ISO 27701:2025 Has Been Published

The updated ISO 27701:2025 standard was released in July 2025, replacing the 2019 edition. The content on this page relates to the 2019 edition, which remains valid during the transition period until October 2028.

Ensuring Privacy by Design and Privacy by Default in ISO 27701 Clause 8.4

ISO 27701 Clause 8.4 ensures that an organisation’s PII collection and processing operations are limited to the minimum required to achieve a set of identified purposes.

ISO 27701 Clause 8.4.1 – Temporary Files

Purpose of Clause 8.4.1

Organisations need to ensure that temporary files are destroyed within a reasonable amount of time, in accordance with an official retention policy and clear deletion procedures.

Guidance on Clause 8.4.1

A simple way to identify the existence of such files is to perform periodic checks of temporary files across the network.

Organisations should adhere to a so-called garbage collection procedure that deletes temporary files when they’re no longer needed.
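As an added illustration (not code from the page or from ISMS.online), the following Python sweep implements the periodic check and garbage collection procedure described above: it finds temporary files older than a retention period, deletes them (or only reports them in dry-run mode) and returns an audit record per file. The file name patterns and the 30-day retention period are assumptions.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional

# Constructed example: the patterns and retention period are assumptions,
# not values taken from ISO 27701 or from the page.
TEMP_PATTERNS = ("*.tmp", "*.bak", "*~")
DAY = 86400

def find_expired_temp_files(root: Path, retention_days: int, now: float) -> List[Path]:
    """Periodic check: temporary files under root older than the retention period."""
    cutoff = now - retention_days * DAY
    expired = []
    for pattern in TEMP_PATTERNS:
        for path in root.rglob(pattern):
            # Skip symlinks so the sweep never follows a link out of the temp area.
            if path.is_file() and not path.is_symlink() and path.stat().st_mtime < cutoff:
                expired.append(path)
    return sorted(expired)

def garbage_collect(root: Path, retention_days: int, dry_run: bool = True,
                    now: Optional[float] = None) -> List[dict]:
    """Delete expired files (report only when dry_run) and return one audit record per file."""
    now = time.time() if now is None else now
    records = []
    for path in find_expired_temp_files(root, retention_days, now):
        st = path.stat()
        record = {"path": str(path), "bytes": st.st_size,
                  "age_days": int((now - st.st_mtime) // DAY),
                  "action": "would_delete" if dry_run else "deleted"}
        if not dry_run:
            path.unlink()
        records.append(record)  # retained as audit evidence of the deletion procedure
    return records

def demo(retention_days: int = 30) -> dict:
    """Build a constructed temp area with one stale and one fresh temp file, then sweep it."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        stale, fresh, keep = root / "export.tmp", root / "cache.tmp", root / "report.csv"
        stale.write_text("old"); fresh.write_text("new"); keep.write_text("not a temp file")
        os.utime(stale, (now - 45 * DAY, now - 45 * DAY))  # 45 days old: past retention
        preview = garbage_collect(root, retention_days, dry_run=True, now=now)
        deleted = garbage_collect(root, retention_days, dry_run=False, now=now)
        return {"preview": [r["action"] for r in preview],
                "deleted": [Path(r["path"]).name for r in deleted],
                "remaining": sorted(p.name for p in root.iterdir())}

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the dry run reporting the stale file, the real run deleting only it, and the fresh temp file and the non-temp file untouched.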

ISO 27701 Clause 8.4.2 – Return, Transfer or Disposal of PII

Purpose of Clause 8.4.2

Organisations need to have concrete plans in place that govern how PII can be returned, transferred or disposed of, and make all such policies available to the customer.

Guidance on Clause 8.4.2

There are various scenarios that require the disposal of PII, including (but not limited to):

  • Returning any PII to the customer.
  • Providing the PII to another organisation.
  • Destroying information.
  • De-identification.
  • Archiving.

Organisations need to provide categorical assurances that any PII which is no longer needed is going to be destroyed in accordance with any prevailing legislation or regional guidelines.

All disposal policies should be available to the customer on demand, and should cover the period of time that organisations have to destroy PII, once a contract has been terminated.


ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

ISO 27701 Clause 8.4.3 – PII Transmission Controls

Purpose of Clause 8.4.3

Whenever PII needs to be transmitted over a data network (including a dedicated link), organisations must ensure that the PII reaches the correct recipients in a timely manner.

Guidance on Clause 8.4.3

When transferring PII between data networks, organisations should:

  1. Ensure that only authorised individuals are able to perform the transfer.
  2. Stick to published procedures that govern the transfer of PII from the organisation to a third party.
  3. Retain all audit data.
  4. Include transmission requirements in the customer’s contract.
  5. Consult with the customer prior to any transfer being undertaken, if no written or contractual stipulations exist.

Supporting GDPR Articles

Various elements of ISO 27701 Clause 8.4 are applicable within UK GDPR legislation. The table below lists the corresponding references.

ISO 27701 Clause Identifier | ISO 27701 Clause Name                    | Associated GDPR Articles
8.4.1                       | Temporary Files                          | Article (5)
8.4.2                       | Return, Transfer or Disposal of PII      | Articles (28), (30)
8.4.3                       | PII Transmission Controls                | Article (5)

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701 makes the process much easier. You will also benefit from a variety of time-saving features.

We’ve created a built-in risk bank and a range of other practical tools that’ll help with every part of the risk assessment and management process.

You’ll be ready when the worst happens. We make it easy to plan and communicate your breach workflow, and document and learn from each and every incident.

Find out more by booking a demo.


Mike Jennings

Mike is the Integrated Management System (IMS) Manager here at ISMS.online. In addition to his day-to-day responsibilities of ensuring that the IMS security incident management, threat intelligence, corrective actions, risk assessments and audits are managed effectively and kept up to date, Mike is a certified lead auditor for ISO 27001 and continues to enhance his other skills in information security and privacy management standards and frameworks including Cyber Essentials, ISO 27001 and many more.
