1. Introduction
Following on from the first part of this article, we will explore how the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP), the ISO/IEC 27701 standard, and the ISO/IEC TS 27560 technical specification not only coexist but also reinforce one another to enable more robust consent management. We will analyze their points of connection and offer practical recommendations for their implementation in organizational settings.
2. Synergies for Compliance
The true strength of these frameworks lies in their critical connection points, where they reinforce one another to build a robust consent management system.
2.1. Consent as a Unified Legal Basis
The three frameworks share the premise that consent is an essential legal basis for the processing of personal data, especially for data that does not fall under other legitimate bases (e.g., contract, legitimate interest).
- The LFPDPPP establishes the fundamental legal requirement.
- ISO/IEC 27701 provides management controls to ensure that this requirement is consistently met.
- ISO/IEC TS 27560 adds a layer of detail by specifying a structured information model for recording consent. This includes, for example, a unique identifier for each instance of consent.
2.2. Information and Security Measures as Mechanisms for Accountability
Information and security measures are essential for effective accountability.
- The LFPDPPP requires that a clear and comprehensive Privacy Notice be made available.
- ISO/IEC 27701 and ISO/IEC TS 27560 take this a step further by requiring organizations to document and retain the exact versions of the privacy notices that were presented to the data subject at the time consent was obtained.
This is fully in line with the accountability principle of the LFPDPPP, which requires data controllers to demonstrate that they have taken the necessary measures to protect personal data.
2.3. Rights of the Data Subject and the “Consent Receipt”
The exercise of data subjects' rights is a central pillar of personal data protection.
- The LFPDPPP refers to these as ARCO rights.
- ISO/IEC TS 27560 formalizes the concept of a “consent receipt.” This mechanism allows the data subject to retain a verifiable and structured copy of the consent they have provided, including its essential details. The receipt serves as evidence for the data subject and, because it is a clear and verifiable record of the consent given, it also facilitates the exercise of ARCO rights by streamlining requests for access, rectification, or revocation.
2.4. Security, Integrity, and Preservation
Safeguarding the consent record itself is just as important as obtaining consent in the first place.
- ISO/IEC TS 27560 requires integrity controls for consent records, using unique identifiers and information structure models that make them difficult to alter. This ensures that any modification of a consent record after it has been obtained can be detected.
- ISO/IEC 27701 complements this by providing robust technical and governance controls for information security.
- The LFPDPPP establishes the obligation to implement security measures for personal data, and this, by extension, includes the protection of consent records. Proper retention of these records is essential for demonstrating compliance over time.
3. Harmonization of Frameworks: Practical Recommendations for Implementation
The integration of the LFPDPPP, ISO/IEC 27701, and ISO/IEC TS 27560 requires a systematic approach and the implementation of specific practices. Below are some key recommendations for achieving this harmonization:
✔️ Implement structures in accordance with ISO/IEC TS 27560: Organizations must align their consent record systems with the sections and fields required by ISO/IEC TS 27560. This standardization not only improves traceability but also facilitates interoperability with other platforms or services.
✔️ Versioning notices and documenting their presentation: It is essential to maintain a detailed record of all versions of the Privacy Notice that were made available. Each consent record must include a precise reference to the exact version of the Privacy Notice that was accepted by the data subject, as well as the date, time, channel, and method of acceptance (e.g., clicking a checkbox, electronic signature).
✔️ Issue consent receipts to data subjects: Develop or adapt systems to issue “consent receipts” to data subjects, following the structure and content defined by ISO/IEC TS 27560. These receipts must be easily accessible and verifiable by the data subject, serving as evidence of their consent and facilitating the exercise of their ARCO rights.
✔️ Verify the integrity and traceability of records: Establish procedures to periodically validate that stored consent records maintain their integrity and validity and comply with their defined structures.
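The four recommendations above can be exercised together in code. The following is an added example, not code from the article or from the ISO/IEC standards: the field names, the HMAC-based integrity tag, and the notice registry are assumptions chosen for illustration, not the normative ISO/IEC TS 27560 schema. It issues a consent record that references the exact Privacy Notice version, timestamp, channel, and method, derives a subject-facing receipt from it, and verifies that a stored record has not been altered.

```python
import hmac, hashlib, json, uuid
from datetime import datetime, timezone

# Constructed demo key: in production this belongs in a KMS/HSM, never in source.
INTEGRITY_KEY = b"demo-key-not-for-production"

# Constructed registry: notice version -> SHA-256 of the exact text shown to the subject.
# Retaining the presented text is what lets the accepted notice be reproduced later.
NOTICE_VERSIONS = {
    "v2.3": hashlib.sha256(b"Privacy Notice text as shown to the data subject, v2.3").hexdigest(),
}

def _canonical(record: dict) -> bytes:
    # Deterministic serialization (sorted keys, no whitespace) so the MAC is stable across systems.
    body = {k: v for k, v in record.items() if k != "integrity"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def issue_consent_record(subject_id, purposes, notice_version, channel, method, key=INTEGRITY_KEY):
    """Build a structured consent record and seal it with an HMAC-SHA256 integrity tag."""
    if notice_version not in NOTICE_VERSIONS:
        raise ValueError(f"unknown Privacy Notice version {notice_version}")
    record = {
        "consent_id": str(uuid.uuid4()),            # unique identifier per consent instance
        "subject_id": subject_id,
        "purposes": sorted(purposes),
        "notice_version": notice_version,            # exact version accepted by the subject
        "notice_hash": NOTICE_VERSIONS[notice_version],
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "channel": channel,                          # e.g. "web", "mobile-app", "branch"
        "method": method,                            # e.g. "checkbox", "e-signature"
        "status": "given",
    }
    record["integrity"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record

def verify_consent_record(record, key=INTEGRITY_KEY) -> bool:
    """True only if the record is intact and its notice reference matches the retained notice."""
    expected = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(record.get("integrity", ""), expected):
        return False  # any field edited after issuance changes the MAC
    return NOTICE_VERSIONS.get(record["notice_version"]) == record["notice_hash"]

def consent_receipt(record) -> dict:
    """Subject-facing copy: the essential facts plus the integrity tag for independent checking."""
    fields = ("consent_id", "purposes", "notice_version", "timestamp", "channel", "method", "integrity")
    return {k: record[k] for k in fields}
```

Running `verify_consent_record` over the stored records on a schedule is one way to implement the periodic integrity validation recommended above; a record that fails the check is evidence to investigate, not to silently repair.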
4. Conclusions
The convergence of the LFPDPPP, the ISO/IEC 27701 standard, and the ISO/IEC TS 27560 technical specification offers a unique opportunity to enhance the maturity of consent management within organizations. By integrating these frameworks, companies can go beyond mere legal compliance and adopt a proactive approach to privacy.
Ultimately, integrating these frameworks is not only a recommended practice from a technical or regulatory standpoint, but also a fundamental strategy for governance and transparency.
References:
- Federal Law on the Protection of Personal Data Held by Private Parties (Mexico).
- ISO/IEC 27701:2019, Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management.
- ISO/IEC TS 27560:2023, Privacy technologies — Information structure for consent records.