How to Meet GDPR Article 31 Compliance Requirements
GDPR Article 31 sets out the legal obligation of a controller or processor to cooperate, on request, with the supervisory authority, whichever authority that may be.
GDPR Article 31 Legal Text
EU GDPR Version
Cooperation with the supervisory authority
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
UK GDPR Version
Cooperation with the commissioner
The controller and the processor and, where applicable, their representatives, shall cooperate, on request, with the Commissioner in the performance of the Commissioner’s tasks.


ISO 27701 Clause 5.2.2 (Understanding the Needs and Expectations of Interested Parties) and EU GDPR Article 31
PII and privacy protection can affect a large number of people, both inside the organisation (employees) and outside it (users and customers).
Organisations need a firm understanding of the needs of everyone affected, whom ISO terms 'interested parties'.
Organisations need to establish and document:
- Any 'interested parties' that are relevant to the broader topic of privacy protection.
- The specific requirements of those parties within the scope of the PIMS (privacy information management system).
Organisations should also take into account any legal, regulatory or contractual obligations, alongside practical and operational requirements.
When implementing a PIMS, organisations need to map out a list of interested parties that are either affected by a PIMS, or have a role to play in processing PII.
Where PII is concerned, an interested party includes, but is not limited to:
- An employee.
- A customer.
- Regulatory, judicial or supervisory authorities.
- Other PII controllers and processors.
It’s important to note that PII requirements – as related to a PIMS – often emanate from a wide range of sources, including:
- Internal processes and goals.
- Governmental and/or regulatory bodies.
- Contractual obligations with third-party organisations.
Governmental and regulatory bodies often cannot directly confirm that an organisation, in its role as a PII controller or processor, adheres to published privacy protection standards.
As such, organisations should expect such bodies to call for independent reviews of any relevant management system in order to satisfy their own auditing requirements.
Index of Linked EU GDPR Articles and ISO 27701 Clauses
GDPR Article | ISO 27701 Clause | ISO 27701 Supporting Clauses |
---|---|---|
EU GDPR Article 31 | ISO 27701 5.2.2 | None |
How ISMS.online Helps
GDPR is one of the world’s toughest privacy and security regulations, with significant fines for violations. Accordingly, organisations are required to protect personal data in a ‘reasonable’ manner.
But here’s the good news.
ISMS.online helps you demonstrate a level of protection that exceeds ‘reasonable’ in a secure, always-on location.
Data mapping made easy.
We make data mapping a simple task. By adding your organisation’s details to our preconfigured dynamic Records of Processing Activity tool, you can easily record and review it all.
If the worst happens, you’ll be ready.
With our tools, you can plan, communicate, document, and learn from every breach.
Find out more by booking a 30 minute demo.