Understanding ISO 27701 Clause 7.2: Conditions for Lawful PII Processing

ISO 27701 Clause 7.2 (Conditions for collection and processing) contains guidance on how to prove and document that the organisation’s PII processing activities are lawful, and operate within the relevant legal boundaries.

Here’s a run-down of ISO’s clause-specific guidance, along with the corresponding UK GDPR citations (table of linked citations at bottom of page).

Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on which parts of the law apply to them.

ISO 27701 Clause 7.2.1 – Identify and Document Purpose

Purpose of Clause 7.2.1

Organisations need to first identify and then record the specific reasons for processing the PII that they use.

Guidance on Clause 7.2.1

PII principals need to be fully conversant with all the various reasons as to why their PII is being processed.

It’s the responsibility of the organisation to convey these reasons to PII principals, along with a ‘clear statement’ on why they need to process their information.

All documentation needs to be clear, comprehensive and easily understood by any PII principal that reads it – including anything relating to consent, as well as copies of internal procedures (see ISO 27701 Clauses 7.2.3, 7.3.2 and 7.2.8).

Relevant ISO 27701 Clauses

  • ISO 27701 7.2.3
  • ISO 27701 7.3.2
  • ISO 27701 7.2.8






ISO 27701 Clause 7.2.2 – Identify Lawful Basis

Purpose of Clause 7.2.2

Depending on the jurisdiction, organisations may have to prove that their PII processing activities are lawful before they begin.

Guidance on Clause 7.2.2

To form a legal basis for processing PII, organisations should:

  • Seek consent from PII principals.
  • Draft a contract.
  • Comply with various other legal obligations.
  • Protect the ‘vital interests’ of the various PII principals.
  • Ensure that the tasks being performed are in the public interest.
  • Confirm that PII processing is a legitimate interest.

For every point mentioned above, organisations should be able to offer documented confirmation.

Organisations also need to account for any ‘special categories’ of PII that relate to their organisation in their data classification scheme (see ISO 27701 Clause 7.2.8). Classifications may vary from region to region.

If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.

Relevant ISO 27701 Clauses

  • ISO 27701 7.2.8

ISO 27701 Clause 7.2.3 – Determine When and How Consent Is to Be Obtained

Purpose of Clause 7.2.3

Organisations need to be able to demonstrate that consent for processing was lawfully obtained from PII principals.

Guidance on Clause 7.2.3

Organisations should be able to document the reasons for seeking consent, and how it’s to be acquired.

PII stipulations vary from region to region, so organisations need to be continually mindful of any local and/or national laws and regulations that may govern how they obtain consent, along with any special conditions attached to certain data types (e.g. children).

ISO 27701 Clause 7.2.4 – Obtain and Record Consent

Purpose of Clause 7.2.4

Once they’ve established that consent is required, organisations should obtain consent as per their unique set of requirements.

Guidance on Clause 7.2.4

Organisations need to gather consent in a way that makes it easy for PII subjects to request information on how it was obtained (timestamps, who requested it etc.) (see ISO 27701 Clause 7.3.3).

Consent relies on three underlying legal stipulations: it needs to be freely provided, related to the reason for processing, and clear in its intent.







ISO 27701 Clause 7.2.5 – Privacy Impact Assessment

Purpose of Clause 7.2.5

Privacy impact assessments allow organisations to gauge any information security implications when processing a new set of PII, or changing the way existing data is processed.

Guidance on Clause 7.2.5

PII processing is a risk-heavy business function that needs to be thoroughly assessed to ensure the integrity, authenticity and legality of the data being processed.

Depending on the jurisdiction, some organisations will need to abide by a categorical list of scenarios where a privacy impact assessment is required, such as:

  • Automated decision-making.
  • Enterprise-level processing of special PII categories.
  • Monitoring of large public areas.

Organisations need to establish what constitutes an adequate impact assessment, including (but not limited to):

  1. What kind of PII is being stored.
  2. Where it’s being stored.
  3. Where it can be relocated to.

ISO 27701 Clause 7.2.6 – Contracts With PII Processors

Purpose of Clause 7.2.6

Organisations need to enter into written, binding contracts with any external PII processor that they use.

Guidance on Clause 7.2.6

Any contracts need to ensure that the PII processor implements all the required information contained within ISO 27701 Annex B, with particular attention to risk assessment controls (ISO 27701 Clause 5.4.1.2) and the overall scope of the processing activities (see ISO 27701 Clause 6.12).

Organisations need to be able to justify the omission of any controls contained within Annex B, in their relationship with the PII processor (see ISO 27701 Clause 5.4.1.3).

ISO 27701 Clause 7.2.7 – Joint PII Controller

Purpose of Clause 7.2.7

Organisations need to outline the details of any joint PII processing arrangement, with an accompanying PII controller – this includes general protection measures and all associated security requirements.

Guidance on Clause 7.2.7

Roles and responsibilities need to be clear and unambiguous, and outlined in a legally-binding document (sometimes called a ‘data sharing agreement’).

Agreements can include (among other measures):

  • Why PII is being shared.
  • Data categories.
  • A general overview of the PII processing operation.
  • Any relevant roles and responsibilities.
  • How privacy information security is to be governed.
  • What actions are to be taken in the event of a data breach.
  • How PII is to be retained, and destroyed when no longer needed.
  • What occurs when either party is in breach of agreement.
  • What either party’s obligations are to PII principals.
  • What mechanisms are in place to provide PII principals with applicable details of the joint agreement.
  • How PII principals can make official requests, and how to formulate and deliver a response.
  • Points of contact – both internally and for PII principals to utilise.






ISO 27701 Clause 7.2.8 – Records Related to Processing PII

Purpose of Clause 7.2.8

Organisations need to maintain a thorough set of records that support their actions and obligations as a PII processor.

Guidance on Clause 7.2.8

Records (otherwise known as ‘inventory lists’) should have a delegate owner, and may include:

  1. Operational – the specific type of PII processing that’s being undertaken.
  2. Justifications – why the PII is being processed.
  3. Categorical – lists of PII recipients, including international organisations.
  4. Security – an overview of how PII is being protected.
  5. Privacy – i.e. a privacy impact assessment report.

Supporting GDPR Articles

Various elements of ISO 27701 Clause 7.2 are applicable within UK GDPR legislation. See the table below for the corresponding references.

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
| --- | --- | --- |
| 7.2.1 | Identify and Document Purpose | Articles (5), (32) |
| 7.2.2 | Identify Lawful Basis | Articles (5), (6), (8), (9), (10), (17), (18), (22) |
| 7.2.3 | Determine When and How Consent Is to Be Obtained | Article (8) |
| 7.2.4 | Obtain and Record Consent | Articles (7), (9) |
| 7.2.5 | Privacy Impact Assessment | Articles (35), (36) |
| 7.2.6 | Contracts With PII Processors | Articles (5), (28) |
| 7.2.7 | Joint PII Controller | Article (26) |
| 7.2.8 | Records Related to Processing PII | Articles (5), (24), (30) |

How ISMS.online Helps

The process of implementing ISO 27701 can be challenging, particularly if you’ve never taken on a project like this before. ISMS.online can assist you!

Our ISO 27701 frameworks allow your business to demonstrate compliance with the ISO 27701 standard.

Our Information Security specialists can assist you in creating a logical implementation procedure that adheres to the framework.

Find out more by booking a demo.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
