Organisations need to first establish and then fully document their legal, regulatory and business obligations to PII principals.
Organisations should provide what ISO deem as the ‘appropriate means’ to meet the needs of PII principals, including transparent documentation and a designated point of contact.
NB. Contact methods should be identical to the ways in which the organisation collects PII.
Organisations need to outline and document the information that PII principals receive, relating to the processing of PII.
Organisations should outline a categorical set of requirements that dictate when information is to be provided to PII principals, and what that information is, for example:
Organisations need to provide ‘clear and accessible’ information that establishes who the PII controller is, and how the PII is processed.
All information should be provided error-free, and in language that is easily understood (e.g. lacking jargon, not overly technical) by the people who are expected to read it (see ISO 27701 clause 7.3.2).
PII principals need to be provided with a means to withdraw consent for the collection or processing of PII.
On a basic level, organisations need to provide a mechanism that outlines the rights of any PII principal who wishes to withdraw consent, along with instructions on how to do so that are in alignment with the methods used to collect PII (e.g. email, telephone).
PII principals should also be able to ‘modify’ consent – i.e. restricting the controller from performing certain actions, such as deleting PII. Such requests should be documented in accordance with procedures for the removal of consent.
Organisations should commit to a published response time for all modification or withdrawal of consent requests.
PII principals need to be given the ability to raise objections over the processing of their PII.
Laws vary from region to region, but some jurisdictions provide PII principals with the right to raise an objection regarding the processing of their PII.
Organisations should approach this function in two ways:
Organisations should draft, document and implement procedures that allow PII principals to access, correct and/or delete their PII.
Procedures should include mechanisms through which the PII principal is able to perform the above action, including how the organisation is to inform the principal if corrections aren’t able to be made.
Organisations should commit to a published response time for all access, correction or deletion requests.
It’s vitally important to communicate any such requests to third parties to which the PII has been transferred (see ISO 27701 clause 7.3.7).
A PII principal’s ability to request corrections or deletions is dictated by the jurisdiction that the organisation operates in. As such, companies should keep themselves abreast of any legal or regulatory changes that govern their obligations towards PII.
From time to time, the need may arise to share PII with third parties (using the appropriate channels).
Organisations need to inform such companies of any requests for modification, withdrawal of consent or objections relating to any PII that’s been shared.
Organisations should use the appropriate technical channels to ensure that third parties are informed quickly and accurately, and in line with any regional legal or regulatory requirements.
Where possible, organisations should delegate this function to a dedicated individual, and take steps to ensure that such requests have been acknowledged.
It is vitally important that organisations are able to provide, upon request, a copy of any PII that’s been processed.
ISO requires organisations to provide a copy of the PII in a user-friendly format that is easily accessible by the PII principal.
Organisations should take great care to ensure that any information provided relates solely to the PII principal who requested it.
PII identification laws vary from region to region, but if the PII has undergone a de-identification process then the organisation should not attempt to re-identify it, unless legally required to do so.
Organisations should also explore methods of transferring the PII directly to another organisation, if requested to do so.
Organisations need to abide by a concrete set of procedures that govern how they should respond to requests from PII principals.
Requests can include (but are not limited to) a request for a copy of the PII or the filing of a complaint, and should be processed within a published response time that takes into account the nature of the request.
Depending on the jurisdiction, organisations may also charge a handling fee, but this is usually limited to excessive or repetitive requests.
Organisations should address any legal obligations to PII principals that relate to the automated processing of PII.
Organisations should take into account jurisdictional variances in automated decision making regarding PII – more specifically, allowing PII principals to object to automated procedures and to request human intervention in their place.
Various elements of ISO 27701 Clause 7.3 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
---|---|---|
7.3.1 | Determining and Fulfilling Obligations to PII Principals | Article (12) |
7.3.2 | Determining Information for PII Principals | Articles (11), (13), (14), (15), (18), (21) |
7.3.3 | Providing Information to PII Principals | Articles (11), (12), (13), (21) |
7.3.4 | Providing Mechanism to Modify or Withdraw Consent | Articles (7), (13), (14), (18) |
7.3.5 | Providing Mechanism to Object to PII Processing | Articles (13), (14), (21) |
7.3.6 | Access, Correction And/or Erasure | Articles (5), (13), (14), (16), (17) |
7.3.7 | PII Controllers’ Obligations to Inform Third Parties | Article (19) |
7.3.8 | Providing Copy of PII Processed | Articles (15), (20) |
7.3.9 | Handling Requests | Articles (12), (15) |
7.3.10 | Automated Decision Making | Articles (13), (14), (22) |
The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701 makes the process much easier.
You will also benefit from a variety of time-saving features.
If for any reason you experience a lack of confidence, ability or the drive to take action during your journey to ISO 27701, we can make our team of in-house experts available or recommend one of our trusted partners to give your efforts a boost.
Find out more by booking a demo.