
Consent and Compliance with the LFPDPPP: A Perspective Based on ISO/IEC 27701 and 27560

1. Introduction

In today’s digital age, the management of personal data is a cornerstone of trust and business legitimacy. Informed and verifiable consent serves as the indispensable legal basis for the lawful processing of this information. In Mexico, the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) establishes the legal framework for obtaining and managing consent. At the same time, at the international level, standards such as ISO/IEC 27701 and the recent ISO/IEC TS 27560 complement and strengthen this framework. This article aims to analyze the convergence of these regulations and propose best practices for robust and efficient consent management.

2. Legal and Regulatory Basis

To understand the importance of harmonizing these frameworks, it is essential to analyze their individual foundations and the specific features each one brings to consent management.

2.1. LFPDPPP: The Mexican Legal Framework

The LFPDPPP is the cornerstone of personal data protection in Mexico for the private sector. With regard to consent, this law is clear and strict:

  • Verifiable prerequisite: The law establishes that, with very specific exceptions, the processing of personal data requires the consent of the data subject. This consent must be informed, freely given, specific, and verifiable, which means that organizations must be able to demonstrate that it was obtained lawfully.
  • Information: The law requires the data controller to provide a Privacy Notice that informs the data subject of the identity of the data controller, the purposes of the processing, the options and means available to limit the use or disclosure of their data, and how to exercise their ARCO rights (access, rectification, cancellation, and opposition). The clarity and accessibility of this notice are key to obtaining informed consent.
  • Security measures and compliance documentation: The LFPDPPP requires the implementation of administrative, physical, and technical security measures to protect personal data. In addition, the data controller must document and demonstrate compliance with its obligations, which includes the proper management of consent records.

2.2. ISO/IEC 27701: Privacy Management

ISO/IEC 27701:2019 is not a law, but an international standard that provides a framework for a privacy information management system (PIMS), extending the requirements of ISO/IEC 27001 (Information Security Management Systems, ISMS). The standard provides:

  • Specific privacy controls: It adds a set of detailed privacy controls, including controls on obtaining and recording consent.
  • Definition of roles and responsibilities: The standard emphasizes the importance of establishing clear roles and responsibilities within the organization regarding the protection of personal data, including those responsible for obtaining and managing consent.

2.3. ISO/IEC TS 27560: The Structure of Consent

ISO/IEC TS 27560:2023 is a technical specification that focuses on the informational structure of consent records and receipts issued to the data subject. Its primary objective is to improve the interoperability and traceability of consent through a standardized format.

  • Improved traceability and interoperability: By standardizing the structure of the consent record, it becomes easier to exchange consent information between different systems and organizations, which is crucial in ecosystems where multiple companies interact. It also enables more efficient auditing and better demonstration of compliance.
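The two points above, a consent record that the controller can later prove was obtained (section 2.1) and a standardized, traceable record structure (section 2.3), can be illustrated with a small tamper-evident consent ledger. The following Python is an added example, not code from the article or from ISO/IEC TS 27560 itself: the field names (`pii_principal_id`, `privacy_notice`, `purposes`, `status`, `event_time`, `previous_hash`, `record_hash`) are assumptions chosen to mirror the kind of information a Privacy Notice and a consent record carry, not the specification's actual schema. Each event is serialized deterministically, hashed with SHA-256 and linked to the previous record, so an auditor can recompute the chain and any silent edit to a stored consent (for example, adding a purpose the data subject never agreed to) is detected.

```python
"""Tamper-evident consent records and receipts (added illustration).

Field names are assumptions, not the ISO/IEC TS 27560 schema; the sample
events in demo_ledger() are constructed for the example.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64  # constructed anchor the first record links to


def canonical(obj) -> str:
    """Deterministic JSON so the same record always yields the same hash."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def record_digest(record: dict) -> str:
    """Hash every field of the record except the digest itself."""
    return sha256_hex(canonical({k: v for k, v in record.items() if k != "record_hash"}))


class ConsentLedger:
    """Append-only consent events, each hashed and linked to its predecessor."""

    def __init__(self):
        self.records = []

    def append(self, pii_principal_id, controller, purposes, notice_id,
               notice_version, status, event_time=None):
        if status not in ("given", "withdrawn"):
            raise ValueError("status must be 'given' or 'withdrawn'")
        previous = self.records[-1]["record_hash"] if self.records else GENESIS_HASH
        record = {
            "record_id": len(self.records) + 1,
            "pii_principal_id": pii_principal_id,
            "controller": controller,                # identity of the data controller
            "purposes": sorted(set(purposes)),       # specific purposes covered
            "privacy_notice": {"id": notice_id, "version": notice_version},
            "status": status,
            "event_time": event_time or datetime.now(timezone.utc).isoformat(),
            "previous_hash": previous,               # link to the prior event
        }
        record["record_hash"] = record_digest(record)
        self.records.append(record)
        return record["record_hash"]

    def verify(self) -> bool:
        """Recompute every digest and check the chain; False on any tampering."""
        expected_previous = GENESIS_HASH
        for rec in self.records:
            if rec["previous_hash"] != expected_previous:
                return False
            if record_digest(rec) != rec["record_hash"]:
                return False
            expected_previous = rec["record_hash"]
        return True

    def active_purposes(self, pii_principal_id) -> set:
        """Purposes the data subject currently consents to, replaying events in order."""
        active = set()
        for rec in self.records:
            if rec["pii_principal_id"] != pii_principal_id:
                continue
            if rec["status"] == "given":
                active |= set(rec["purposes"])
            else:
                active -= set(rec["purposes"])
        return active

    def receipt(self, record_id) -> dict:
        """Copy handed to the data subject; the hash lets them check it later."""
        rec = self.records[record_id - 1]
        keep = ("record_id", "pii_principal_id", "controller", "purposes",
                "privacy_notice", "status", "event_time", "record_hash")
        return json.loads(json.dumps({k: rec[k] for k in keep}))


def demo_ledger() -> ConsentLedger:
    """Constructed sample events: consent given, then marketing withdrawn."""
    ledger = ConsentLedger()
    ledger.append("subject-0001", "Example Controller S.A. de C.V.",
                  ["service_delivery", "marketing"], "AP-2024", "3",
                  "given", "2024-05-01T10:00:00+00:00")
    ledger.append("subject-0001", "Example Controller S.A. de C.V.",
                  ["marketing"], "AP-2024", "3",
                  "withdrawn", "2024-06-15T09:30:00+00:00")
    return ledger


def tampered_ledger() -> ConsentLedger:
    """Same ledger after someone silently adds a purpose to the first record."""
    ledger = demo_ledger()
    ledger.records[0]["purposes"].append("profiling")
    return ledger


if __name__ == "__main__":
    ledger = demo_ledger()
    print("chain valid:", ledger.verify())
    print("active purposes:", sorted(ledger.active_purposes("subject-0001")))
    print("receipt:", json.dumps(ledger.receipt(1), indent=2))
    print("tampered chain valid:", tampered_ledger().verify())
```

Withdrawal is stored as a new event rather than by editing the original record, which preserves the history the LFPDPPP's "verifiable" requirement calls for; the receipt returned to the data subject carries the same `record_hash` the controller stores, so both sides hold evidence of the same consent. In a real deployment the digest would be signed with a controller key and the chain anchored in an external log, which this example omits.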

Continue reading in the second part of this article, where we will explore the synergies between these frameworks and practical recommendations for their implementation.