ISO 27701 Clause 7.2 (Conditions for collection and processing) contains guidance on how to prove and document that the organisation’s PII processing activities are lawful, and operate within the relevant legal boundaries.
Here’s a run-down of ISO’s clause-specific guidance, along with the corresponding UK GDPR citations (table of linked citations at bottom of page).
Please note that GDPR citations are for indicative purposes only. Organisations should scrutinise the legislation and make their own judgement on what parts of the law applies to them.
Organisations need to first identify and then record the specific reasons for processing the PII that they use.
PII principals need to be fully conversant with all the various reasons as to why their PII is being processed.
It’s the responsibility of the organisation to convey these reasons to PII principals, along with a ‘clear statement’ on why they need to process their information.
All documentation needs to be clear, comprehensive and easily understood by any PII principal that reads it – including anything relating to consent, as well as copies of internal procedures (see ISO 27701 Clauses 7.2.3, 7.3.2 and 7.2.8).
Depending on the jurisdiction, organisations may have to prove that their PII processing activities are lawful before they begin.
To form a legal basis for processing PII, organisations should:
For every point mentioned above, organisations should be able to offer documented confirmation.
Organisations also need to consider any ‘special categories’ of PII that relate to their organisation in their data classification scheme (see ISO 27701 Clause 7.2.8) (classifications may vary from region to region).
If organisations experience any changes to their underlying reasons for processing PII, this should be immediately reflected in their documented legal basis.
Organisations need to be able to demonstrate that consent for processing was lawfully obtained from PII principals.
Organisations should be able to document the reasons for seeking consent, and how it’s to be acquired.
PII stipulations vary from region to region, so organisations need to be continually mindful of any local and/or national laws and regulations that may govern how they obtain consent, along with any special conditions attached to certain data types (e.g. children).
Once they’ve established that consent is required, organisations should obtain consent as per their unique set of requirements.
Organisations need to gather consent in way that makes it easy for PII subjects to request information on how it was obtained (timestamps, who requested it etc.) (see ISO 27701 Clause 7.3.3).
Consent relies on three underlying legal stipulations: it needs to be freely provided, relating to the reason for processing and clear in its intent.
Book a tailored hands-on session
based on your needs and goals
Book your demo
Privacy impact assessments allow organisations to gauge any information security implications when processing a new set of PII, or changing the way existing data is processed.
PII processing is a risk-heavy business function that needs to be thoroughly assessed to ensure the integrity, authenticity and legality of the data being processed.
Depending on the jurisdiction, some organisations will need to abide by a categorical list of scenarios where a privacy impact assessment is required, such as:
Organisations need to establish what constitutes an adequate impact assessment, including (but not limited to):
Organisations need to enter into written, binding contracts with any external PII processor that it uses.
Any contracts need to ensure that the PII processor implements all the required information contained within ISO 27701 Annex B, with particular attention to risk assessment controls (ISO 27701 Clause 5.4.1.2) and the overall scope of the processing activities (see ISO 27701 Clause 6.12)
Organisations need to be able to justify the omission of any controls contained within Annex B, in their relationship with the PII processor (see ISO 27701 Clause 5.4.1.3).
Organisations need to outline the details of any joint PII processing arrangement, with an accompanying PII controller – this includes general protection measures and all associated security requirements.
Roles and responsibilities need to be clear and unambiguous, and outlined in a legally-binding document (sometimes called a ‘data sharing agreement’).
Agreements can include (among other measures):
Organisations need to maintain a thorough set of records that support its actions and obligations as a PII processor.
Records (otherwise known as ‘inventory lists’) should have a delegate owner, and may include:
Various elements of ISO 27701 Clause 7.2 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
|---|---|---|
| 7.2.1 | Identify and Document Purpose | Articles (5), (32) |
| 7.2.2 | Identify Lawful Basis | Articles (5), (6), (8), (9), (10), (17), (18), (22) |
| 7.2.3 | Determine When and How Consent Is to Be Obtained | Article (8) |
| 7.2.4 | Obtain and Record Consent | Articles (7), (9) |
| 7.2.5 | Privacy Impact Assessment | Articles (35), (36) |
| 7.2.6 | Contracts With PII Processors | Articles (5), (28) |
| 7.2.7 | Joint PII Controller | Article (26) |
| 7.2.8 | Records Related to Processing PII | Articles (5), (24), (30) |
The process of implementing ISO 27701 can be challenging, particularly if you’ve never taken on a project like this before. ISMS.online can assist you!
Our ISO 27701 frameworks allow your business to demonstrate compliance with the ISO 27701 standard.
Our Information Security specialists can assist you in creating a logical implementation procedure that adheres to the framework.
Find out more by booking a demo.
Book a tailored hands-on session
based on your needs and goals
Book your demo
