Control area: 8.4.2 Return, transfer & disposal of PII

Occasionally when data controllers end relationships with data processors disputes break out as to the ownership and return of PII.

Indeed prior to the GDPR agreements in place were often vague or ambiguous with regards to data return and ownership.

The data processor should provide adequate assurance to the data controller that every technical measure has been taken to delete the data if that is stipulated within the agreement. 

If data is to be returned if should be identified and appropriate procedures for transfer be adopted such as DMA (Direct Memory Access). The processing agreement in place between the data controller and processor should stipulate the transfer protocol. A certificate of completion might be issued providing assurances of transfer.

The methods used to include fall-back positions should be documented as in any IT change control procedure. Including any formal disk cleaning procedures.

Clear authorities and responsibilities should be determined within the processor agreement detailing the arrangements required.

It is important to ensure that any data transfers between different jurisdictions are correctly instigated otherwise unlawful processing of PII might occur.

For further information and to book your ISO 27701 survey please contact: Marcus J Allen at Thamer James Ltd. Email: marcus@thamerjames.co.uk

Marcus has twenty years’ experience in information security standards and has assisted numerous organisations in gaining registration to 27001. He holds a BSI 27001 lead auditor certificate and BSI qualifications in 27701. In addition, Marcus is Certified Data Protection Officer, GDPR practitioner qualified and a member of the National Association of Data Protection Officers.