ISO 27701, Clause 7.5 – PII Sharing, Transfer, and Disclosure

ISO 27701 Controls and Clauses Explained

Book a demo

close,up.,businessman,typing,on,a,laptop.

ISO 27701 Clause 7.5.1 – Identify Basis for PII Transfer Between Jurisdictions

Purpose of Clause 7.5.1

From time to time, the need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.

Guidance on Clause 7.5.1

Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.

ISO 27701 Clause 7.5.2 – Countries and International Organizations to Which PII Can Be Transferred

Purpose of Clause 7.5.2

Organisations should keep a documented list of the countries and organisations that they could potentially transfer their PII to, under reasonable circumstances.

Guidance on Clause 7.5.2

Once they’ve formulated a list, organisations should made the information available to their customers, including any subcontracted PII operations (see ISO 27701 Clause 7.5.1)

In certain circumstances – especially in the case of criminal investigations – confidentiality laws may prevent the organisation from revealing the identity of destination countries and organisations in advance (see ISO 27701 Clauses 8.5.4 and 8.5.5).

Relevant ISO 27701 Clauses

  • ISO 27701 7.5.1
  • ISO 27701 8.5.4
  • ISO 27701 8.5.5
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 7.5.3 – Identify Basis for PII Transfer Between Jurisdictions

Purpose of Clause 7.5.3

It’s vitally important that organisations keep an accurate record of PII transfers to third party organisations.

Guidance on Clause 7.5.3

Organisations should be able to record PII that has been amended in any way (in line with the controllers obligations and objectives), or transfers that are required before enacting a request from the PII principal to change or erase the PII.

Records should be subject to a proportional retention period, and should be subject to data minimisation rules that return only that which is needed to fulfil a specific objective.

ISO 27701 Clause 7.5.4 – Records of PII Disclosure to Third Parties

Purpose of Clause 7.5.4

Organisations should log any disclosure of PII to third parties, including the following three pieces of information:

  • What’s been disclosed.
  • Who has the information been disclosed to.
  • When the disclosure was made (date and time).

Guidance on Clause 7.5.4

It’s standard practice to disclose PII for a variety of reasons, throughout an organisation’s information processing operation.

Logs should be made of disclosures that occur during normal business practices, and any special circumstances that arise (i.e. regulatory or legal investigations.

Supporting GDPR Articles

Various elements of ISO 27701 Clause 7.5 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.

ISO 27701 Clause IdentifierISO 27701 Clause NameAssociated GDPR Articles
7.5.1Identify Basis for PII Transfer Between JurisdictionsArticles (15), (44), (45), (46), (47), (49)
7.5.2Countries and International Organisations to Which PII Can Be TransferredArticles (15), (30)
7.5.3Records of Transfer of PIIArticle (30)
7.5.4Records of PII Disclosure to Third PartiesArticle (30)

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, to make the process much easier.

You will also benefit from a variety of time-saving features.

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.

Find out more by booking a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Unsure whether to build or buy?

Discover the best way to achieve ISMS success

Get your free guide

Explore ISMS.online's platform with a self-guided tour - Start Now