) enables organizations to inventory and map their entire “Data footprint”, enabling them to protect what matters most.

Third-party Privacy Intelligence (monitors third-party sharing): There are often silos between entities or between business and IT teams, and it is challenging to get a full picture of data leaving and entering the organization, especially when data is shared with third parties, vendors, business partners and others. TurtleShield PI (Privacy Intelligence) creates a data map based on your “data sharing” so that you can act on it.

Data Minimization: TurtleShield DM (Data Minimization) helps businesses minimize excess data and adhere to the data minimization principle. This is a data hygiene control, and we approach it from a risk reduction and compliance perspective. We scan large data sets with machine learning to find excess data, including personal data. This can eliminate operational inefficiencies and save cost by removing unwanted data, along with the legal cost of holding it with respect to regulatory compliance.

Right to be Forgotten (RTBF) with assured deletion: TurtleShield RTBF (Right to Be Forgotten) gives businesses the capability to comply with mandatory deletion of personal data by deleting the data on request and validating the deletion.

Enable data subject rights with cost savings and compliance in totality: Search capability across large datasets fulfills data subject requests in totality and at a rapid pace. The assumption that data exists only in databases and nowhere else is often not reality, as customer data exists in many sources. Using machine learning and AI, we crawl across data sources and predict where PII can exist.
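The record-keeping, retention and assured-deletion duties described above can be made concrete with a small model. The following is an added illustration, not TurtleShield code and not the text of ISO 27701: it keeps a data inventory (system, category, purpose, lawful basis, retention period), reports systems holding data that the inventory does not account for, flags records kept past their retention period, searches every store (including free-text fields) for a data subject's identifiers, and performs an erasure that is only considered complete once a re-scan finds nothing. All system names, records and retention periods are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class InventoryEntry:
    """One line of the data inventory (the controller's record of processing)."""
    system: str          # where the data lives: this is the data map
    category: str        # kind of personal data held there
    purpose: str         # why it is processed
    lawful_basis: str    # e.g. contract, consent, legal obligation
    retention_days: int  # how long the purpose justifies keeping it


# Constructed sample inventory; systems, purposes and periods are invented.
INVENTORY = [
    InventoryEntry("crm", "contact details", "service delivery", "contract", 365),
    InventoryEntry("support_exports", "free-text tickets", "support", "contract", 180),
]


def sample_stores():
    """Constructed sample data stores; a fresh copy per call so erasure is repeatable."""
    return {
        "crm": [
            {"subject_id": "u-1001", "email": "alice@example.test", "collected": "2023-01-15"},
            {"subject_id": "u-1002", "email": "bob@example.test", "collected": "2024-11-02"},
        ],
        "support_exports": [
            {"note": "alice@example.test asked about invoice 42", "collected": "2024-10-20"},
            {"note": "u-1002 reset password", "collected": "2024-12-01"},
        ],
        # A system nobody entered in the inventory: the gap in the "data footprint".
        "analytics_dump": [
            {"payload": "login by u-1001 from office", "collected": "2024-06-01"},
        ],
    }


def unmapped_systems(stores, inventory):
    """Stores holding data that the inventory does not account for."""
    mapped = {entry.system for entry in inventory}
    return sorted(system for system in stores if system not in mapped)


def expired_records(stores, inventory, today_iso):
    """Data minimization: (system, record) pairs held longer than their retention period."""
    today = date.fromisoformat(today_iso)
    retention = {entry.system: entry.retention_days for entry in inventory}
    expired = []
    for system, records in stores.items():
        if system not in retention:
            continue  # unmapped systems are reported by unmapped_systems()
        for record in records:
            age = today - date.fromisoformat(record["collected"])
            if age > timedelta(days=retention[system]):
                expired.append((system, record))
    return expired


def _matches(record, identifiers):
    # Every field is searched as text, so identifiers buried in free-text notes are found too.
    text = " ".join(str(value) for value in record.values()).lower()
    return any(identifier.lower() in text for identifier in identifiers)


def locate_subject(stores, identifiers):
    """DSAR search across all stores; returns (system, index) for every matching record."""
    return [(system, idx)
            for system, records in stores.items()
            for idx, record in enumerate(records)
            if _matches(record, identifiers)]


def erase_subject(stores, identifiers):
    """Right to be forgotten with verification: delete matching records in place,
    then re-scan. Returns (deleted_count, remaining_hits); the request is only
    fulfilled when remaining_hits is empty."""
    deleted = 0
    for records in stores.values():
        kept = [record for record in records if not _matches(record, identifiers)]
        deleted += len(records) - len(kept)
        records[:] = kept
    return deleted, locate_subject(stores, identifiers)
```

The verification step is the point of the last function: a deletion routine that reports success without re-scanning every store, including the ones that were never inventoried, cannot prove that the data is gone, which is exactly the evidence an auditor will ask for.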

