Authors:
(1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland (me@harshp.com)
(2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden (jan@linaltec.com);
(3) Georg P. Krog, Signatu AS, Oslo, Norway (georg@signatu.com). Authors: Authors: (1) Harshvardhan J. Pandit, ADAPT Centre, Dublin City University, Dublin, Ireland, and Cybersecurity and Data Protection Group, National Standards Institute, Ireland (me@harshp.com) (2) Jan Lindquist, Privacy and Security Group, Institute for Standards, Sweden (jan@linaltec.com); (3) Georg P. Krog, Signatu AS, Oslo, Norway (georg@signatu.com). Table of Links Abstract and 1 Introduction Abstract and 1 Introduction 2 Overview of ISO/IEC TS 27560:2023 2 Overview of ISO/IEC TS 27560:2023 3 Comparing ISO-27560, ISO-29184, and GDPR 3 Comparing ISO-27560, ISO-29184, and GDPR 4 Consent Records and Receipts using DPV 4 Consent Records and Receipts using DPV 5 Supporting GDPR and DGA 5 Supporting GDPR and DGA 6 Implementation Considerations and Future Work 6.1 Trust and Security 6.1 Trust and Security 6.2 Using Records and Receipts with eIDAS and EUDI Wallet 6.2 Using Records and Receipts with eIDAS and EUDI Wallet 6.3 Standard for PII Processing Record Information and 6.4 Technical Considerations in Managing Records and Receipts 6.3 Standard for PII Processing Record Information and 6.4 Technical Considerations in Managing Records and Receipts 6.5 IEEE P7012 Machine-Readable Privacy Terms 6.5 IEEE P7012 Machine-Readable Privacy Terms 7 Conclusion and References 7 Conclusion and References A Example of Consent Record with both required and optional fields A Example of Consent Record with both required and optional fields B Example of Consent Receipt with required fields from consent record B Example of Consent Receipt with required fields from consent record 3 Comparing ISO-27560, ISO-29184, and GDPR ISO-27560 uses prior terminology established in ISO standards, primarily defined in ISO/IEC 29100:2011 Privacy Framework [4]. To support readers unfamiliar with the ISO terminology, table 1 provides a mapping between ISO-29100 and GDPR terminology regarding the fundamental concepts associated with personal data processing. Note that this mapping only provides relevant concepts and does not indicate that the concepts are interpreted in the exact same way - for example Sensitive PII in ISO terminology is similar to Special Category personal data under GDPR, but they cannot be used interchangeably. Therefore, when applying ISO standards to GDPR, such mappings are indicative of which concepts should be (re-)interpreted with GDPR’s definitions and requirements. In prior work [13], we analysed and compared ISO-29184 requirements for notice and consent with those in GDPR to understand the extent to which ISO-29184 standard can be applied to demonstrate compliance with the requirements of the GDPR. We also explored the possibility of using ISO-29184 certifications under GDPR for consent and notice. In continuation of that work, table 2 compares ISO-27560 for consent information and ISO-29184 for privacy notice information with the requirements under GDPR to provide a holistic view of how the two standards can be used to address GDPR’s requirements. In this, it is important to note that unlike ISO-29184 which is an international standard, ISO-27560 is what ISO terms a Technical Specification (TS) which only provides guidance and is intended to obtain feedback to create a (future) international standard. This paper is available on arxiv under CC BY 4.0 DEED license. This paper is available on arxiv under CC BY 4.0 DEED license. available on arxiv

Part of HackerNoon's growing list of open-source research papers, promoting free access to academic material.

Aptos

The Great Privacy Comparison: ISO Standards Take on Europe's GDPR Requirements

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Analysis of ISO/IEC TS 27560:2023 for GDPR Compliance Using Data Privacy Vocabulary

New ISO Standard Revolutionizes How Organizations Track Digital Consent

10 Ways to Reduce Data Loss and Potential Downtime Of Your Database

10 Threats to an Open API Ecosystem

10 Secure Online Applications in 2021: No More Spy Spps and Hacker Attacks

Analysis of ISO/IEC TS 27560:2023 for GDPR Compliance Using Data Privacy Vocabulary

New ISO Standard Revolutionizes How Organizations Track Digital Consent

10 Ways to Reduce Data Loss and Potential Downtime Of Your Database

10 Threats to an Open API Ecosystem

10 Secure Online Applications in 2021: No More Spy Spps and Hacker Attacks

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps