ISO 27701, Clause 7.3 – Obligations to PII Principals

ISO 27701 Controls and Clauses Explained


ISO 27701 Clause 7.3.1 – Determining and Fulfilling Obligations to PII Principals

Purpose of Clause 7.3.1

Organisations need to first establish and then fully document their legal, regulatory and business obligations to PII principals.

Guidance on Clause 7.3.1

Organisations should provide what ISO deems the ‘appropriate means’ to meet the needs of PII principals, including transparent documentation and a designated point of contact.

NB. Contact methods should be identical to the ways in which the organisation collects PII.

ISO 27701 Clause 7.3.2 – Determining Information for PII Principals

Purpose of Clause 7.3.2

Organisations need to outline and document the information that PII principals receive, relating to the processing of PII.

Guidance on Clause 7.3.2

Organisations should outline a categorical set of requirements that dictate when information is to be provided to PII principals, and what that information is, for example:

  • The purpose of the PII being collected and processed.
  • Company contact details.
  • How and where the PII was obtained.
  • Contractual and/or statutory requirements.
  • How consent can be removed.
  • PII transfers.
  • How to file an official complaint.
  • How decisions are made regarding the processing of PII.
  • PII retention periods.

ISO 27701 Clause 7.3.3 – Providing Information to PII Principals

Purpose of Clause 7.3.3

Organisations need to provide ‘clear and accessible’ information that establishes who the PII controller is and how the PII is processed.

Guidance on Clause 7.3.3

All information should be provided error-free, and in language that is easily understood (e.g. free of jargon, not overly technical) by the people who are expected to read it (see ISO 27701 clause 7.3.2).

Relevant ISO 27701 Clauses

  • ISO 27701 7.3.2

ISO 27701 Clause 7.3.4 – Providing Mechanism to Modify or Withdraw Consent

Purpose of Clause 7.3.4

PII principals need to be provided with a means to withdraw consent for the collection or processing of their PII.

Guidance on Clause 7.3.4

On a basic level, organisations need to provide a mechanism that outlines the rights of any PII principal who wishes to withdraw consent, along with instructions on how to do so that are in alignment with the methods used to collect PII (e.g. email, telephone).

PII principals should also be able to ‘modify’ consent – i.e. restricting the controller from performing certain actions, such as deleting PII. Such requests should be documented in accordance with procedures for the removal of consent.

Organisations should commit to a published response time for all modification or withdrawal of consent requests.

ISO 27701 Clause 7.3.5 – Providing Mechanism to Object to PII Processing

Purpose of Clause 7.3.5

PII principals need to be given the ability to raise objections over the processing of their PII.

Guidance on Clause 7.3.5

Laws vary from region to region, but some jurisdictions provide PII principals with the right to raise an objection regarding the processing of their PII.

Organisations should approach this function in two ways:

  1. By documenting any legal or regulatory requirements that relate to the specific objections raised by PII principals.
  2. By giving principals information on how they can object.


ISO 27701 Clause 7.3.6 – Access, Correction And/or Erasure

Purpose of Clause 7.3.6

Organisations should draft, document and implement procedures that allow PII principals to access, correct and/or delete their PII.

Guidance on Clause 7.3.6

Procedures should include mechanisms through which the PII principal is able to perform the above actions, including how the organisation is to inform the principal if corrections cannot be made.

Organisations should commit to a published response time for all access, correction or deletion requests.

It’s vitally important to communicate any such requests to third parties to which PII has been transferred (see ISO 27701 clause 7.3.7).

A PII principal’s ability to request corrections or deletions is dictated by the jurisdiction that the organisation operates in. As such, companies should keep themselves abreast of any legal or regulatory changes that govern their obligations towards PII.

Relevant ISO 27701 Clauses

  • ISO 27701 7.3.7

ISO 27701 Clause 7.3.7 – PII Controllers’ Obligations to Inform Third Parties

Purpose of Clause 7.3.7

From time to time, the need may arise to share PII with third parties (using the appropriate channels).

Organisations need to inform such companies of any requests for modification, withdrawal of consent or objections relating to any PII that’s been shared.

Guidance on Clause 7.3.7

Organisations should use the appropriate technical channels to ensure that third parties are informed quickly and accurately, and in line with any regional legal or regulatory requirements.

Where possible, organisations should delegate this function to a dedicated individual, and take steps to ensure that such requests have been acknowledged.

ISO 27701 Clause 7.3.8 – Providing Copy of PII Processed

Purpose of Clause 7.3.8

It is vitally important that organisations are able to provide, upon request, a copy of any PII that’s been processed.

Guidance on Clause 7.3.8

ISO requires organisations to provide a copy of the PII in a user-friendly format that is easily accessible by the PII principal.

Organisations should take great care to ensure that any information provided relates solely to the PII principal who requested it.

PII identification laws vary from region to region, but if the PII has undergone a de-identification process then the organisation should not attempt to re-identify it, unless legally required to do so.

Organisations should also explore methods of transferring the PII directly to another organisation, if requested to do so.


ISO 27701 Clause 7.3.9 – Handling Requests

Purpose of Clause 7.3.9

Organisations need to abide by a concrete set of procedures that govern how they should respond to requests from PII principals.

Guidance on Clause 7.3.9

Requests can include (but are not limited to) a request for a copy of the PII or the filing of a complaint, and should be processed within a published response time that takes into account the nature of the request.

Depending on the jurisdiction, organisations may also charge a handling fee, but this is usually limited to excessive or repetitive requests.

ISO 27701 Clause 7.3.10 – Automated Decision Making

Purpose of Clause 7.3.10

Organisations should address any legal obligations to PII principals that relate to the automated processing of PII.

Guidance on Clause 7.3.10

Organisations should take into account jurisdictional variances in automated decision making regarding PII – more specifically, allowing PII principals to object to automated procedures and to request human intervention in their place.

Supporting GDPR Articles

Various elements of ISO 27701 Clause 7.3 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.

| ISO 27701 Clause Identifier | ISO 27701 Clause Name                                     | Associated GDPR Articles                    |
|-----------------------------|-----------------------------------------------------------|--------------------------------------------|
| 7.3.1                       | Determining and Fulfilling Obligations to PII Principals  | Article 12                                 |
| 7.3.2                       | Determining Information for PII Principals                | Articles 11, 13, 14, 15, 18, 21            |
| 7.3.3                       | Providing Information to PII Principals                   | Articles 11, 12, 13, 21                    |
| 7.3.4                       | Providing Mechanism to Modify or Withdraw Consent         | Articles 7, 13, 14, 18                     |
| 7.3.5                       | Providing Mechanism to Object to PII Processing           | Articles 13, 14, 21                        |
| 7.3.6                       | Access, Correction And/or Erasure                         | Articles 5, 13, 14, 16, 17                 |
| 7.3.7                       | PII Controllers’ Obligations to Inform Third Parties      | Article 19                                 |
| 7.3.8                       | Providing Copy of PII Processed                           | Articles 15, 20                            |
| 7.3.9                       | Handling Requests                                         | Articles 12, 15                            |
| 7.3.10                      | Automated Decision Making                                 | Articles 13, 14, 22                        |

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701 makes the process much easier.

You will also benefit from a variety of time-saving features.

If for any reason you experience a lack of confidence, ability or the drive to take action during your journey to ISO 27701, we can make our team of in-house experts available or recommend one of our trusted partners to give your efforts a boost.

Find out more by booking a demo.
