
ISO 27701 Clause 7.5.1 – Identify Basis for PII Transfer Between Jurisdictions

Purpose of Clause 7.5.1

From time to time, the need may arise to transfer PII between two distinct jurisdictions. When this occurs, organisations should justify and document the need for doing so.

Guidance on Clause 7.5.1

Regional regulatory and legal rules vary depending on where the data has originated from, and where it’s going to be transferred to.

Organisations should take all relevant laws, frameworks and regulations into account whenever they need to transfer data between jurisdictions, including the use of a designated supervisory authority.








ISO 27701 Clause 7.5.2 – Countries and International Organizations to Which PII Can Be Transferred

Purpose of Clause 7.5.2

Organisations should keep a documented list of the countries and organisations that they could potentially transfer their PII to, under reasonable circumstances.

Guidance on Clause 7.5.2

Once they’ve formulated a list, organisations should make the information available to their customers, including any subcontracted PII operations (see ISO 27701 Clause 7.5.1).

In certain circumstances – especially in the case of criminal investigations – confidentiality laws may prevent the organisation from revealing the identity of destination countries and organisations in advance (see ISO 27701 Clauses 8.5.4 and 8.5.5).

Relevant ISO 27701 Clauses

  • ISO 27701 7.5.1
  • ISO 27701 8.5.4
  • ISO 27701 8.5.5

ISO 27701 Clause 7.5.3 – Records of Transfer of PII

Purpose of Clause 7.5.3

It’s vitally important that organisations keep an accurate record of PII transfers to third party organisations.

Guidance on Clause 7.5.3

Organisations should be able to record PII that has been amended in any way (in line with the controller’s obligations and objectives), or transfers that are required before enacting a request from the PII principal to change or erase the PII.

Records should be subject to a proportional retention period, and should be subject to data minimisation rules that return only that which is needed to fulfil a specific objective.








ISO 27701 Clause 7.5.4 – Records of PII Disclosure to Third Parties

Purpose of Clause 7.5.4

Organisations should log any disclosure of PII to third parties, including the following three pieces of information:

  • What’s been disclosed.
  • Who the information has been disclosed to.
  • When the disclosure was made (date and time).

Guidance on Clause 7.5.4

It’s standard practice to disclose PII for a variety of reasons, throughout an organisation’s information processing operation.

Logs should be made of disclosures that occur during normal business practices, and any special circumstances that arise (i.e. regulatory or legal investigations).

Supporting GDPR Articles

Various elements of ISO 27701 Clause 7.5 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.

| ISO 27701 Clause Identifier | ISO 27701 Clause Name | Associated GDPR Articles |
| --- | --- | --- |
| 7.5.1 | Identify Basis for PII Transfer Between Jurisdictions | Articles (15), (44), (45), (46), (47), (49) |
| 7.5.2 | Countries and International Organisations to Which PII Can Be Transferred | Articles (15), (30) |
| 7.5.3 | Records of Transfer of PII | Article (30) |
| 7.5.4 | Records of PII Disclosure to Third Parties | Article (30) |

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, to make the process much easier.

You will also benefit from a variety of time-saving features.

We make data mapping a simple task. It’s easy to record and review it all, adding your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

It’s easy to set up and run different kinds of privacy assessment, from data protection impact assessments to regulatory or compliance readiness ones.

Find out more by booking a demo.


Toby Cane

Partner Customer Success Manager

Toby Cane is the Senior Partner Success Manager for ISMS.online. He has worked for the company for close to 4 years and has performed a range of roles, including hosting their webinars. Prior to working in SaaS, Toby was a Secondary School teacher.
