
ISO 27701:2025 Has Been Published

The updated ISO 27701:2025 standard was released in July 2025, replacing the 2019 edition. The content on this page relates to the 2019 edition, which remains valid during the transition period until October 2028.


ISO 27701 Clause 6.4.3: Termination and Role Change Compliance

ISO regards privacy protection roles as a fluid concept that needs continual consideration in the face of organisational change.

A significant part of this involves managing privacy-related risks when the organisation terminates a relationship with personnel and/or contracts, or when assigned job roles change in ways that have the potential to impact PII.

What’s Covered in ISO 27701 Clause 6.4.3

ISO 27701 6.4.3 contains one sub-clause that deals solely with guidance on how privacy protection may be affected when employment or supplier contracts either end or change.

To achieve this, ISO 27701 6.4.3 leans heavily on information security guidance contained within ISO 27002 6.5.

ISO 27701 6.4.3 doesn’t contain any further guidance on how employment contracts and responsibilities may or may not affect the implementation and maintenance of a PIMS, nor are there any specific GDPR considerations to keep in mind.




ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.




ISO 27701 Clause 6.4.3.1 – Termination or Change of Employment Responsibilities

References ISO 27002 Control 6.5

When staff members are dismissed, or their job changes, organisations should ensure that privacy protection roles remain valid at all times.

It is vitally important to ensure that any privacy protection-related roles are transferred to another individual when a staff member has left the organisation.

Organisations should also implement procedures that communicate role changes (and any associated operating procedures) to all relevant customers and suppliers.

As well as specific PII-related roles, additional measures may also include the protection of IP, confidentiality agreements, or any knowledge obtained that would warrant protection (see ISO 27002 6.6).

Any responsibilities that continue after termination of employment should be clearly outlined in employment contracts and/or mid-term agreements (see ISO 27002 6.2).

Organisations should use the same set of employee termination or role change procedures when dealing with third-party suppliers whose services are either no longer needed or in need of amendments.

Relevant ISO 27002 Controls

  • ISO 27002 6.2
  • ISO 27002 6.6

Supporting Controls From ISO 27002 and GDPR

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | ISO 27002 Requirement | Associated GDPR Articles |
|---|---|---|---|
| 6.4.3 | Termination and Change of Employment | 6.5 – Responsibilities After Termination Or Change Of Employment for ISO 27002 | None |

How ISMS.online Helps

In order to achieve ISO 27701 you must build a Privacy Information Management System.

With our preconfigured PIMS you can quickly and easily organise and manage customer, supplier and staff information to fully comply with ISO 27701.

You can also accommodate the growing number of global, regional and sector-specific privacy regulations we support on the ISMS.online platform.

Find out more by booking a hands-on demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.
