An open source privacy mapping tool!

I spied this on my IAPP feed: it appears that someone at Microsoft has created an open source tool that maps privacy laws to ISO/IEC 27701, and through it to other privacy laws. It includes the ever popular GDPR and the fancy new kid CCPA, but also laws further out of left field, like the Singapore PDPA.

You can check it out here.

Let’s give it a spin!

Starting with the filter tab, you can click the + button to add a law you would like to reference. Let’s do Singapore. Expand the sections and it pops out:

Filter box after clicking the + button

Let’s go for the obligation regarding international transfers of personal data in the PDPA (aka the Transfer Limitation Obligation). The node turns yellow and you can now see arrows pointing to relevant sections in the ISO.

Mapping the Transfer Limitation Obligation to the ISO

Now let’s see where it goes in Australia. Click Australia in the + button you previously used to select Singapore. Now the arrows fly down under! If you click on one of the provisions in the ISO, you can find a similar provision in the Australian Privacy Principles: APP 5.2(j)!

Mapping the Transfer Limitation Obligation to the Australian Privacy Principles

So what’s the point?!

It’s a point not mentioned often, but figuring out which laws apply and how they apply is one of the most difficult aspects of a privacy management program. If you come from the EU, you might be able to strut your stuff, since the GDPR is the gold standard. However, if you come from Singapore, you would be torn between complying with something like the PDPA and aspiring to be among the best with the GDPR. Knowing where the relevant sections of other laws sit compared to your own will be very helpful.

This is especially important for laws which aren’t really well known like the PDPA. Life’s too short to memorise more than a couple of pieces of privacy legislation. Having a compass will be very helpful.

Of course, the tool has its limitations. The laws are viewed through the prism of the ISO standard. This makes the mapping easier to implement, but I think it tends to be over-inclusive. This tool also covers legislation, which doesn’t necessarily reflect practice as you go further into the international realm. Like I said, it’s a compass; study and experience are still relevant.

Oh, and I don’t like that they store their information in xlsx. It ain’t git friendly! You can’t complain about something that is free and open source though.
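To make the two gripes above concrete (mapping through the ISO hub is over-inclusive, and xlsx is not git friendly), here is a small added example of my own, not code from the Microsoft tool. It models the hub-and-spoke join in a CSV that diffs cleanly in git: a law's provision is linked to ISO controls, and any provision of another law that shares at least one of those controls is pulled in. The only identifiers taken from the post are the PDPA Transfer Limitation Obligation and APP 5.2(j); every ISO control id and the other APP rows are constructed placeholders, not real clause numbers.

```python
import csv
import io
from collections import defaultdict

# Constructed sample mapping in CSV form (a git-friendly alternative to the
# xlsx the tool ships). Only "Transfer Limitation Obligation" and "APP 5.2(j)"
# come from the post; the ISO control ids and the other APP rows are placeholders.
MAPPING_CSV = """law,provision,iso_control
PDPA,Transfer Limitation Obligation,ISO-CTRL-A
PDPA,Transfer Limitation Obligation,ISO-CTRL-B
APP,APP 5.2(j),ISO-CTRL-A
APP,APP 5.2(j),ISO-CTRL-B
APP,APP placeholder X,ISO-CTRL-B
APP,APP placeholder Y,ISO-CTRL-C
"""


def load_mapping(csv_text):
    """Parse the CSV rows into {law: {provision: {iso_control, ...}}}."""
    mapping = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(csv_text)):
        mapping[row["law"]][row["provision"].strip()].add(row["iso_control"].strip())
    return mapping


def map_across(mapping, src_law, src_provision, dst_law):
    """Hub-and-spoke join: source provision -> ISO controls -> destination
    provisions that share at least one of those controls.

    Returns {dst_provision: shared_controls}. One shared control is enough to
    be listed, which is exactly the over-inclusive behaviour the post describes:
    "APP placeholder X" below is pulled in on the strength of a single control.
    """
    hub = mapping[src_law][src_provision]
    hits = {}
    for provision, controls in mapping[dst_law].items():
        shared = hub & controls
        if shared:
            hits[provision] = shared
    return hits


def rank_matches(hits, hub_size):
    """Order candidates by the share of the source obligation's controls they
    cover, so a reviewer can tell a near-complete counterpart (coverage 1.0)
    from an incidental overlap before reading the statute itself."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]) / hub_size, kv[0]))


if __name__ == "__main__":
    m = load_mapping(MAPPING_CSV)
    source = ("PDPA", "Transfer Limitation Obligation")
    hits = map_across(m, source[0], source[1], "APP")
    for provision, shared in rank_matches(hits, len(m[source[0]][source[1]])):
        print(f"{provision}: shares {sorted(shared)}")
```

The ranking step is the compass reading: a full-coverage match like APP 5.2(j) is worth opening first, while a one-control overlap is a prompt to check the text, not a conclusion. Storing the rows as CSV also means a pull request that adds a jurisdiction shows up as a handful of added lines rather than an opaque binary change.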

So did you find this tool useful? Are there other ways you can use a tool that maps privacy laws around the world? Feel free to comment to let me know!