Skip to Main Content
Main Menu
Search Opener
Search Close
Contact us
Standard

ISO 27550

The International Organization for Standardization (ISO) 27550, focuses on security techniques, establishes engineering guidelines designed to help entities to incorporate privacy engineering elements into various system lifecycle processes.

Who should use ISO 27550?

This voluntary international standard is directed towards engineers and practitioners involved in the development, implementation or operation of systems that need privacy consideration. Managers responsible for privacy, development, product management, marketing, and operations also find this standard beneficial.

Key obligations of ISO 27550

Risk management processes

Conduct a risk management process to identify, assess, and remediate systematic risks throughout the entire lifecycle of a system product and/or service.

Similarly, a supplementary analysis risk activity should be performed to: identify risks associated with processing personally identifiable information (PII) as well as any vulnerabilities of systems processing PII, estimate the possibility and consequences of each identified risk, and evaluate and prioritize mitigating the identified risk.

Implementation of data management controls

Entities must establish system infrastructures that enable granular control over PII to implement key privacy principles such as maintaining data quality and integrity, achieving data minimization, and implementing individuals privacy preferences. There should also be system controls to enable certain privileged stakeholders to administer changes to PII management and processing, and the fair treatment of individuals.

Safeguarding individual identities via disassociability

Disassociability is a method to actively conceal an individuals’ identity and/or activities from unnecessary exposure during processing or transactions involving PII. Disassociability can be achieved through deploying cryptographic techniques, including: anonymity, de-identification, unlinkability, unobservability, and pseudonymity.

Transparency

Provide individuals with information regarding the entire system lifecycle that covers actual and planned processing activities, including: why PII is needed for processing, the purpose of processing, and whether PII will be disclosed to third-parties.

Whitepaper

Privacy and Data Security in Mergers & Acquisitions

Data can be a valuable asset or an incredible liability to your business. Proactive data privacy practices are strategically critical in this data economy because of the extreme cost of mistakes today.

Achieve compliance

PrivacyCentral

Privacy program development and compliance management

Automatically identify gaps and track compliance with PrivacyCentral for PC DSS v4.0, SOC2, ISO (e.g. 27701, 31700-01, 27550, etc.), NIST, and other privacy and security standards.
Nymity Research

Guidance and operational templates

Stay ahead of framework changes with expert guidance, ensuring your security and program practices remain compliant and up to date. Operationalize quickly with expert written operational templates for sample policies, checklists, training, and more.

Data Inventory Hub & Risk Profile

Complete risk management process

Automate your data inventory mapping with TrustArc’s Data Inventory Hub. Save time and reduce risk with automated data flow mapping, risk analysis, and remediation for personal data processes and general activities associated.
Assessment Manager

Mitigate risks

Use pre-built DPIAs, risk, and vendor assessments to mitigate risks with TrustArc’s Assessment Manager.

FAQs

  • What are the data subject rights that I must comply with?

    ISO 27550 does not establish explicit requirements for entities to comply with data subject rights. However, entities are required to develop system functionalities that enable individuals to control their PII and privacy preferences, and intervene in all privacy related data processing activities (e.g. request for data erasure and withdraw consent to processing).

  • Is there an obligation to obtain consent from individuals prior to collecting their PII?

    No, ISO 27550 does not provide explicit obligations to seek consent prior to collecting and processing PII. However, as a best practice, entities should comply with relevant data protection and consent obligations in the jurisdiction where processing will take place.

  • Do I need to designate an internal data protection officer?

    ISO 27550 does not establish explicit requirements for entities to designate a data protection officer. However, entities are required to create a point of contact with supervisory authorities who can intervene in data processing activities by requesting or enforcing the blocking, erasure or destruction of data or even shutting off the system.

Related Resources

The information provided does not, and is not intended to, constitute legal advice. Instead, all information, content, and materials presented are for general informational purposes only.

Back to Top