From time to time, the need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.
Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.
Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.
Organisations should keep a documented list of the countries and organisations that they could potentially transfer their PII to, under reasonable circumstances.
Once they’ve formulated a list, organisations should make the information available to their customers, including any subcontracted PII operations (see ISO 27701 Clause 7.5.1).
In certain circumstances – especially in the case of criminal investigations – confidentiality laws may prevent the organisation from revealing the identity of destination countries and organisations in advance (see ISO 27701 Clauses 8.5.4 and 8.5.5).
It’s vitally important that organisations keep an accurate record of PII transfers to third party organisations.
Organisations should be able to record PII that has been amended in any way (in line with the controller’s obligations and objectives), or transfers that are required before enacting a request from the PII principal to change or erase the PII.
Records should be subject to a proportional retention period, and should be subject to data minimisation rules that return only that which is needed to fulfil a specific objective.
Organisations should log any disclosure of PII to third parties, including the following three pieces of information:
It’s standard practice to disclose PII for a variety of reasons, throughout an organisation’s information processing operation.
Logs should be made of disclosures that occur during normal business practices, and of any special circumstances that arise (e.g. regulatory or legal investigations).
Various elements of ISO 27701 Clause 7.5 are applicable within UK GDPR legislation. The table below gives the corresponding references.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
---|---|---|
7.5.1 | Identify Basis for PII Transfer Between Jurisdictions | Articles (15), (44), (45), (46), (47), (49) |
7.5.2 | Countries and International Organisations to Which PII Can Be Transferred | Articles (15), (30) |
7.5.3 | Records of Transfer of PII | Article (30) |
7.5.4 | Records of PII Disclosure to Third Parties | Article (30) |
The ISMS.online platform offers integrated assistance at every stage, together with our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, making the process much easier.
You will also benefit from a variety of time-saving features.
We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.
It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.
Find out more by booking a demo.