ISO 27701, Clause 8.4 – Privacy by Design and Privacy by Default

ISO 27701 Controls and Clauses Explained

Book a demo

close,up,on,hands,of,diverce,group,of,students,sitting

ISO 27701 clause 8.4 ensures that an organisation’s PII collecting and processing operations limit efforts to the minimum that’s required, in order to achieve a set of identified purposes.

ISO 27701 Clause 8.4.1 – Temporary Files

Purpose of Clause 8.4.1

Organisations need to ensure that temporary files are destroyed within a reasonable amount of time, in accordance with an official retention policy and clear deletion procedures.

Guidance on Clause 8.4.1

A simple way to identify the existence of such files is to perform periodic checks of temporary files across the network.

Organisations should adhere to a so-called garbage collection procedure that deletes temporary files when they’re no longer needed.

ISO 27701 Clause 8.4.2 – Return, Transfer or Disposal of PII

Purpose of Clause 8.4.2

Organisations need to have concrete plans in place that govern how PII can be returned, transferred or disposed of, and make all such policies available to the customer.

Guidance on Clause 8.4.2

There are various scenarios that require the disposal of PII, including (but not limited to):

  • Returning any PII to the customer.

  • Providing the PII to another organisation.

  • Destroying information.

  • De-identification.

  • Archiving.

Organisations need to provide categorical assurances that any PII which is no longer needed is going to be destroyed in accordance with any prevailing legislation or regional guidelines.

All disposal policies should be available to the customer on demand, and should cover the period of time that organisations have to destroy PII, once a contract has been terminated.

Jump to Topic
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

ISO 27701 Clause 8.4.3 – PII Transmission Controls

Purpose of Clause 8.4.3

Whenever the need arises for PII to be transmitted over a data network (including a dedicated link), organisations need to be preoccupied with ensuring that the PII reaches the correct recipients, in a timely manner.

Guidance on Clause 8.4.3

When transferring PII between data networks, organisations should:

  1. Ensure that only authorised individuals are able to perform the transfer.

  2. Stick to published procedures that govern the transfer of PII from the organisation to a third-party.

  3. Retain all audit data.

  4. Include transmission requirements in the customer’s contract.

  5. Consult with the customer prior to any transfer being undertaken, if no written or contractual stipulations exist.

Supporting GDPR Articles

Various elements of ISO 27701 Clause 8.4 are applicable within UK GDPR legislation. Take a look at the below table for the corresponding references.

ISO 27701 Clause IdentifierISO 27701 Clause NameAssociated GDPR Articles
8.4.1Temporary FilesArticle (5)
8.4.2Return, Transfer or Disposal of PIIArticles (28), (30)
8.4.3PII Transmission ControlsArticle (5)

How ISMS.online Helps

The ISMS.online platform offers integrated assistance at every stage, and our ‘Adopt, Adapt, Add’ implementation approach to ISO 27701, to make the process much easier. You will also benefit from a variety of time-saving features.

We’ve created a built-in risk bank and a range of other practical tools that’ll help with every part of the risk assessment and management process.

You’ll be ready when the worst happens. We make it easy to plan and communicate your breach workflow, and document and learn from each and every incident.

Find out more by booking a demo.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Unsure whether to build or buy?

Discover the best way to achieve ISMS success

Get your free guide

ISMS.online now supports ISO 42001 - the world's first AI Management System. Click to find out more