How to Demonstrate Compliance With GDPR Article 5

Principles Relating to Processing of Personal Data


Of all the GDPR articles, Article 5 carries the most material that needs to be considered from an ISO 27001/27701 perspective.

Article 5 can largely be viewed as a set of underlying principles that flow through the entirety of both the UK and EU legislation, encompassing numerous different areas of compliance, including:

  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality.
  • Accountability.

Organisations need to be fully conversant with Article 5, in order to better understand the subtle nuances that GDPR presents across other areas of the legislation.

GDPR Article 5 Legal Text

UK and EU GDPR Versions

Principles Relating to Processing of Personal Data

  1. Personal data shall be:
    • (a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
    • (b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
    • (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    • (d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    • (e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
    • (f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

  2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

Technical Commentary

From a technical perspective, Article 5 largely provides the legal framework within which organisations should operate, in order to remain compliant, across six guiding principles. The first five are summarised below; the sixth, integrity and confidentiality (Article 5(1)(f)), is the principle that most of the ISO 27701 clause mappings later on this page address:

Lawfulness, Fairness and Transparency

Although incredibly vague, ‘fairness’ is an overarching requirement of the GDPR, and serves as an interpretive tool for situations that may not violate the letter of the law but are clearly not ‘fair’ from the perspective of an individual and their rights.

‘Transparency’ requires that the data subject is made aware of how their data is processed. Information provided to the data subject must be delivered within a reasonable timeframe, be easily accessible, and be written in clear and plain language (see Article 12).

Purpose Limitation

GDPR Article 5 states that personal data should be collected only for specified, explicit and legitimate purposes, and should not be re-appropriated for any purpose that is incompatible with what was originally intended (further processing for public-interest archiving, research or statistical purposes under Article 89(1) is expressly treated as compatible).

Data Minimisation

Data minimisation under GDPR Article 5 turns on two terms, ‘processing’ and ‘purpose’. Essentially, organisations need to ensure that the personal data they process is limited to the minimum that is adequate, relevant and necessary to fulfil the purpose for which it was collected.

Accuracy

Data should be kept accurate and, where necessary, up to date. If data is found to be inaccurate, Article 5 requires that organisations take ‘every reasonable step’ to erase or rectify it without delay. All-in-all, individuals need to be properly represented by the data that’s held on them, so that any decisions made about them are not based on a false impression of who they are.

Storage Limitation

Organisations need to be mindful of the fact that processing operations should not go on forever. Once the purpose for which data was collected has been fulfilled, the data should be erased or anonymised so that individuals can no longer be identified from it. To achieve this, organisations should define retention periods for each category of data before processing begins, and have a mechanism that enforces them.
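As an added illustration of how a defined retention period is turned into something enforceable (this is example code, not part of the original page or of any ISMS.online product), the following Python sweeps a set of records against a per-purpose schedule. The purposes, periods and sample records are constructed for the example; the two edge cases a practitioner has to handle are a record under legal hold (expired, but must not be erased) and a record whose purpose has no schedule at all (which is itself a gap against Article 5(1)(e), so it is flagged for review rather than silently kept).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Retention schedule keyed by processing purpose. The purposes and periods
# below are constructed for this example; real values come from the record
# of processing activities and from the laws that apply to each purpose.
RETENTION_DAYS = {
    "order_fulfilment": 365 * 6,  # assumed: accounting records period
    "marketing": 365 * 2,         # assumed: stale-consent horizon
    "support_ticket": 365,        # assumed
}


@dataclass(frozen=True)
class Record:
    record_id: str
    purpose: str
    collected_on: date
    legal_hold: bool = False  # litigation hold blocks erasure, not expiry


def retention_action(rec: Record, today: date) -> str:
    """Decide what the schedule requires for one record.

    Returns one of:
      'keep'   - still within the period defined for its purpose
      'erase'  - period has passed; erase or anonymise
      'hold'   - period has passed but a legal hold forbids erasure;
                 quarantine it and stop using it for the original purpose
      'review' - no period defined for this purpose; that is a gap
                 against Article 5(1)(e) and must be fixed, not ignored
    """
    days = RETENTION_DAYS.get(rec.purpose)
    if days is None:
        return "review"
    if today <= rec.collected_on + timedelta(days=days):
        return "keep"
    return "hold" if rec.legal_hold else "erase"


def sweep(records, today: date) -> dict:
    """Group record ids by required action: the 'erase' list is what an
    erasure job consumes, the 'review' list is what goes to the DPO."""
    out = {"keep": [], "erase": [], "hold": [], "review": []}
    for rec in records:
        out[retention_action(rec, today)].append(rec.record_id)
    return out


# Constructed sample data for the example.
SAMPLE_RECORDS = [
    Record("r1", "order_fulfilment", date(2020, 1, 1)),
    Record("r2", "marketing", date(2021, 1, 1)),
    Record("r3", "marketing", date(2021, 1, 1), legal_hold=True),
    Record("r4", "analytics", date(2019, 1, 1)),  # no schedule defined
]

if __name__ == "__main__":
    # -> {'keep': ['r1'], 'erase': ['r2'], 'hold': ['r3'], 'review': ['r4']}
    print(sweep(SAMPLE_RECORDS, date(2024, 6, 1)))
```

The sweep is deliberately an allow-list: a purpose that nobody has assigned a period to is surfaced, because "we never got round to defining it" is exactly the state the storage limitation principle forbids.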


Information Transfer

ISO 27701 Clause 6.10.2.1 (Information Transfer Policies and Procedures) and EU GDPR Article 5 (1)(f)

Information transfer operations should:

  • Focus on controls that prevent the interception, unauthorized access, copying, modification, misrouting, destruction and denial of service of PII and privacy-related information (see ISO 27002 Control 8.24).
  • Ensure that information is traceable.
  • Maintain a list of relevant contacts, i.e. information owners, risk owners etc.
  • Outline responsibilities in the event of a security incident.
  • Include clear and concise labelling systems (see ISO 27002 Control 5.13).
  • Ensure a reliable transfer facility, including topic-specific policies on the transfer of data (see ISO 27002 Control 5.10).
  • Outline retention and disposal guidelines, including any region or sector-specific laws and guidelines.

Electronic Transfer

When utilising electronic transfer facilities, organisations should:

  1. Attempt to detect and protect against malicious programs (see ISO 27002 Control 8.7).
  2. Focus on protecting attachments.
  3. Take great care in sending information to the correct address.
  4. Mandate an approvals process before employees are able to transmit information via ‘external public services’ (e.g. instant messaging), and exercise greater control over such methods.
  5. Avoid using SMS services and fax machines, where possible.

Physical Transfers (Including Storage Media)

When transferring physical media (including paper documents) between premises or external locations, organisations should:

  • Outline clear responsibilities for despatch and receipt.
  • Take great care inputting the correct address details.
  • Use packaging that offers protection from physical damage or tampering.
  • Operate with a list of authorised couriers and third party despatchers, including robust identification standards.
  • Keep thorough logs of all physical transfers, including recipient details, dates and times of transfers, and any physical protection measures.

Verbal Transfers

Verbally conveying sensitive information presents a unique security risk, particularly where PII and privacy protection is concerned.

Organisations should remind employees to:

  1. Avoid having such conversations in a public place, or unsecured internal location.
  2. Avoid leaving voicemail messages that contain sensitive or restricted information.
  3. Ensure that the person they are speaking to is of an appropriate level to receive said information, and inform them of what is going to be said prior to divulging information.
  4. Be mindful of their surroundings and ensure that room controls are adhered to.

Additional UK GDPR Considerations

  • Article 5 – (1)(f)

Supporting ISO 27002 Controls

  • ISO 27002 5.13
  • ISO 27002 8.7
  • ISO 27002 8.24

ISO 27701 Clause 6.10.2.4 (Confidentiality or Non-disclosure Agreements) and EU GDPR Article 5 (1)

Organisations should utilise non-disclosure agreements (NDAs) and confidentiality agreements to protect against the wilful or accidental divulgence of sensitive information to unauthorised personnel.

When drafting, implementing and maintaining such agreements, organisations should:

  • Define the information that is to be protected.
  • Clearly outline the expected duration of the agreement.
  • Clearly state any required actions once an agreement has been terminated.
  • State the responsibilities accepted by each signatory.
  • State the ownership of information (including IP and trade secrets).
  • State how signatories are allowed to use the information.
  • Clearly outline the organisation’s right to monitor confidential information.
  • State the repercussions that will arise from non-compliance.
  • Regularly review their confidentiality needs, and adjust any future agreements accordingly.

Confidentiality laws vary from jurisdiction to jurisdiction, and organisations should consider their own legal and regulatory obligations when drafting NDAs and confidentiality agreements (see ISO 27002 Controls 5.31, 5.32, 5.33 and 5.34).

Supporting ISO 27002 Controls

  • ISO 27002 5.31
  • ISO 27002 5.32
  • ISO 27002 5.33
  • ISO 27002 5.34

System Acquisition Development & Maintenance

ISO 27701 Clause 6.11.1.2 (Securing Application Services on Public Networks) and EU GDPR Article 5 (1)(f)

Application security procedures should be developed alongside broader privacy protection policies, usually via a structured risk assessment that takes into account multiple variables.

Application security requirements should include:

  1. The levels of trust inherent within all network entities (see ISO 27002 Controls 5.17, 8.2 and 8.5).
  2. The classification of data that the application is configured to process (including PII).
  3. Any segregation requirements.
  4. Protection against internal and external attacks, and/or malicious use.
  5. Any prevailing legal, contractual or regulatory requirements.
  6. Robust protection of confidential information.
  7. Data that is to be protected in-transit.
  8. Any cryptographic requirements.
  9. Secure input and output controls.
  10. Minimal use of unrestricted input fields – especially those that have the potential to store personal data.
  11. The handling of error messages, including clear communication of error codes to users without exposing internal detail that would help an attacker.

Transactional Services

Transactional services that facilitate the flow of privacy data between the organisation and a third party organisation, or partner organisation, should:

  • Establish a suitable level of trust between organisational identities.
  • Include mechanisms that check for trust between established identities (e.g. hashing and digital signatures).
  • Outline robust procedures that govern which employees are able to manage key transactional documents.
  • Contain document and transactional management procedures that cover the confidentiality, integrity, proof of dispatch and receipt of key documents and transactions.
  • Include specific guidance on how to keep transactions confidential.

Electronic Ordering and Payment Applications

For any applications that involve electronic ordering and/or payment, organisations should:

  • Outline strict requirements for the protection of payment and ordering data.
  • Verify payment information before an order is placed.
  • Securely store transactional and privacy-related data in a way that is inaccessible to the public.
  • Use trusted authorities when implementing digital signatures, with privacy protection in mind at all times.

Supporting ISO 27002 Controls

  • ISO 27002 5.17
  • ISO 27002 8.2
  • ISO 27002 8.5


ISO 27701 Clause 6.11.3.1 (Protection of Test Data) and EU GDPR Article 5 (1)(f)

Organisations should carefully select test data to ensure that testing activity is both reliable, and secure. Organisations should pay extra attention to ensuring that PII is not copied into the development and testing environments.

In order to protect operational data throughout testing activities, organisations should:

  1. Apply the same access control procedures across testing and operational environments.
  2. Ensure that authorisation is required every time operational data is copied to a test environment.
  3. Log the copying and use of operational data.
  4. Safeguard privacy information through techniques such as masking (see ISO 27002 Control 8.11).
  5. Remove operational data from a testing environment once it’s no longer needed (see ISO 27002 Control 8.10).
  6. Securely store test data, and ensure that employees are aware that it is only to be used for testing purposes.
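Point 4 above (masking, ISO 27002 8.11) is the one most often done badly: plain SHA-256 of an email address is trivially reversed by hashing guessed addresses, and ad-hoc scrubbing misses columns added later. The following Python is an added example, not code from the original page or from ISMS.online, of a masking step that a copy job would run before operational rows reach a test environment. The key, column names and sample rows are all constructed for the example; the pseudonymisation is a keyed HMAC so that the same customer maps to the same token (referential integrity survives) while the token cannot be reversed or brute-forced without the key, and columns are copied by allow-list so a new PII column in production is dropped by default.

```python
import hashlib
import hmac
import re

# Assumed: a secret held outside the test environment (e.g. in the copy
# job's own secret store). With a keyed hash, someone holding the masked
# test database cannot re-identify people by hashing guessed inputs.
PSEUDONYM_KEY = b"rotate-me-and-keep-out-of-test"  # constructed for the example

EMAIL_RE = re.compile(r"^[^@]+@([^@]+)$")


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic pseudonym: same input -> same token, so joins between
    masked tables still work, but the token is one-way without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keep the domain (useful for routing/format tests), replace the
    local part with a pseudonym."""
    m = EMAIL_RE.match(email)
    if not m:
        return pseudonymise(email, key) + "@invalid.example"
    return f"user-{pseudonymise(email, key)}@{m.group(1)}"


def generalise_dob(dob_iso: str) -> str:
    """Reduce YYYY-MM-DD to YYYY: enough for age-bucket tests, too coarse
    to single out an individual on its own."""
    return dob_iso[:4]


# Allow-list of columns that may reach test, and how each is treated.
# Anything not listed (e.g. a 'phone' column) is dropped, not copied.
COLUMN_RULES = {
    "customer_id": pseudonymise,
    "email": mask_email,
    "date_of_birth": generalise_dob,
    "plan": lambda v: v,  # non-personal, copied unchanged
}


def mask_row(row: dict) -> dict:
    return {col: fn(row[col]) for col, fn in COLUMN_RULES.items() if col in row}


def mask_rows(rows):
    return [mask_row(r) for r in rows]


def leaks_original(masked_rows, original_rows) -> bool:
    """Gate run before the copy is released to test: no original email or
    customer id may appear anywhere in the masked output."""
    secrets = {r["email"] for r in original_rows} | {r["customer_id"] for r in original_rows}
    blob = "\n".join(str(v) for r in masked_rows for v in r.values())
    return any(s in blob for s in secrets)


# Constructed sample rows standing in for an operational customer table.
SAMPLE_ROWS = [
    {"customer_id": "C1001", "email": "alice@example.com",
     "date_of_birth": "1987-04-12", "plan": "pro", "phone": "+44 7700 900123"},
    {"customer_id": "C1002", "email": "bob@example.org",
     "date_of_birth": "1990-11-30", "plan": "free", "phone": "+44 7700 900456"},
    {"customer_id": "C1001", "email": "alice@example.com",
     "date_of_birth": "1987-04-12", "plan": "pro", "phone": "+44 7700 900123"},
]

if __name__ == "__main__":
    masked = mask_rows(SAMPLE_ROWS)
    for r in masked:
        print(r)
    print("leaks original PII:", leaks_original(masked, SAMPLE_ROWS))
```

Two design points: the masking key must never itself be deployed to the test environment (otherwise the pseudonyms are reversible by anyone with test access), and the `leaks_original` gate is what gives you the documented evidence, required by points 2 and 3 above, that a given copy was checked before release.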

Supporting ISO 27002 Controls

  • ISO 27002 8.10
  • ISO 27002 8.11

Supplier Relationships

ISO 27701 Clause 6.12.1.2 (Addressing Security Within Supplier Agreements) and EU GDPR Article 5 (1)(f)

When addressing security within supplier relationships, organisations should ensure that both parties are aware of their obligations towards privacy information security, and one another.

In doing so, organisations should:

  • Offer a clear description that details the privacy information that needs to be accessed, and how that information is going to be accessed.
  • Classify the privacy information to be accessed in accordance with an accepted classification scheme (see ISO 27002 Controls 5.10, 5.12 and 5.13).
  • Give adequate consideration to the supplier’s own classification scheme.
  • Categorise rights into four main areas – legal, statutory, regulatory and contractual – with a detailed description of obligations per area.
  • Ensure that each party is obligated to enact a series of controls that monitor, assess and manage privacy information security risk levels.
  • Outline the need for supplier personnel to adhere to an organisation’s information security standards (see ISO 27002 Control 5.20).
  • Facilitate a clear understanding of what constitutes both acceptable and unacceptable use of privacy information, and physical and virtual assets from either party.
  • Enact authorisation controls that are required for supplier-side personnel to access or view an organisation’s privacy information.
  • Give consideration to what occurs in the event of a breach of contract, or any failure to adhere to individual stipulations.
  • Outline an Incident Management procedure, including how major events are communicated.
  • Ensure that personnel are given security awareness training.
  • (If the supplier is permitted to use subcontractors) add in requirements to ensure that subcontractors are aligned with the same set of privacy information security standards as the supplier.
  • Consider how supplier personnel are screened prior to interacting with privacy information.
  • Stipulate the need for third-party attestations that address the supplier’s ability to fulfil organisational privacy information security requirements.
  • Have the contractual right to audit a supplier’s procedures.
  • Require suppliers to deliver reports that detail the effectiveness of their own processes and procedures.
  • Focus on taking steps to effect the timely and thorough resolution of any defects or conflicts.
  • Ensure that suppliers operate with an adequate backup and disaster recovery (BUDR) policy, to protect the integrity and availability of PII and privacy-related assets.
  • Require a supplier-side change management policy that informs the organisation of any changes that have the potential to impact privacy protection.
  • Implement physical security controls that are proportional to the sensitivity of the data being stored and processed.
  • (Where data is to be transferred) ask suppliers to ensure that data and assets are protected from loss, damage or corruption.
  • Outline a list of actions to be taken by either party in the event of termination.
  • Ask the supplier to outline how they intend to destroy privacy information following termination, or once the data is no longer required.
  • Take steps to ensure minimal business interruption during a handover period.

Organisations should also maintain a register of agreements, that lists all agreements held with other organisations.

Supporting ISO 27002 Controls

  • ISO 27002 5.10
  • ISO 27002 5.12
  • ISO 27002 5.13
  • ISO 27002 5.20

Information Security Incident Management & Compliance

ISO 27701 Clause 6.13.1.1 (Responsibilities and Procedures) and EU GDPR Article 5 (1)(f)

Roles and Responsibilities

In order to create a cohesive, highly functioning incident management policy that safeguards the availability and integrity of privacy information during critical incidents, organisations should:

  • Adhere to a method for reporting privacy information security events.
  • Establish a series of processes that manage privacy information security-related incidents across the business, including:
    • Administration.
    • Documentation.
    • Detection.
    • Triage.
    • Prioritisation.
    • Analysis.
    • Communication.

  • Draft an incident response procedure that enables the organisation to assess, respond to and learn from incidents.
  • Ensure that incidents are managed by trained and competent personnel who benefit from ongoing workplace training and certification programmes.

Incident Management

Staff involved in privacy information security incidents should understand:

  1. The time it should take to resolve an incident.
  2. Any potential consequences.
  3. The severity of the incident.

When dealing with privacy information security events, staff should:

  • Assess events against strict criteria that determine whether they qualify as incidents.
  • Manage privacy information security events across five stages:
    • Monitoring (see ISO 27002 Controls 8.15 and 8.16).
    • Detection (see ISO 27002 Control 8.16).
    • Classification (see ISO 27002 Control 5.25).
    • Analysis.
    • Reporting (see ISO 27002 Control 6.8).

  • When resolving privacy information security incidents, organisations should:
    • Respond to and escalate issues (see ISO 27002 Control 5.26) in accordance with the type of incident.
    • Activate crisis management and business continuity plans.
    • Effect a managed recovery from an incident that mitigates operational and/or financial damage.
    • Ensure thorough communication of incident-related events to all relevant personnel.

  • Engage in collaborative working (see ISO 27002 Controls 5.5 and 5.6).
  • Log all incident management activities.
  • Be responsible for the handling of incident-related evidence (see ISO 27002 Control 5.28).
  • Undertake a thorough root cause analysis, to minimise the risk of the incident happening again, including suggested amendments to any processes.

Reporting activities should be centred around 4 key areas:

  1. Actions that need to be taken once an information security event occurs.
  2. Incident forms that record information throughout an incident.
  3. End-to-end feedback processes to all relevant personnel.
  4. Incident reports that detail what’s occurred once an incident has been resolved.

Supporting ISO 27002 Controls

  • ISO 27002 5.25
  • ISO 27002 5.26
  • ISO 27002 5.5
  • ISO 27002 5.6
  • ISO 27002 6.8
  • ISO 27002 8.15
  • ISO 27002 8.16


ISO 27701 Clause 6.15.1.1 (Identification of Applicable Legislation and Contractual Requirements) and EU GDPR Article 5 (1)(f)

Organisations should conform to legal, statutory, regulatory and contractual requirements when:

  • Drafting and/or amending privacy information security procedures.
  • Categorising information.
  • Embarking upon risk assessments relating to privacy information security activities.
  • Forging supplier relationships, including any contractual obligations throughout the supply chain.

Legislative and Regulatory Factors

Organisations should follow procedures that allow them to identify, analyse and understand legislative and regulatory obligations – especially those that are concerned with privacy protection and PII – wherever they operate.

Organisations should be continually mindful of their privacy protection obligations whenever entering into new agreements with third-parties, suppliers and contractors.

Cryptography

When deploying cryptography to bolster privacy protection and safeguard PII, organisations should:

  1. Observe any laws that govern the import and export of hardware or software that has the potential to fulfil a cryptographic function.
  2. Understand any legal requirement to provide authorities with access to encrypted information in the jurisdictions they operate within.
  3. Observe the legal recognition and evidential validity, in each jurisdiction, of the three cryptographic mechanisms most often relied on for privacy-related transactions:
    • Digital signatures.
    • Seals.
    • Digital certificates.

Supporting ISO 27002 Controls

  • ISO 27002 5.20

ISO 27701 Clause 6.15.1.3 (Protection of Records) and EU GDPR Article 5 (2)

Organisations should consider record management across 4 key areas:

  1. Authenticity.
  2. Reliability.
  3. Integrity.
  4. Usability.

To maintain a functional records system that safeguards PII and privacy-related information, organisations should:

  • Publish guidelines that deal with:
    • Storage.
    • Handling (chain of custody).
    • Disposal.
    • Preventing manipulation.

  • Outline how long each record type should be retained.
  • Observe any laws that deal with record keeping.
  • Adhere to customer expectations in how organisations should handle their records.
  • Destroy records once they’re no longer required.
  • Classify records based on their security risk, e.g:
    • Accounting.
    • Business transactions.
    • Personnel records.
    • Legal.

  • Ensure that they are able to retrieve records within an acceptable period of time, if asked to do so by a third party or law enforcement agency.
  • Always adhere to manufacturer guidelines when storing or handling records on electronic media sources.
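Article 5(2) requires the controller to be able to demonstrate compliance, and the "preventing manipulation" and "integrity" points above are what make the records used for that demonstration believable. The following Python is an added example, not code from the original page or from ISMS.online, of a tamper-evident record log: each entry commits to the hash of the previous one, so an edit, reorder or insertion anywhere in the history breaks every later hash. The record types, subjects and actors are constructed for the example. The caveat a practitioner needs is also shown: a hash chain alone cannot detect truncation of its tail, so the latest hash has to be anchored somewhere the log's custodian cannot rewrite.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # chain anchor for the first entry


def _digest(prev_hash: str, entry: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the same record always
    # produces the same hash regardless of how the dict was built.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class RecordLog:
    """Append-only log of record-management events (creation, rectification,
    access, disposal). Each entry commits to the hash of the previous one,
    so editing, reordering or inserting an earlier entry breaks every later
    hash."""

    def __init__(self):
        self.entries = []  # list of (entry_dict, entry_hash)

    def append(self, record_type, subject_ref, action, actor, ts=None) -> str:
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "type": record_type,     # accounting, personnel, legal, ...
            "subject": subject_ref,  # an opaque reference, never the PII itself
            "action": action,
            "actor": actor,
        }
        prev = self.entries[-1][1] if self.entries else GENESIS
        h = _digest(prev, entry)
        self.entries.append((entry, h))
        return h

    def head(self) -> str:
        """Latest hash. Record this somewhere the log's custodian cannot
        silently rewrite (a signed statement, a separate system, a printed
        register): a hash chain alone cannot detect truncation of its tail."""
        return self.entries[-1][1] if self.entries else GENESIS

    def verify(self, expected_head=None):
        """Recompute the chain from genesis. Returns (True, None) if intact,
        otherwise (False, seq) where seq is the first entry that fails, or
        the entry count if the chain is intact but does not end at the
        externally anchored head (i.e. entries were removed from the tail)."""
        prev = GENESIS
        for entry, h in self.entries:
            if _digest(prev, entry) != h:
                return False, entry["seq"]
            prev = h
        if expected_head is not None and prev != expected_head:
            return False, len(self.entries)
        return True, None


if __name__ == "__main__":
    log = RecordLog()
    log.append("personnel", "emp-42", "created", "hr-system")
    anchored = log.append("personnel", "emp-42", "rectified", "dsar-handler")
    print("intact:", log.verify(expected_head=anchored))
    log.entries[0][0]["action"] = "deleted"  # simulate an edit in place
    print("after tamper:", log.verify(expected_head=anchored))
```

Note that the log stores a reference to the subject, not the personal data itself; the integrity record must not become a second, unmanaged copy of the PII whose handling it documents, or it acquires its own retention and erasure obligations.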

Mobile Devices and Teleworking

ISO 27701 Clause 6.3.2.1 (Mobile Device Policies) and EU GDPR Article 5 (1)(f)

Organisations should implement topic-specific policies that deal with the different categories of endpoint devices and mobile device software versions in use, and describe how security controls should be tailored to each in order to improve data security.

An organisation’s mobile device policy, procedures and supporting security measures should take into account:

  • The different categories of data that the device can both process and store.
  • How devices are registered and identified on the network.
  • How devices are going to be physically protected.
  • Any limitations on applications and software installations.
  • Remote management, including updates and patches.
  • User access controls, including RBAC if required.
  • Encryption.
  • Antimalware countermeasures (managed or unmanaged).
  • Backup and disaster recovery (BUDR).
  • Browsing restrictions.
  • User analytics (see ISO 27002 Control 8.16).
  • The installation, use and remote management of removable storage devices or removable peripheral devices.
  • How to segregate data on the device, so that PII is partitioned off from standard device data (including the user’s personal data). This includes considering whether or not it is appropriate to store any kind of organisational data on the physical device, rather than using the device to provide online access to it.
  • What happens when a device is lost or stolen – i.e. addressing any legal, regulatory or contractual requirements, and dealing with the organisation’s insurers.

Individual User Responsibility

Everyone in the organisation who uses remote access needs to be made explicitly aware of any mobile device policy and procedures that apply to them within the context of secure endpoint device management.

Users should be instructed to:

  • Close any active working sessions when they’re no longer in use.
  • Implement physical and digital protection controls, as is required by the policy.
  • Be mindful of their physical surroundings – and the inherent security risks they contain – when accessing secure data using the device.

Bring Your Own Device (BYOD)

Organisations who allow personnel to use personally owned devices should also consider the following security controls:

  • Installing software on the device (including mobile phones) that assists in the separation of business and personal data.
  • Enforcing a BYOD policy that includes:
    • Acknowledgement of organisational ownership of PII.
    • Physical and digital protection measures (see above).
    • Remote deletion of data.
    • Any measures that ensure alignment with PII legislation and regulatory guidance.

  • IP rights, concerning company ownership of anything that has been produced on a personal device.
  • Organisational access to the device – either for privacy protection purposes, or to comply with an internal or external investigation.
  • EULAs and software licensing that may be affected by the use of commercial software on a privately owned device.

Wireless Configurations

When drafting procedures that deal with wireless connectivity on endpoint devices, organisations should:

  • Carefully consider how such devices should be allowed to connect to wireless networks for Internet access, for the purposes of safeguarding PII.
  • Ensure that wireless connections have sufficient capacity to facilitate backups or any other topic-specific functions.

Supporting ISO 27002 Controls

  • ISO 27002 8.9 – Configuration Management
  • ISO 27002 8.16 – Monitoring Activities


Asset Management

ISO 27701 Clause 6.5.2.1 (Classification of Information) and EU GDPR Article 5 (1)(f)

Rather than put all information held on an equal footing, organisations should classify information on a topic-specific basis.

Information owners should consider four key factors, when classifying data (especially regarding PII), which should be reviewed periodically, or when such factors change:

  1. The confidentiality of the data.
  2. The integrity of the data.
  3. Data availability levels.
  4. The organisation’s legal obligations towards PII.

To provide a clear operational framework, information categories should be named in accordance with the inherent risk level, should any incidents occur that compromise any of the above factors.

To ensure cross-platform compatibility, organisations should make their information categories available to any external personnel who they share information with, and ensure that the organisation’s own classification scheme is widely understood by all relevant parties.

Organisations should be wary of either under-classifying or, conversely, over-classifying data. The former can lead to PII being grouped in with less-sensitive data types, whilst the latter often leads to added expense, a greater chance of human error and processing anomalies.

ISO 27701 Clause 6.5.2.2 (Labelling of Information) and EU GDPR Article 5 (1)(f)

Labels are a key part of ensuring that the organisation’s PII classification policy (see above) is being adhered to, and that data is able to be clearly identified in line with its sensitivity (e.g. PII being labelled as distinct from less confidential data types).

PII labelling procedures should define:

  • Any scenario where labelling is not required (publicly available data).
  • Instructions on how personnel should be labelling both digital and physical assets and storage locations.
  • Contingency plans for any scenario where labelling isn’t physically possible.

ISO provides plenty of scope for organisations to choose their own labelling techniques, including:

  • Physical labelling.
  • Electronic labels in headers and footers.
  • The addition or amendment of metadata, including searchable terms and interactive functionality with other information management platforms (e.g. the organisation’s PIMS).
  • Watermarking that provides a clear indication of the data classification on a document-by-document basis.
  • Stamp marks on physical copies of information.

ISO 27701 Clause 6.5.3.1 (Management of Removable Media) and EU GDPR Article 5 (1)(f)

Removable Storage Media

When developing policies that govern the handling of media assets involved in storing PII, organisations should:

  • Develop unique topic-specific policies based upon departmental or job-based requirements.
  • Ensure that proper authorisation is sought and granted, before personnel are able to remove storage media from the network (including keeping an accurate and up-to-date record of such activities).
  • Store media in accordance with the manufacturers specifications, free from any environmental damage.
  • Consider using encryption as a pre-requisite to access, or where this isn’t possible, implementing additional physical security measures.
  • Minimise the risk of PII becoming corrupted or unreadable by transferring information to fresh storage media before the original media degrades.
  • Introduce PII redundancy by storing protected information on multiple assets at the same time.
  • Only authorise the use of storage media on approved inputs (e.g. SD card slots and USB ports), on an asset-by-asset basis.
  • Closely monitor the transfer of PII onto storage media, for any purpose.
  • Take into consideration the risks inherent within the physical transfer of storage media (and by proxy, the PII contained on it), when moving assets between personnel or premises (see ISO 27002 Control 5.14).

Re-Use and Disposal

When re-purposing, re-using or disposing of storage media, robust procedures should be put in place to ensure that PII is not affected in any way, including:

  1. Formatting the storage media, and ensuring that all PII is removed before re-use (see ISO 27002 Control 8.10), including maintaining adequate documentation of all such activities.
  2. Securely disposing of any media that the organisation has no further use for, and has been used to store PII.
  3. If disposal requires the involvement of a third party, organisations should take great care to ensure they are a fit and proper partner to perform such duties, in line with the organisation’s responsibility towards PII and privacy protection.
  4. Implementing procedures that identify which storage media are available for re-use, or can be disposed of accordingly.

If devices that have been used to store PII become damaged, organisations should carefully consider whether it is more appropriate to destroy such media or send it for repair (erring on the side of destruction).

Supporting ISO 27002 Controls

  • ISO 27002 5.14

ISO 27701 Clause 6.5.3.2 (Disposal of Media) and EU GDPR Article 5 (1)(f)

See ISO 27701 Clause 6.5.3.1

Additional PII-Related Guidance

If media is to be disposed of that previously held PII, organisations should implement procedures that document the destruction of PII and privacy-related data, including categorical assurances that it is no longer available.

ISO 27701 Clause 6.5.3.3 (Physical Media Transfer) and EU GDPR Article 5 (1)(f)

Removable Storage Media

When implementing policies that deal with removable media, organisations should:

  • Develop procedures that address departmental or job-based requirements.
  • Ensure that proper authorisation is obtained before any media is removed from the corporate network.
  • Ensure that any manufacturer’s guidelines are strictly adhered to, when operating any form of storage device.
  • Consider the use of cryptographic storage technology.
  • Take steps to ensure that data is not corrupted during any transfer process.
  • Increase redundancy by storing information on multiple assets at the same time.
  • Approve the use of storage media (e.g. SD cards and USB ports) on an asset-by-asset basis.
  • Understand and mitigate the risks inherent in moving media and assets between personnel and locations (see ISO 27002 Control 5.14).

Organisations should keep thorough records of any storage media used to process sensitive information, including:

  • The type of media that’s to be sent (HDD, USB, SD card etc.).
  • Any authorised senders and any internal personnel permitted to receive media.
  • The date and time of transfer.
  • The quantity of media to be transferred.

Re-Use and Disposal

Throughout the process of re-purposing, re-using or disposing of storage media, organisations should:

  • Ensure that all media is correctly formatted, and all such activities are thoroughly documented (see ISO 27002 Control 8.10).
  • Ensure that, when storage assets are no longer required, they are disposed of in a safe and secure manner – including thorough vetting of any third parties involved in disposal activities, to ensure that the organisation is fulfilling its duties towards the handling of PII.
  • Identify which media is suitable for re-use, or needs to be disposed of, especially where devices have become damaged or physically compromised in any way.

Access Control

ISO 27701 Clause 6.6.2.1 (User Registration and Deregistration) and EU GDPR 5 (1)(f)

User registration is governed by the use of assigned ‘identities’. Identities provide organisations with a framework to govern user access to PII and privacy-related assets and material, within the confines of a network.

Organisations need to follow six main guidance points in order to ensure that identities are managed correctly, and PII is protected wherever it is stored, processed or accessed:

  1. Where identities are assigned to a human being, only that person is allowed to authenticate with and/or use that identity, when accessing PII.
  2. Shared identities – multiple individuals registered on the same identity – should only be deployed to satisfy a unique set of operational requirements.
  3. Non-human entities should be considered and managed differently from user-based identities that access PII and privacy-related material.
  4. Identities should be removed once they are no longer needed – especially those with access to PII or privacy-based roles.
  5. Organisations should stick to a ‘one entity, one identity’ rule, when distributing identities across the network.
  6. Registrations should be logged and recorded through clear documentation, including timestamps, access levels and identity information.

Organisations who work in partnership with external organisations (particularly cloud-based platforms) should understand the inherent risks associated with such practices, and take steps to ensure that PII is not adversely affected in the process (see ISO 27002 Controls 5.19 and 5.17).

Supporting ISO 27002 Controls

  • ISO 27002 5.17
  • ISO 27002 5.19

ISO 27701 Clause 6.6.2.2 (User Access Provisioning) and EU GDPR 5 (1)(f)

‘Access rights’ govern how access to PII and privacy-related information is both granted and revoked, using the same set of guiding principles.

Granting and Revoking Access Rights

Access procedures should include:

  • Permission and authorisation from the owner (or management) of the information or asset (see ISO 27002 Control 5.9).
  • Any prevailing commercial, legal or operational requirements.
  • An acknowledgement of the need to segregate duties, in order to improve PII security and build a more resilient privacy protection operation.
  • Controls to revoke access rights, when access is no longer required (leavers etc.).
  • Time-limited access measures for temporary personnel or contractors.
  • A centralised record of access rights granted to both human and non-human entities.
  • Measures to modify the access rights of any personnel or third-party contractors who have changed job roles.

Reviewing Access Rights

Organisations should conduct periodic reviews of access rights across the network, including:

  • Building access right revocation into HR off-boarding procedures (see ISO 27002 Controls 6.1 and 6.5) and role-change workflows.
  • Requests for ‘privileged’ access rights.

Change Management and Leavers

Personnel who are leaving the organisation (whether voluntarily or through termination), and those who are the subject of a change request, should have their access rights amended based upon robust risk management procedures, taking into account:

  • The source of the change/termination, including the underlying reason.
  • The user’s current job role and attached responsibilities.
  • The information and assets that are currently accessible – including their risk levels and value to the organisation.

Supplementary Guidance

Employment contracts and contractor/service contracts should include an explanation of what happens following any attempts at unauthorised access (see ISO 27002 Controls 5.20, 6.2, 6.4, 6.6).

Supporting ISO 27002 Controls

  • ISO 27002 5.9
  • ISO 27002 5.20
  • ISO 27002 6.2
  • ISO 27002 6.4
  • ISO 27002 6.6

ISO 27701 Clause 6.6.4.2 (Secure Log-on Procedures) and EU GDPR 5 (1)(f)

PII and privacy-related assets need to be stored on a network that features a range of authentication controls, including:

  • Multi-factor authentication (MFA).
  • Digital certificates.
  • Smart cards/fobs.
  • Biometric verification.
  • Secure tokens.

To prevent and minimise the risk of unauthorised access to PII, organisations should:

  1. Prevent the display of PII on a monitor or endpoint device, until a user has successfully authenticated.
  2. Give would-be users a clear warning – before any login is attempted – which outlines the sensitive nature of the data they are about to access.
  3. Be wary of providing too much assistance throughout the authentication process (e.g. explaining which part of a failed login attempt is invalid).
  4. Deploy best practice security measures, including:
    • CAPTCHA technology.
    • Forcing password resets and/or temporarily preventing logins following several failed attempts.
  5. Log failed login attempts for further analysis and/or dissemination to law-enforcement agencies.
  6. Initiate a security incident whenever a major login discrepancy is detected, or the organisation discovers an authentication anomaly that has the potential to affect PII.
  7. Relay authentication logs – containing last logon attempt and failed login information – to a separate data source.
  8. Only display password data as abstract symbols, unless the user has accessibility/vision issues.
  9. Prevent the sharing of any and all authentication data.
  10. Kill dormant login sessions, especially where PII is being utilised in remote working environments, or on BYOD assets.
  11. Place a time limit on authenticated sessions, especially those that are actively accessing PII.
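Items 3, 4, 5, 10 and 11 above can be expressed as one small authentication service: a single generic failure message, a lockout after repeated failures, an internal failed-attempt log that records the real reason, and idle plus absolute session limits. This is an added example, not code from the page or from ISMS.online; the thresholds, PBKDF2 parameters and in-memory stores are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 5            # item 4: temporarily prevent logins after several failed attempts
LOCKOUT_SECONDS = 15 * 60
IDLE_TIMEOUT = 10 * 60      # item 10: kill dormant sessions
MAX_SESSION_AGE = 8 * 3600  # item 11: absolute limit on an authenticated session
GENERIC_FAILURE = "Authentication failed."  # item 3: never reveal which part was wrong
PBKDF2_ROUNDS = 100_000     # assumed value for the demo; tune upwards in production


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class Authenticator:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock  # injectable so expiry can be exercised without waiting
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}
        # items 5 and 7: failed attempts with the precise reason, for analysts only;
        # in practice this list is shipped to a separate log store.
        self.failed_log: List[dict] = []

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, hash_password(password, salt))

    def _fail(self, user: str, source: str, reason: str) -> Tuple[None, str]:
        self.failed_log.append({"user": user, "source": source,
                                "time": self.clock(), "reason": reason})
        return None, GENERIC_FAILURE  # the caller sees the same message whatever the reason

    def login(self, user: str, password: str, source: str) -> Tuple[Optional[str], str]:
        now = self.clock()
        acct = self.accounts.get(user)
        if acct is None:
            # Do the same work as for a real account so response time does not reveal valid usernames.
            hash_password(password, b"\x00" * 16)
            return self._fail(user, source, "unknown-user")
        if now < acct.locked_until:
            return self._fail(user, source, "locked")
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
            return self._fail(user, source, "bad-password")
        acct.failures = 0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now)
        return token, "ok"

    def touch(self, token: str) -> Optional[str]:
        """Call on every request: returns the user, or None if the session is gone or expired."""
        now = self.clock()
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT or now - sess.created > MAX_SESSION_AGE:
            del self.sessions[token]  # dormant or over-long: kill it
            return None
        sess.last_seen = now
        return sess.user
```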

Physical & Environmental Security

ISO 27701 Clause 6.8.2.7 (Secure Disposal or Re-Use of Equipment) and EU GDPR 5 (1)(f)

PII and privacy-related information is particularly at risk when the need arises to either dispose of, or re-purpose storage and processing assets – either internally, or in partnership with a specialised third-party provider.

Above all, organisations need to ensure that any storage media marked for disposal that has contained PII is physically destroyed, wiped or over-written (see ISO 27002 Controls 7.10 and 8.10).

To prevent PII becoming compromised in any way, when disposing of or re-using assets, organisations should:

  • Ensure that all labels are either removed or amended, as necessary – especially those which indicate the presence of PII.
  • Remove all physical and logical security controls, when decommissioning facilities or moving premises, with a view to re-using them in a new location.

Supporting ISO 27002 Controls

  • ISO 27002 7.10
  • ISO 27002 8.10

ISO 27701 Clause 6.8.2.9 (Clear desk and clear screen policy) and EU GDPR 5 (1)(f)

PII and privacy-related information is particularly at risk when careless staff and third-party contractors fail to adhere to workplace security measures that protect against the accidental or deliberate viewing of PII by unauthorised personnel.

Organisations should draft topic-specific clear desk and clear screen policies (on a workspace-by-workspace basis if need be) that include:

  • Hiding from casual view, locking away or securely storing PII and privacy-related information when such material isn’t required.
  • Physical locking mechanisms on ICT assets.
  • Digital access controls – such as display timeouts, password protected screen savers and automatic log-out facilities.
  • Secure printing and immediate document collection.
  • Secure, locked storage of sensitive documentation, and proper disposal of such material when they are no longer required (shredding, third-party disposal services etc.).
  • Being mindful of message previews (email, SMS, calendar reminders) that may expose sensitive data whenever a screen is being shared or viewed in a public place.
  • Clearing physical displays (e.g. whiteboards and noticeboards) of sensitive information, when no longer required.

When organisations collectively leave premises – such as during an office move or similar relocation – efforts should be made to ensure that no documentation is left behind, either in desks and filing systems, or in any obscure places it may have fallen into.

Operations Security

ISO 27701 Clause 6.9.3.1 (Information Backup) and EU GDPR 5 (1)(f)

Organisations should draft topic-specific policies that directly address how the organisation backs up the relevant areas of its network in order to safeguard PII and improve resilience against privacy-related incidents.

BUDR procedures should be drafted to achieve the primary goal of ensuring that all business-critical data, software and systems can be recovered following data loss, intrusion, business interruption and critical failures.

As a priority, BUDR plans should:

  • Outline restoration procedures that cover all critical systems and services.
  • Be able to produce workable copies of any systems, data or applications that are part of a backup job.
  • Serve the commercial and operational requirements of the organisation (see ISO 27002 Control 5.30).
  • Store backups in an environmentally protected location that is physically separate from the source data (see ISO 27002 Control 8.1).
  • Regularly test and appraise backup jobs against the organisation’s mandated recovery times, in order to guarantee data availability.
  • Encrypt all PII-related backup data.
  • Double-check for any data loss before executing a backup job.
  • Adhere to a reporting system that alerts staff to the status of backup jobs.
  • Seek to incorporate data from cloud-based platforms that are not directly managed by the organisation, in internal backup jobs.
  • Store backups in accordance with an appropriate PII retention policy (see ISO 27002 Control 8.10).

Additional PII-Specific Guidance

Organisations need to develop separate procedures that deal solely with PII (albeit contained within their main BUDR plan).

Regional variances in PII BUDR standards (contractual, legal and regulatory) should be taken into consideration whenever a new job is created, jobs are amended or new PII data is added to the BUDR routine.

Whenever the need arises to restore PII following a BUDR incident, organisations should take great care to return the PII to its original state, and review restore activities to resolve any issues with the new data.

Organisations should keep a log of restoration activity, including any personnel involved in the restore, and a description of the PII that’s been restored.

Organisations should check with any law-making or regulatory agencies and ensure that their PII restoration procedures are in alignment with what’s expected of them as a PII processor and controller.

Supporting ISO 27002 Controls

  • ISO 27002 5.30
  • ISO 27002 8.1
  • ISO 27002 8.10

ISO 27701 Clause 6.9.4.1 (Event Logging) and EU GDPR 5 (1)(f)

ISO defines an ‘event’ as any action performed by a digital or physical presence/entity on a computer system.

Event logs should contain:

  • A user ID – Who or what account performed the actions.
  • A record of system activity.
  • Timestamps.
  • Device and system identifiers, and the location of the event.
  • IP address information.

Event Types

ISO identifies 11 events/components that require logging (all linked to the same time source – see ISO 27002 Control 8.17), in order to maintain PII security and improve organisational privacy protection:

  1. System access attempts.
  2. Data access attempts.
  3. Resource access attempts.
  4. OS configuration changes.
  5. Elevated privileges.
  6. Utility programs and maintenance facilities (see ISO 27002 Control 8.18).
  7. File access requests, and what occurred (deletion, migration etc.).
  8. Critical interrupts.
  9. Activities surrounding security/anti-malware systems.
  10. Identity administration work (e.g. user additions and deletions).
  11. Selected application session activities.

Log Protection

Logs should be protected against unauthorised changes or operational anomalies, including:

  • Message type amendments.
  • Deletion or editing.
  • Over-writing due to storage issues.

Organisations should use the following techniques in order to improve log-based security:

  • Cryptographic hashing.
  • Append-only recording.
  • Read-only recording.
  • Use of public transparency files.

When the need arises to provide logs to external organisations, strict measures should be taken to safeguard PII and privacy-related information, in accordance with accepted data privacy standards (see ISO 27002 Control 5.34 and additional guidance below).

Log Analysis

Logs will need to be analysed from time to time, in order to improve privacy protection on the whole, and to both resolve and prevent security breaches.

When performing log analysis, organisations should take into account:

  • The expertise of the personnel carrying out the analysis.
  • The type, category and attributes of each event type.
  • Any exceptions that are applied via network rules emanating from security software, hardware and platforms.
  • Anomalous network traffic.
  • Specialised data analysis.
  • Available threat intelligence (either internally, or from a trusted third party source).

Log Monitoring

Log monitoring offers organisations the chance to protect PII at source and foster a proactive approach to privacy protection.

Organisations should:

  1. Review internal and external attempts to access secure resources.
  2. Analyse DNS logs (and data usage reports) to identify traffic to and from malicious sources.
  3. Collect logs from physical access points and physical perimeter security devices (entry systems etc.).

Additional PII-Related Guidance

ISO requires organisations to monitor logs pertaining to PII through a ‘continuous and automated monitoring and alerting process’. This may necessitate a separate set of procedures that monitor access to PII.

Organisations should ensure that – as a priority – logs provide a clear account of access to PII, including:

  • Who accessed the data.
  • When the data was accessed.
  • Which principal’s PII was accessed.
  • Any changes that were made.
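The Log Protection techniques listed earlier (cryptographic hashing and append-only recording) and the four PII access fields just listed fit naturally into one record format: each access event is stored with a SHA-256 hash chained to the previous entry, so any edit or truncation is detectable, and a per-principal view supports the rule that principals only see records about themselves. This is an added example, not code from the page or from ISMS.online; the field names, the hash-chain construction and the sample events are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from typing import Dict, List, Optional

# One PII access record carrying the four fields the guidance asks for:
# who accessed the data, when, whose PII it was, and what changed.
@dataclass(frozen=True)
class AccessEvent:
    actor: str                 # user or service account ID
    timestamp: str             # ISO 8601, from the shared time source (ISO 27002 8.17)
    principal_id: str          # the PII principal whose record was touched
    action: str                # "read", "update", "delete", ...
    changes: Dict[str, str] = field(default_factory=dict)  # field -> new value; empty for reads

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


def entry_hash(prev_hash: str, event: AccessEvent) -> str:
    """SHA-256 over the previous hash plus a canonical serialisation of the event.

    Binding each entry to its predecessor is what makes the chain tamper-evident:
    altering or removing any earlier entry changes every hash after it.
    """
    payload = json.dumps({"prev": prev_hash, "event": asdict(event)}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AppendOnlyLog:
    """Append-only recording: entries can be added, never edited or removed."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, event: AccessEvent) -> str:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        digest = entry_hash(prev, event)
        self._entries.append({"event": event, "hash": digest})
        return digest

    def head(self) -> str:
        """Latest hash; publish it to a separate read-only store after each batch."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def entries(self) -> List[dict]:
        return list(self._entries)  # a copy, so callers cannot mutate the log


def verify_chain(entries: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Recompute the chain. Returns the index of the first bad entry, or None if intact.

    With expected_head (the independently stored head hash) a log that has been
    truncated but is otherwise self-consistent is reported as bad at len(entries).
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry_hash(prev, entry["event"]) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def principal_view(entries: List[dict], principal_id: str) -> List[AccessEvent]:
    """Events about one principal only, so a subject access response never includes others' records."""
    return [e["event"] for e in entries if e["event"].principal_id == principal_id]


def demo() -> dict:
    """Constructed sample: build a log, then detect an edit and a truncation in copies of it."""
    log = AppendOnlyLog()
    log.append(AccessEvent("alice", "2024-01-10T09:00:00Z", "P-1001", "read"))
    log.append(AccessEvent("svc-crm", "2024-01-10T09:05:00Z", "P-1002", "update",
                           {"email": "new@example.com"}))
    log.append(AccessEvent("bob", "2024-01-10T09:07:00Z", "P-1001", "delete"))
    published_head = log.head()

    # Edited copy: the deletion is re-attributed to a different user, stored hash left as-is.
    edited = log.entries()
    ev = edited[2]["event"]
    edited[2] = {"event": AccessEvent("alice", ev.timestamp, ev.principal_id, ev.action),
                 "hash": edited[2]["hash"]}

    return {
        "intact": verify_chain(log.entries(), published_head),            # None
        "edited_at": verify_chain(edited, published_head),                # 2
        "truncated_at": verify_chain(log.entries()[:2], published_head),  # 2
        "p1001_events": len(principal_view(log.entries(), "P-1001")),     # 2
    }


if __name__ == "__main__":
    print(demo())
```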

Organisations should decide ‘if, when and how’ PII log information should be made available to customers, with any criteria being made freely available to the principals themselves and great care taken to ensure that PII principals are only able to access information pertaining to them.

Supporting ISO 27002 Controls

  • ISO 27002 5.34
  • ISO 27002 8.11
  • ISO 27002 8.17
  • ISO 27002 8.18

ISO 27701 Clause 6.9.4.2 (Protection of Log Information) and EU GDPR 5 (1)(f)

See ISO 27701 Clause 6.9.4.1

Additional PII-Related Guidance

Organisations should pay close attention to ensuring that logs which contain PII are properly controlled, and benefit from secure monitoring.

Automated procedures should be put in place that either delete or ‘de-identify’ logs, in line with a published retention policy (see ISO 27002 Control 7.4.7).

Guidance for PII Controllers

ISO 27701 Clause 7.2.1 (Identify and Document Purpose) and EU GDPR 5 (1)(b)

PII principals need to be fully conversant with all the various reasons as to why their PII is being processed.

It’s the responsibility of the organisation to convey these reasons to PII principals, along with a ‘clear statement’ on why they need to process their information.

All documentation needs to be clear, comprehensive and easily understood by any PII principal that reads it – including anything relating to consent, as well as copies of internal procedures (see ISO 27701 Clauses 7.2.3, 7.3.2 and 7.2.8).

Supporting ISO 27701 Clauses

  • ISO 27701 7.2.3
  • ISO 27701 7.3.2
  • ISO 27701 7.2.8

ISO 27701 Clause 7.2.2 (Identify Lawful Basis) and EU GDPR 5 (1)(a)

To form a legal basis for processing PII, organisations should:

  • Seek consent from PII principals.
  • Draft a contract.
  • Comply with various other legal obligations.
  • Protect the ‘vital interests’ of the various PII principals.
  • Ensure that the tasks being performed are in the public interest.
  • Confirm that PII processing is a legitimate interest.

For every point mentioned above, organisations should be able to offer documented confirmation.

Organisations also need to consider any ‘special categories’ of PII that relate to their organisation in their data classification scheme (see ISO 27701 Clause 7.2.8) (classifications may vary from region to region).

If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.

Supporting ISO 27701 Clauses

  • ISO 27701 7.2.8

ISO 27701 Clause 7.2.6 (Contracts With PII Processors) and EU GDPR 5 (2)

Organisations need to enter into written, binding contracts with any external PII processor that they use.

Any contracts need to ensure that the PII processor implements all the required information contained within ISO 27701 Annex B, with particular attention to risk assessment controls (ISO 27701 Clause 5.4.1.2) and the overall scope of the processing activities (see ISO 27701 Clause 6.12).

Organisations need to be able to justify the omission of any controls contained within Annex B, in their relationship with the PII processor (see ISO 27701 Clause 5.4.1.3).

ISO 27701 Clause 7.2.8 (Records Related to Processing PII) and EU GDPR 5 (2)

Organisations need to maintain a thorough set of records that support their actions and obligations as a PII processor.

Records (otherwise known as ‘inventory lists’) should have a delegated owner, and may include:

  • Operational – the specific type of PII processing that’s being undertaken.
  • Justifications – why the PII is being processed.
  • Categorical – lists of PII recipients, including international organisations.
  • Security – an overview of how PII is being protected.
  • Privacy – i.e. a privacy impact assessment report.

ISO 27701 Clause 7.3.6 (Access, Correction And/or Erasure) and EU GDPR 5 (1)(d)

Organisations should draft, document and implement procedures that allow PII principals to access, correct and/or delete their PII.

Procedures should include mechanisms through which the PII principal is able to perform the above actions, including how the organisation is to inform the principal if corrections cannot be made.

Organisations should commit to a published response time for all access, correction or deletion requests.

It’s vitally important to communicate any such requests to third parties to which PII has been transferred (see ISO 27701 Clause 7.3.7).

A PII principal’s ability to request corrections or deletions is dictated by the jurisdiction that the organisation operates in. As such, companies should keep themselves abreast of any legal or regulatory changes that govern their obligations towards PII.

Supporting ISO 27701 Clauses

  • ISO 27701 7.3.7

Privacy by Design and Privacy by Default

ISO 27701 Clause 7.4.1 (Limit Collection) and EU GDPR 5 (1)(b) and (1)(c)

Organisations should limit their collection of PII based on three factors:

  1. Relevance.
  2. Proportionality.
  3. Necessity.

Organisations should only collect PII – either directly or indirectly – in accordance with the above factors, and only for purposes that are relevant and necessary towards their stated purpose.

As a concept, ‘privacy by default’ should be adhered to – i.e., any optional functions should be disabled by default.

ISO 27701 Clause 7.4.3 (Accuracy and Quality) and EU GDPR 5 (1)(d)

Organisations should take steps to ensure that PII is accurate, complete and up-to-date, throughout its entire lifecycle.

Organisational information security policies and technical configurations should contain steps that seek to minimise errors throughout the PII processing operation, including controls on how to respond to inaccuracies.

ISO 27701 Clause 7.4.4 (PII Minimization Objectives) and EU GDPR 5 (1)(c) and (1)(e)

Organisations need to construct ‘data minimisation’ procedures, including mechanisms such as de-identification.

Data minimisation should be used to ensure that PII collection and processing is limited to the ‘identified purpose’ of each function (see ISO 27701 Clause 7.2.1).

A large part of this process involves documenting the extent to which a PII principal’s information should be directly attributable to them, and how minimisation is to be achieved via a variety of available methods.

Organisations should outline the specific techniques used to de-identify PII principals, such as:

  1. Randomisation.
  2. Noise addition.
  3. Generalisation.
  4. Attribute removal.
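The four techniques just listed, applied to a small constructed data set, together with a k-anonymity check that measures how far the remaining attributes could still single a principal out (the point made above about how directly attributable the information should remain). This is an added example, not code from the page or from ISMS.online; the records are constructed, and keyed HMAC pseudonymisation is the assumed implementation of ‘randomisation’.

```python
import hashlib
import hmac
import random
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed sample records for four PII principals (not real people).
SAMPLE_RECORDS: List[Dict] = [
    {"name": "Jane Doe", "email": "jane@example.com", "age": 37, "postcode": "SW1A 1AA", "salary": 52000},
    {"name": "John Roe", "email": "john@example.com", "age": 32, "postcode": "SW1A 2BB", "salary": 48000},
    {"name": "Ann Poe",  "email": "ann@example.com",  "age": 45, "postcode": "EC1A 1BB", "salary": 61000},
    {"name": "Bill Moe", "email": "bill@example.com", "age": 41, "postcode": "EC1A 9ZZ", "salary": 57500},
]


def randomise(record: Dict, key: bytes, field: str = "email") -> Dict:
    """Randomisation (here: keyed pseudonymisation of a direct identifier).

    An HMAC token cannot be reversed or re-linked without the key, yet the same key
    yields the same token for the same value, so distinct principals can still be counted.
    """
    out = dict(record)
    token = hmac.new(key, record[field].strip().lower().encode("utf-8"), hashlib.sha256)
    out[field] = token.hexdigest()[:16]
    return out


def add_noise(record: Dict, field: str, scale: float, rng: random.Random) -> Dict:
    """Noise addition: perturb a numeric value so the exact figure is not disclosed."""
    out = dict(record)
    out[field] = int(round(record[field] + rng.gauss(0, scale)))
    return out


def generalise(record: Dict) -> Dict:
    """Generalisation: coarsen quasi-identifiers (exact age -> 10-year band, postcode -> outward code)."""
    out = dict(record)
    low = (record["age"] // 10) * 10
    out["age"] = f"{low}-{low + 9}"
    out["postcode"] = record["postcode"].split()[0]
    return out


def remove_attributes(record: Dict, fields: Iterable[str]) -> Dict:
    """Attribute removal: drop fields that the identified purpose does not need."""
    drop = set(fields)
    return {k: v for k, v in record.items() if k not in drop}


def de_identify(record: Dict, key: bytes, rng: random.Random,
                drop: Sequence[str] = ("name",), noisy_field: str = "salary") -> Dict:
    """Apply the four techniques in turn: remove, pseudonymise, generalise, add noise."""
    out = remove_attributes(record, drop)
    out = randomise(out, key)
    out = generalise(out)
    return add_noise(out, noisy_field, scale=2000, rng=rng)


def k_anonymity(records: Sequence[Dict], quasi_ids: Sequence[str]) -> int:
    """Size of the smallest group sharing the same quasi-identifier values.

    k = 1 means some combination of remaining attributes is unique to one person,
    so that person is still directly attributable despite the other measures.
    """
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def demo(key: bytes = b"constructed-demo-key") -> Tuple[List[Dict], int, int]:
    rng = random.Random(0)  # fixed seed so the sample run is reproducible
    before = k_anonymity(SAMPLE_RECORDS, ("age", "postcode"))   # 1: every raw record is unique
    after_records = [de_identify(r, key, rng) for r in SAMPLE_RECORDS]
    after = k_anonymity(after_records, ("age", "postcode"))     # 2: two people per (band, area)
    return after_records, before, after


if __name__ == "__main__":
    recs, k_before, k_after = demo()
    for r in recs:
        print(r)
    print("k-anonymity before:", k_before, "after:", k_after)
```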

Supporting ISO 27701 Clauses

  • ISO 27701 7.2.1

ISO 27701 Clause 7.4.5 (PII De-identification and Deletion at the End of Processing) and EU GDPR 5 (1)(c) and (1)(e)

Organisations either need to completely destroy any PII that no longer fulfils a purpose, or modify it in a way that prevents any form of principal identification.

As soon as the organisation has established that the PII doesn’t need to be processed at any time in the future, the information should be deleted or de-identified, as the circumstances dictate.

ISO 27701 Clause 7.4.6 (Temporary Files) and EU GDPR 5 (1)(c)

Temporary files are created for a number of technical reasons, throughout the PII processing and collection lifecycle, across numerous applications, systems and security platforms.

Organisations need to ensure that these files are destroyed within a reasonable amount of time, in accordance with an official retention policy.

A simple way to identify the existence of such files is to perform periodic checks of temporary files across the network. Temporary files often include:

  • Database update files.
  • Cached information.
  • Files created by applications and bespoke software packages.

Organisations should adhere to a so-called garbage collection procedure that deletes temporary files when they’re no longer needed.

ISO 27701 Clause 7.4.8 (Disposal) and EU GDPR 5 (1)(f)

Organisations need to have clear policies and procedures that govern how PII is disposed of.

Data disposal is a wide-ranging topic that features a host of different variables, based on the required disposal technique and the nature of the data that’s being disposed of.

Organisations need to consider:

  • What the PII includes.
  • Any residual metadata that needs to be erased alongside the principal data.
  • The type of storage media the PII is held on.

ISO 27701 Clause 7.4.9 (PII Transmission Controls) and EU GDPR 5 (1)(f)

Any PII that is to be transferred to a third-party organisation should be sent with the utmost care for the information involved, using secure means.

Organisations need to ensure that only authorised personnel are able to access transmission systems, and are doing so in a way that is easily audited with the sole purpose of getting the information to where it needs to go without incident.

Guidance for PII Processors

ISO 27701 Clause 8.2.2 (Organisational Purposes) and EU GDPR 5 (1)(a) and (1)(b)

From the outset, PII should only ever be processed in accordance with the customer’s instructions.

Contracts should include SLAs relating to mutual objectives, and any associated time scales that they need to be completed within.

Organisations retain the right to choose the methods used to process PII, provided they lawfully achieve what the customer has asked for, without needing granular permission for how this is done at a technical level.

ISO 27701 Clause 8.4.1 (Temporary Files) and EU GDPR 5 (1)(c)

Organisations need to ensure that temporary files are destroyed within a reasonable amount of time, in accordance with an official retention policy and clear deletion procedures.

A simple way to identify the existence of such files is to perform periodic checks of temporary files across the network.

Organisations should adhere to a so-called garbage collection procedure that deletes temporary files when they’re no longer needed.

ISO 27701 Clause 8.4.3 (PII Controls) and EU GDPR 5 (1)(f)

Whenever the need arises for PII to be transmitted over a data network (including a dedicated link), organisations need to ensure that the PII reaches the correct recipients in a timely manner.

When transferring PII between data networks, organisations should:

  • Ensure that only authorised individuals are able to perform the transfer.
  • Stick to published procedures that govern the transfer of PII from the organisation to a third-party.
  • Retain all audit data.
  • Include transmission requirements in the customer’s contract.
  • Consult with the customer prior to any transfer being undertaken, if no written or contractual stipulations exist.

Supporting ISO 27701 Clauses and ISO 27002 Controls

| GDPR Article | ISO 27701 Clause | ISO 27002 Controls |
|---|---|---|
| EU GDPR Article 5(1)(f) | 6.10.2.1 | 5.13, 8.7, 8.24 |
| EU GDPR Article 5(1) | 6.10.2.4 | 5.31, 5.32, 5.33, 5.34 |
| EU GDPR Article 5(1)(f) | 6.11.1.2 | 5.17, 8.2, 8.5 |
| EU GDPR Article 5(1)(f) | 6.11.3.1 | 8.10, 8.11 |
| EU GDPR Article 5(1)(f) | 6.13.1.1 | 5.25, 5.26, 5.5, 5.6, 6.8, 8.15, 8.16 |
| EU GDPR Article 5(1)(f) | 6.15.1.1 | 5.20 |
| EU GDPR Article 5(2) | 6.15.1.3 | None |
| EU GDPR Article 5(1)(f) | 6.3.2.1 | 8.9, 8.16 |
| EU GDPR Article 5(1)(f) | 6.5.2.1 | None |
| EU GDPR Article 5(1)(f) | 6.5.2.2 | None |
| EU GDPR Article 5(1)(f) | 6.5.3.1 | 5.14 |
| EU GDPR Article 5(1)(f) | 6.5.3.2 | 5.14 |
| EU GDPR Article 5(1)(f) | 6.6.2.1 | 5.17, 5.19 |
| EU GDPR Article 5(1)(f) | 6.6.2.2 | 5.9, 5.20, 6.2, 6.4, 6.6 |
| EU GDPR Article 5(1)(f) | 6.6.4.2 | None |
| EU GDPR Article 5(1)(f) | 6.8.2.7 | 7.10, 8.10 |
| EU GDPR Article 5(1)(f) | 6.8.2.9 | None |
| EU GDPR Article 5(1)(f) | 6.9.3.1 | 5.30, 8.1, 8.10 |
| EU GDPR Article 5(1)(f) | 6.9.4.1 | 5.34, 8.11, 8.17, 8.18 |
| EU GDPR Article 5(1)(f) | 6.9.4.2 | 5.34, 8.11, 8.17, 8.18 |
| EU GDPR Article 5(1)(b) | 7.2.1 | None |
| EU GDPR Article 5(1)(a) | 7.2.2 | None |
| EU GDPR Article 5(2) | 7.2.8 | None |
| EU GDPR Article 5(1)(d) | 7.3.6 | None |
| EU GDPR Article 5(1)(b) | 7.4.1 | None |
| EU GDPR Article 5(1)(d) | 7.4.3 | None |
| EU GDPR Article 5(1)(c) | 7.4.4 | None |
| EU GDPR Article 5(1)(c), 5(1)(e) | 7.4.5 | None |
| EU GDPR Article 5(1)(c) | 7.4.6 | None |
| EU GDPR Article 5(1)(f) | 7.4.8 | None |
| EU GDPR Article 5(1)(f) | 7.4.9 | None |
| EU GDPR Article 5(1)(a), 5(1)(b) | 8.2.2 | None |
| EU GDPR Article 5(1)(c) | 8.4.1 | None |
| EU GDPR Article 5(1)(f) | 8.4.3 | None |

How ISMS.online Helps

Your complete GDPR solution.

A pre-built environment that fits seamlessly into your management system allows you to describe and demonstrate your approach to protecting European and British customer data.

With ISMS.online, you can jump straight into GDPR compliance and demonstrate levels of protection that go beyond ‘reasonable’, all in one secure, always-on location.

In combination with our ‘Adopt, Adapt, Add’ implementation approach, the ISMS.online platform offers built-in guidance at every step, reducing the effort required to demonstrate your GDPR compliance. A number of powerful time-saving features will also be available to you.

Find out more by booking a short 30 minute demo.
