ISO 27701, Clause 8.2 – Conditions for Collection and Processing

ISO 27701 Controls and Clauses Explained

Book a demo

young,business,colleagues,working,in,a,busy,open,plan,office

Adherence to ISO 27701 clause 8.2 ensures that organisations are acting lawfully when collecting and processing PII, and are in alignment with any prevailing laws or regulatory stipulations wherever they process PII.

ISO 27701 Clause 8.2.1 – Customer Agreement

Purpose of Clause 8.2.1

Contracts dealing with the processing of PII should be drawn up that address the organisation’s need to provide assistance to the customer, and their obligations.

Guidance on Clause 8.2.1

Contracts should include:

  • The concept of ‘privacy by design’ (see ISO 27701 Clauses 7.4 and 8.4).
  • How the organisation intends to achieve security of processing.
  • How breaches are to be reported, including customer, principals and regulatory authorities.
  • How Privacy Impact Assessments are to be dealt with.
  • Confirmation of the organisation’s intention to provide assistance to PII protection authorities.

Relevant ISO 27701 Clauses

  • ISO 27701 7.4
  • ISO 27701 8.4

ISO 27701 Clause 8.2.2 – Organization’s Purposes

Purpose of Clause 8.2.2

From the outset, PII should only ever be processed in accordance with the customer’s instructions.

Guidance on Clause 8.2.2

Contracts should include SLAs relating to mutual objectives, and any associated time scales that they need to be completed within.

Organisations should acknowledge their right to choose the distinct methods that are used to process PII, that lawfully achieve what the customer is looking for, but without the need to obtain granular permissions on how the organisation goes about it on a technical level.

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 8.2.3 – Marketing and Advertising Use

Purpose of Clause 8.2.3

Organisations need to obtain permission from the PII principle before utilising any data provided for marketing or advertising purposes, and ensure that acceptance of such a use is not a prerequisite to PII being processed.

Guidance on Clause 8.2.3

Marketing and advertising stipulations should be clearly documented in any contracts or service agreements, in line with the above purpose.

Organisations should seek ‘express consent’ that is based upon a transparent and up-to-date representation of how PII is to be used.

ISO 27701 Clause 8.2.4 – Infringing Instruction

Purpose of Clause 8.2.4

Organisations need to be vocal about any processing instruction from the customer that contravenes any laws or regulations.

Guidance on Clause 8.2.4

Organisations need to maintain a thorough working understanding of how instructions have the potential to conflict with applicable legislation or regulatory obligations.

Infringements usually occur surrounding three factors.

  1. How technology is being used.
  2. The premise of the instruction.
  3. Any contractual obligations.

ISO 27701 Clause 8.2.5 – Customer Obligations

Purpose of Clause 8.2.5

Organisations need to be able to provide their customers with sufficient information, so that that customers are able to fulfil their obligations at any given time.

Guidance on Clause 8.2.5

The required information can incorporate a wide range of functions, but is usually related to internal audits, and the organisation’s role in facilitating them through the supply of information.

See how we can help you

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

ISO 27701 Clause 8.2.6 – Records Related to Processing PII

Purpose of Clause 8.2.6

Organisations should keep accurate and up-to-date records that allow them, at any given time, to evidence compliance with any contractual obligations related to the processing of PII.

Guidance on Clause 8.2.6

Depending on the jurisdiction, records may need to include:

  • Categorical lists of processing, on a customer-by-customer basis.
  • Any data transfers to other countries or international organisations.
  • Technical security controls.

Supporting GDPR Articles

Various elements of ISO 27701 Clause 8.2 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.

ISO 27701 Clause IdentifierISO 27701 Clause NameAssociated GDPR Articles
8.2.1Customer AgreementArticles (28), (35)
8.2.2Organisation’s PurposesArticles (5), (28), (29), (32)
8.2.3Marketing and Advertising UseArticle (7)
8.2.4Infringing InstructionArticle (28)
8.2.5Customer ObligationsArticle (28)
8.2.6Records Related to Processing PIIArticle (30)

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, to make the process much easier. You will also benefit from a variety of time-saving features.

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

You’ll need to show how well you manage Data Subject Rights Requests (DRR). Our secure DRR space keeps it all in one place, supporting it with automated reporting and insight.

It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.

Find out more by booking a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Unsure whether to build or buy?

Discover the best way to achieve ISMS success

Get your free guide

Streamline your workflow with our new Jira integration! Learn more here.