ISO 27701 and Conformance with Privacy Information Management (Part 4)
As previously discussed, ISO/IEC 27701 is a comprehensive international standard that provides specific privacy guidelines for organizations attempting to meet additional requirements for handling PII under regulations like GDPR. This document aligns ISO-compliant organizations with PII-focused standards by implementing a Privacy Information Management System (PIMS).
So far, we’ve covered how ISO 27701 refines ISO 27001 and ISO 27002 guidelines to emphasize handling PII and those specific to data controllers. In this final blog post of our series, we will look closely at Section 8 of ISO 27701 and explore specific guidelines for processors handling PII.
Specifying Processors Under GDPR
In our last post, we described data controllers as the entities that determine the purposes, conditions, and means of processing PII.
A processor, on the other hand, is defined as an entity that processes personal data on behalf of the controller. The processor is the “agent” of the controller in that they handle the actual data processing for that organization.
There’s a bit of overlap between the two, depending on the situation. A logical breakdown of how GDPR may govern these entities looks like this:
- Controllers make decisions about how to collect and process PII. They are the decision-makers and, as such, have specific responsibilities under GDPR law.
- Processors process data for the controllers. As such, they have specific obligations under GDPR that are slightly more restricted than a controller’s.
- Controllers can also be processors, in that an organization that collects data may also process that data. In that case, each of its processes is governed by the additional requirements that apply to it, depending on whether it is a controller’s or a processor’s responsibility.
- Processors can also be controllers in that a processing organization may make decisions about processing PII or have agreements with third-party vendors for IT infrastructure.
It’s important to note that both controllers and processors are subject to the provisions of the GDPR and can be held liable for any non-compliance with the regulation. Controllers and processors must also enter into a written agreement specifying their respective responsibilities and obligations under the GDPR.
Additional Guidance for PII Processors
The fourth and final section of ISO 27701 addresses specific guidance pertaining to PII processors. These requirements go beyond the application of ISO 27001 and ISO 27002 and apply specifically to organizations acting as PII processors.
There are some overlapping expectations between processors and controllers, but the following points address those pertaining to organizations that would be designated only as processors by governing regulations like GDPR.
Conditions for Collection and Processing
The majority of conditions that processors must meet apply to their obligations to their “customers”, that is, the controllers that hire the processing organization.
- Customer Agreement: When processors are working with controllers to process PII, they should have documented processes in place where necessary to address how the processor helps the controller meet their regulatory obligations. This documentation should be part of the contract between the controller and processor.
- Organization’s Purpose: Any PII processing must be done per the controller’s agreement based on explicit instructions from that customer.
- Marketing and Advertising Use: Processors must not use data processed under a controller agreement for marketing or advertising unless they receive consent from the controller. Furthermore, the processor cannot make marketing use of PII a condition of any contract.
- Infringing Instruction: If the controller provides instructions that infringe on regulations that apply to either the processor or controller, the processor should inform the controller of that fact.
- Customer Obligations and Record Keeping: Processors must provide customers (controllers) with the information required by both the controller and the processor to demonstrate compliance.
Obligations to PII Principals
A processor should be able to provide information on how a controller can meet its obligations to PII principals. This includes demonstrating the controls the processor has in place to meet the controller’s specific needs relating to PII principals.
Privacy by Design and by Default
Privacy by design and by default is a general principle stating that any software or hardware system that handles PII must be designed to ensure the privacy of that PII, and that its settings must make privacy the default configuration.
- Temporary Files: Any temporary files (logs, file system roll-back journals) created while processing PII must be disposed of, and the disposal process must be documented.
- Return, Transfer, or Disposal of PII: Processors must be able to transfer or dispose of PII securely. They should also be able to return data to the controller upon request.
- PII Transmission Controls: Any PII transmitted over networks must pass through systems protected with proper controls to ensure that only authorized users can access that data. Requirements for these controls should be provided as part of the controller’s contract.
PII Sharing, Transfer, and Disclosure
Any data transmission outside of the customer relationship (specifically, transmission to outside parties) has its own guidelines.
- Transfer Between Jurisdictions: If a processor transfers PII to another jurisdiction, they must inform the controller promptly so that the controller may object. The processor must include their reasoning for the transfer or the basis on which it is required or acceptable.
- Transfer to Foreign Countries and International Organizations: Processors must provide their controllers with an updated list of all countries and international organizations where they may transfer PII as part of their operations.
- Recording Disclosure to Third Parties: Any disclosures made during normal operations must be documented and reported to the controller. This reporting must include what data has been disclosed, to whom, and when. It also includes notification of any disclosure requests, such as those from law enforcement.
- Legally-Binding PII Disclosures: Processors should reject unlawful disclosure requests out of hand and consult with the controller about whether a disclosure is appropriate. If the controller authorizes the disclosure, the processor should proceed with it.
- Disclosure of Subcontractors: Processors should disclose to their customers the use of any subcontractors used to process PII. This can include any outsourced infrastructure or managed services.
Stay Ahead of Evolving ISO Requirements with Lazarus Alliance
The ISO 27701 standard is intended to help organizations already implementing their ISMS program adjust and refine for the challenges of regulations like GDPR and CCPA. While some of these refinements are relatively straightforward, it’s crucial to understand how those changes result in a unique PIMS infrastructure.
Are you looking to apply ISO 27701 standards to your organization? Contact Lazarus Alliance.