Search
SOLUTIONS
SERVICES
CAMPAIGNS
TECHNOLOGY
INSIGHTS
COMPANY
OUR WORK
OUR WORK
CONTACT
CONTACT
Technology

Why iDX Is ISO 27701 Compliant

September 27, 2023 | by Albert Jesupaul
  1. Home
  2. Blog
  3. Technology
  4. Why iDX Is ISO 27701 Compliant
Navigate the Complex World of Consumer Privacy Laws in the US with Our Expert Insights. Protect Your Business and Stay Compliant.

Buckle up: consumer privacy laws are proliferating across the United States. This is not always good news for businesses trying to navigate them because those laws are complex and not always clear. This blog post takes a closer look. 

A Flurry of Laws

Highly publicized consumer privacy laws in Europe (e.g., GDPR) and the United States (most notably, the California Consumer Privacy Act) have unleashed a flurry of consumer privacy laws across the United States. Privacy laws in the pipeline at the state level range from the Texas Data Privacy and Security Act (effective in 2024) to the Indiana Consumer Data Protection Act (Effective from 2026). In fact, there are so many U.S. privacy laws either passed or in progress that the U.S. State Privacy Legislation Tracker has been kept busy following them all

The State of Consumer Data Privacy Laws in the US (And Why It Matters) | Wirecutter (nytimes.com)

The Challenge

Privacy laws exist to protect consumers. At the same time, this legislation can impose myriad burdens on businesses as they try to ensure they are compliant with a patchwork quilt of laws from one state to the next.

Any business (such as ours) that designs, builds, and manages web sites -- and provides tools and feeds to support client needs encounters a variety of data on a daily basis. In an ever-changing landscape of privacy regulations, it becomes more and more difficult to ensure compliance.

It's relatively simple for a business to ensure compliance with consumer privacy regulations when managing a web form -- for example, a website asks the users to sign-up for a newsletter or an alert or allowing the users to submit their questions or comments. The user is presented with a privacy policy that states how the information they share will be used, and an explicit consent is sought. This is also true for most of the trackers which tracks the person and pushes advertisements.

But matters become complicated when you consider protecting privacy in context of IP (Internet Protocol) addresses. An IP address is a unique string of characters that identifies each computer using the Internet Protocol to communicate over a network. Every device (like your computer or smartphone) has a unique IP address. The internet uses the IP address to deliver data to the correct device. Put another way, an IP address is like a home address for your device on the internet, helping information find its way to the right destination.

Is it a violation of privacy laws to gather IP addresses? This is a complex question. There is no easy answer, as the answer may vary depending on the specific context in which the IP address is being used. In the past, the EU courts have ruled that an IP address is a Personally Identifying Information (PII) as it could help tracking to a specific individual when combined with the information the Internet Service Provider (ISP) might have about the user. In other words, collecting IP addresses is a violation of consumer privacy law. But, what happens when a user sits at a corporate network and connects to an Internet website through proxies or firewalls (which mask/hide the original IP address) and the ISP itself might see only the masked IP address?

The question about whether IP addresses constitute PII and are therefore considered off limits for collecting affects lead generation tools. These tools rely on IP address information to trace and report from which company a specific user is accessing the site. Most vendors who supply such tools claim that their scripts are not able to identify any individual users. While such scripts can be used to determine the IP address of the website visitor, those tools use it to match the IP address with a company name (if publicly available) and resolve the geographical location of the visitor. And, though the IP address is used to perform the matching, the IP address is not stored permanently in any of their servers. IP address to a company name resolution is available publicly through tools like Whois.

Moreover, such tools don't track whether the IP address comes from a users workstation or the firewall or proxy that masks it. If a product collecting IP address is not in compliance with privacy regulations, by a broader stroke, every computer operating system will be non-compliant too (as most systems track IP addresses and use them as part of their event logging and monitoring.)

To appreciate how difficult and tangled the above scenario is for a business, consider the logic in this assumption: 

  • Killing a living being is illegal.
  • Animals are living beings.
  • Human beings kill some animals for food.
  • So, are people eating meat performing an illegal act? 

The point is that no proper guidance around the implementation of these privacy laws, and some privacy warriors try to twist it to their own benefits and get some mileage out of them. The devil is in the details, and we can't make any global assumptions when it comes to privacy and privacy regulations.

Our Approach

The following principles should lie at the heart of the companys approach to collecting and processing personal data:

  • Lawfulness, fairness, and transparency (demonstrated through the privacy policy, cookie policy, etc.).
  • Purpose limitation (data is collected only for a specific purpose and will not be used for other purposes).
  • Data minimisation (collecting only the minimum necessary amount of data).
  • Accuracy (there will be validation to ensure the accuracy of the data).
  • Storage limitation (the data will be stored only for the duration of its purpose and will be disposed after that).
  • Integrity and confidentiality (security). Confidentiality, integrity, and availability controls are in place.
  • Accountability (data owners are assigned who are accountable for the data throughout its lifecycle).

iDX used to get GDPR compliance certification (through Bureau Veritas) in the past. With the ongoing saga of privacy laws mushrooming, doing so neither scalable nor feasible. Instead, we have found ISO27701 to be very comprehensive and efficient.

ISO 27701 is an international standard that specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) such as ours. It is an extension of the ISO 27001 information security management standard, and includes a set of privacy-specific requirements, controls, and control objectives.

ISO certifications are industry standard and well-recognized around the world. So, just like we certify our information security through ISO27001, we are certifying our privacy controls through ISO27701.

When we are certified for ISO27701, we are sure that we are meeting all privacy requirements in whatever we do. This reduces the burden of being compliant with individual regulations and getting ready for future ones. This certification is an easier way of telling anyone that we treat privacy seriously and ensuring it in all our processes. So, no matter how many privacy laws arise in the United States, we don't have to do anything differently to be compliant. It simplifies our lives and it gives better assurance to our clients.

ISO27701 helps a company like ours stay in compliance with various privacy regulations (especially the growing number of statutory legislations mushrooming across the United States.) As ISO27701 built on the industry standard ISO27001 Information Security Management System (ISMS), it helps a company to incorporate privacy into every control, thus addressing the different requirements of these privacy regulations.

Having Privacy Information Management System (PIMS) in place is a sign that the personal data of a clients users is in safe hands. In addition, ISO27701 compliance demonstrates that a business like ours will follow new regulations and requirements. That's because the ISO27701 certification involves annual audits and surveillance audits, and the controls will be maintained on a continuous basis.

iDX's ISO27701 certification a major differentiator when it comes to privacy, and it surely gives us an edge over many of our competitors. When the clients data is in safer hands, their websites are -- and their future, too.

Our recently published white paper on Navigating the Landscape of Cybersecurity, Privacy, and Accessibility contains more insight into our thinking about consumer privacy. In addition, the iDX on-demand hosting platform is built from the ground up with security and data protection by design. Contact us to learn how we can help you.