ISO 27701 clause 8.5 outlines an organisation’s objectives whenever PII is set to be transferred to or disclosed to other countries, organisations and subcontractors.
Whenever PII is to be transferred between jurisdictions, organisations need to inform the customer of the underlying need to do so, in a timely manner.
PII transfer regulations can vary from region to region, depending on where the data is being transferred to and from.
Transfer destinations can include:
Organisations should give the customer adequate notice of any transfers, so that objections may be raised and, in certain circumstances, termination requests can be made.
Organisations don’t always need to inform customers of changes to their data transfer arrangements, but contracts should clearly outline the circumstances in which they do need to offer advance warning.
When transferring PII to another country, organisations should consider official mechanisms, such as:
Organisations should keep an accurate, up-to-date list of any countries or organisations where PII has the potential to be transferred to.
Customers should be able to view a list of potential recipient countries and organisations at any given time, including a log of all countries involved in PII subcontracting (see ISO 27701 clause 8.5.1).
In certain circumstances, organisations will not always be able to divulge in advance where transfer requests have originated from – particularly in cases involving criminal proceedings. This is unavoidable, and it should be the organisation’s priority to uphold the integrity of a law enforcement operation (see ISO 27701 clauses 7.5.1, 8.5.4 and 8.5.5).
Organisations should meticulously record any instances of them needing to disclose PII to a third party.
Whenever PII is disclosed – either as part of standard business routines or in special circumstances, such as an ongoing legal or regulatory process – organisations should record what’s been disclosed, the recipient, and the underlying reason for doing so.
Whenever a legally-binding request is made for the organisation to disclose PII, where allowed, the organisation should inform the PII principal of the request.
Organisations should draft a procedure that governs how PII principals are notified of legally-binding third party requests for their information, including a reasonable timeframe and a contractual stipulation that outlines the entire process.
Above all, organisations need to comply with the requests of law enforcement agencies, who have the right to require that the customer is not notified of a request. Organisations must ensure they do not break any laws by accidentally or wilfully informing the customer of the situation in such cases.
Organisations should immediately object to any PII disclosure request that contravenes prevailing data security laws, or that is in any way not legally binding.
PII principals should be consulted before the organisation discloses any PII-related information, and organisations should adhere to contractual terms that outline what disclosures are allowed, from the customer’s perspective.
Contracts need to be specific in what they regard as a lawful request, in addition to any that are authorised by the customer, including those that originate from:
Before engaging any subcontractor that is required to process PII, the organisation should disclose the details of the relationship to the customer before allowing the subcontractor to carry out its duties.
All provisions for the use of subcontractors should be listed as such within the SLA/customer contract.
Information on subcontractors should include:
NDAs should be drafted to disclose any information that would represent a heightened security risk if publicly exposed.
Subcontracting PII processing activities is only acceptable under the stipulations contained within a contractual agreement.
Organisations need to obtain written approval from their customers, prior to any PII being processed by a third party organisation.
Subcontractors should be subject to a binding agreement (usually in the form of a written contract), which ensures that subcontractors understand their obligations towards implementing the controls listed in ISO 27701 Annex B.
Contracts should take into account various risk assessment processes (see ISO 27701 clause 5.4.1.2), and the entire scope of the organisation’s PII processing operation (see ISO 27701 clause 6.12). As above, all controls listed in Annex B should be adhered to, with any omissions listed, alongside the justifications for doing so.
Whenever the need arises to change the way that the organisation outsources any element of its PII processing operation, customers should be informed of the changes well in advance in order to give them time to question or object to said changes.
Contracts should include clauses that cater for written authorisation from the customer to go ahead with the change, before any PII is processed.
Organisations may also seek approval for changes within ad-hoc written agreements, outside of any contractual terms.
Various elements of ISO 27701 clause 8.5 are applicable within UK GDPR legislation. The table below gives the corresponding references.
ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
---|---|---|
8.5.1 | Basis for PII Transfer Between Jurisdictions | Articles (44), (46), (48), (49) |
8.5.2 | Countries and International Organisations to Which PII Can Be Transferred | Article (30) |
8.5.3 | Records of PII Disclosure to Third Parties | Article (30) |
8.5.4 | Notification of PII Disclosure Requests | Article (28) |
8.5.5 | Legally Binding PII Disclosures | Article (48) |
8.5.6 | Disclosure of Subcontractors Used to Process PII | Article (28) |
8.5.7 | Engagement of a Subcontractor to Process PII | Article (28) |
8.5.8 | Change of Subcontractor to Process PII | Article (28) |
At ISMS.online, we make documenting your privacy information management system easier for your organisation. We provide you with a logical, usable, cloud-based information management interface that will help your organisation check its privacy processes and progress against the ISO 27701 / PIMS standard.
Our cloud-based platform allows you to access all your PIMS resources in one place.
You can use our easy-to-use platform to document everything you need to show that you meet the requirements of ISO 27701. Our Assured Results Method (ARM) demystifies the requirements of ISO 27701 and gives you confidence as you progress towards the attainment of certification.
We have an in-house team of information security experts who can provide guidance and answer questions to help you on your way to ISO 27701 certification.
Find out more by booking a demo.