Why taking a systematic approach to privacy management works

An ISO 27701 compliant management system helps organizations better meet regulatory requirements and mitigate human error. Companies going down this route are better equipped to manage legal risks and ensure a sound security culture.

Regulation such as Europe’s GDPR truly put privacy information management on every corporate agenda in 2018. Individual ownership of personal data was emphasized, and companies across the globe were forced to protect this right in a legally compliant way.

Consistently protecting personal data continues to challenge companies. A recent Espresso survey by DNV revealed that maturity has only slightly increased since the comparable 2019 survey. When GDPR was implemented 4 years ago, companies were scrambling to ensure compliance. It seems this may have remained the main angle for many companies. However, approaching privacy information management from a legal perspective only could be very limiting.

People are the main source of risk

Companies in the survey indicated human error as the main source of risk (44.5%). It is followed by lack of awareness among employees or poor organizational culture (27.7%) and lack of legal competence/interpretation of legal requirements (25.3%). Concern over organizational, cultural and competence issues, rather than external threats, is not necessarily very different from the picture painted in the 2019 survey. However, there is a shift in actions from IT to people. In 2019, IT security enhancement was the primary investment area; it has now been surpassed by staff training and awareness, which is prioritized by almost 1 in 2 companies.

When human error and lack of awareness are considered major risks, it often means that effective culture building has not taken place. This could easily be mitigated by implementing a formal management system assurance model. Every organization experiences staff turnover, for example through attrition and the hiring of new people. This requires training new staff and refreshing the awareness of existing staff at regular intervals.

Building a consistent security culture

This need can best be met through a management system model based on the best practice captured in the privacy information management system standard ISO 27701. The standard sets forth specific requirements on regular training and awareness to ensure a consistent level throughout the organization. This leads to increased engagement and empowers employees to think in terms of “privacy”, helping them manage “uncertainty” related to privacy better. Experience from other areas, such as information security, has clearly demonstrated the ability of an organization to build and improve a security culture through the implementation of a management system.

In a multi-connected society, the threats to privacy span from information and cyber security to wrongful, even if unintentional, use or storage of data by the company itself or other legitimate actors. IT security investments are essential and are rising on all corporate agendas, as most companies seem to be at risk these days. However, the weak point in the data chain is often the person using the information and the devices or software handling it. This underscores the strong need for regular training. It can be e-learning, short training modules or more extensive training for all personnel involved in data management.

Systems drive a robust, reliable approach

Of course, there are other aspects that are important in addition to a compliant management system. For example, the presence of properly trained internal subject matter experts, who act as the focal point for requests or doubts among personnel, is essential. Such experts can also help any company really expand the logic of privacy by design and default. That logic systematically ensures data security by implementing processes that limit collection and processing, ensure quality, manage retention and disposal, and control data during transmission, all at the design stage of any project or of any change in how data is handled.

The DNV survey revealed a heavy investment by companies in training and awareness of staff to mitigate the risk of human error. Investing in competence is always a constructive approach. We do see an opportunity for companies investing heavily in training to pair this with implementation of an ISO 27701 privacy information management system to get a more robust, resilient and reliable approach.

By Nanda kumar Shamanna, ICT Business Manager, DNV
