Who's for a Pimms?

Within a year or so, organisations will be able to have their Privacy Information Management Systems certified compliant with ISO/IEC 27701, thanks to a new accreditation standard ISO/IEC TS 27006 part 2, currently in draft.

A PIMS is very similar to an Information Security Management System, hence compliance auditing and certification are also very similar – so much so that I’ve heard some certification bodies are already taking the initiative by issuing PIMS certificates despite their not being formally accredited for that.

Potentially, a PIMS certificate may become the generally-accepted means of demonstrating an organisation’s due care over privacy and personal data protection – a way to assure data subjects, business partners, the authorities and courts that they have, in fact, adopted good privacy practices. 

A PIMS should materially reduce an organisation’s risk of suffering privacy breaches.   However, as with an ISMS, ‘materially reduce’ is not quite the same as ‘eliminate’.  In the less likely event that a privacy breach occurs, despite having a PIMS, compliance certificates for the organisation and if appropriate its information service suppliers (e.g. cloud or marketing services) may be a credible part of the organisation’s legal defence against prosecution under GDPR or other privacy laws and regs, but they would still need to explain why the breach occurred and what they have fixed to prevent a recurrence.  The PIMS should at least structure the response to the breach, including corrective actions addressing the root causes, hence there should be something substantial behind the usual vacuous PR statements about ‘taking this matter very seriously’.