Control area: 7.2 conditions for collection & processing.

The section within 27701 from 7 onwards look at guidance for both PII controllers and PII processors. 

The guidance for the collection and processing of PII suggests the following:

The organisation should fully understand the PII principles that are relevant and the lawful basis for processing. This of course will vary with jurisdiction, but in European countries the GDPR articles 6 – 12 will apply.

The guidance relating to this area also states that without clear statements relating to the purpose of collection, consent and choice cannot be provided.

As ISO / IEC 27701 is an international Standard the lawful basis for processing will vary from jurisdiction. This will need to be determined by the statutes or regulations in force where the entity operates.

The DPA 2018 details:

  • Consent
  • Contract
  • Compliance with legal obligations
  • Vital interests
  • Public interest
  • Legitimate interest

The guidance within 27002 suggests that the entity should define the basis for each processing activity of PII.

Special category data should be identified within a classification scheme, covering health or religious beliefs etc. The guidance also discusses that special category data can vary in its interpretation from one country to another so care should be taken with regards its categorisation.

For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: [email protected]

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is Certified Data Protection Officer, GDPR practitioner qualified and a member of the National Association of Data Protection Officers.