Adherence to ISO 27701 clause 8.2 ensures that organisations are acting lawfully when collecting and processing PII, and are in alignment with any prevailing laws or regulatory stipulations wherever they process PII.
Contracts dealing with the processing of PII should be drawn up that address the organisation’s need to provide assistance to the customer, and their obligations.
Contracts should include:
From the outset, PII should only ever be processed in accordance with the customer’s instructions.
Contracts should include SLAs relating to mutual objectives, and any associated time scales that they need to be completed within.
Organisations should acknowledge their right to choose the distinct methods that are used to process PII, that lawfully achieve what the customer is looking for, but without the need to obtain granular permissions on how the organisation goes about it on a technical level.
Organisations need to obtain permission from the PII principle before utilising any data provided for marketing or advertising purposes, and ensure that acceptance of such a use is not a prerequisite to PII being processed.
Marketing and advertising stipulations should be clearly documented in any contracts or service agreements, in line with the above purpose.
Organisations should seek ‘express consent’ that is based upon a transparent and up-to-date representation of how PII is to be used.
Organisations need to be vocal about any processing instruction from the customer that contravenes any laws or regulations.
Organisations need to maintain a thorough working understanding of how instructions have the potential to conflict with applicable legislation or regulatory obligations.
Infringements usually occur surrounding three factors.
Organisations need to be able to provide their customers with sufficient information, so that that customers are able to fulfil their obligations at any given time.
The required information can incorporate a wide range of functions, but is usually related to internal audits, and the organisation’s role in facilitating them through the supply of information.
Book a tailored hands-on session
based on your needs and goals
Book your demo
Organisations should keep accurate and up-to-date records that allow them, at any given time, to evidence compliance with any contractual obligations related to the processing of PII.
Depending on the jurisdiction, records may need to include:
Various elements of ISO 27701 Clause 8.2 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.
| ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
|---|---|---|
| 8.2.1 | Customer Agreement | Articles (28), (35) |
| 8.2.2 | Organisation’s Purposes | Articles (5), (28), (29), (32) |
| 8.2.3 | Marketing and Advertising Use | Article (7) |
| 8.2.4 | Infringing Instruction | Article (28) |
| 8.2.5 | Customer Obligations | Article (28) |
| 8.2.6 | Records Related to Processing PII | Article (30) |
The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, to make the process much easier. You will also benefit from a variety of time-saving features.
We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.
You’ll need to show how well you manage Data Subject Rights Requests (DRR). Our secure DRR space keeps it all in one place, supporting it with automated reporting and insight.
It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.
Find out more by booking a demo.
Book a tailored hands-on session
based on your needs and goals
Book your demo
