Free ebook: NIS2 ready using ISO 27001 best practices
Download ebook

Learn more about the connected frameworks

A.7.3.10
ISO 27701

Automated decision making

Other tasks from the same security theme

Documentation of personal data processing purposes for data stores

Critical
High
Normal
Low

Processing of personal data is only lawful if one of the legal bases set out in the General Data Protection Regulation is met. The organization must be able to communicate the purpose of the processing and the legal basis to the data subject and, where appropriate, to the supervisory authority.

The documentation shall include at least:

  • the legal basis for the processing and the necessary additional information
  • the parties to whom the processing has been outsourced
  • related data sets
6. Lawfulness of processing
GDPR
18.1.4: Privacy and protection of personally identifiable information
30. Records of processing activities
GDPR
A.7.2.2: Identify lawful basis
ISO 27701
A.7.2.8: Records related to processing PII
ISO 27701

Records of processing activities -report publishing and maintenance

Critical
High
Normal
Low

Records of processing activities is a written description of the processing of personal data by the organization.

This report is mandatory if any of the following occurs:

  • the organization has more than 250 employees
  • the processing of personal data is not incidental
  • the processing of personal data is likely to pose a risk to the data subject's rights and freedoms
  • the personal data processed contain special categories of data or personal data relating to criminal convictions and offenses

Records must be kept up to date. They also serve as a first-level way of assessing the lawfulness of processing, so it must be provided to the supervisory authority on request.

In Cyberday, records of processing activities is an own report, which is automatically gathered from the data on documentation sections.

30. Records of processing activities
GDPR
A.7.2.8: Records related to processing PII
ISO 27701

Personnel guidelines for safe processing of personal and confidential data

Critical
High
Normal
Low

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or their own staff on compliance with GDPR or other data protection requirements.

29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO 27001
18.1.4: Privacy and protection of personally identifiable information
12.1.1: Documented operating procedures
ISO 27001
11.2.8: Unattended user equipment
ISO 27001

Data store listing and owner assignment

Critical
High
Normal
Low

Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.

Data store documentation must include at least:

  • Connected responsibilities
  • Data processing purposes (covered in a separate task)
  • Data sets included in the data store (covered in a separate task)
  • Data disclosures (covered in a separate task)
  • When necessary, data stores connections to action processes
2 luku, 5 §: Tiedonhallintamalli ja muutosvaikutuksen arviointi
6. Lawfulness of processing
GDPR
5. Principles relating to processing of personal data
GDPR
8.1.1: Inventory of assets
ISO 27001
ID.GV-4: Processes
NIST CSF

Collection and documentation of explicit consents

Critical
High
Normal
Low

The organization has identified the purposes of use of personal data where explicit consent is required as the legal basis for processing. In addition, the organization has defined methods for documenting the explicit consents received.

Explicity refers to the unequivocal way in which the data subject expresses his consent. Such consent can be given e.g. by traditional signature of the statement, electronic signature or acknowledgment after two-step identification.

Situations requiring specific identification may include e.g.

  • Special personal data (e.g. health data) processing
  • Data transferred to third countries (when other transfer criteria according to the GDPR cannot be met)
  • Automatic decision-making or profiling
No items found.

Informing of infringing processing instructions

Critical
High
Normal
Low

It is the responsibility of the organization to notify the customer if the processing instructions seem to violate laws or official requirements.

A.8.2.4: Infringing instruction
ISO 27701

Restriction of processing for personal data processed on behalf of a customer

Critical
High
Normal
Low

When an organization offers e.g. digital services to its customer, the contract between the organization and the customer must specify e.g. the goal of the service and the schedule related to its delivery.

The organization must ensure that personal data processed on behalf of the customer is processed only for the purposes stated in the customer's written instructions.

The customer must also be offered the opportunity to verify the organization's operation in relation to the instructions. This ensures that the organization and its subcontractors process personal data only for the purposes indicated by the customer.

A.8.2.2: Organization's purposes
ISO 27701

Limiting marketing and advertising use of personal data processed under a contract

Critical
High
Normal
Low

The organization should ensure that personal data processed on a contractual basis is not used for marketing or advertising unless there is prior consent from the data subject.

Consent to marketing and advertising cannot be used as a condition for receiving the service.

A.8.2.3: Marketing and advertising use
ISO 27701

Consent condition review

Critical
High
Normal
Low

The organization must regularly review its way of collecting consent from data subjects to ensure that the consent is unambiguous and precise.

A.7.2.4: Obtain and record consent
ISO 27701

Process for safe destruction of temporary files and data from data systems

Critical
High
Normal
Low

Each data system can create temporary files during its normal operations. These can include e.g. roll-back journals or temporary files associated with updates.

Organisation should have documented a certain time period and process, how temporary files and documents must be destroyed. Organisation should also define procedures for recognizing relevant files that are temporary and not used for any operation by the data system anymore.

Data systems used for processing personal data should have a periodic reviewing process to identify unused temporary data for destruction.

A.5: Data minimization
ISO 27018
A.5.1: Secure erasure of temporary files
ISO 27018
A.8.4.1: Temprorary files
ISO 27701

Getting a proper consent for potential commercial utilization purposes of customer-owned data

Critical
High
Normal
Low

Personal data processed under a contract, e.g. when offering a cloud service for a customer, are not to be used for marketing or advertising purposes without a clear consent from the customer that controls the data.

This consent can’t be e.g. demanded as a prerequisite for being able to utilize the offered cloud service.

This requirement is in line with general personal data processing requirements, where all personal data processing must have a clear legal basis. Potential processing must be documented normally.

A.3.2: Public cloud PII processor's commercial use
ISO 27018

Purpose limitation of processed, customer-owned data in offered cloud services

Critical
High
Normal
Low

Personal data in offered cloud services that is processed under a contract can not be processed for any other purpose or differently from customers instructions.

Customer instructions for the data processor can be contained in the contract between the cloud service provider and customer including, e.g. the objective and probable time frame of the service.

A.3.1: Public cloud PII processor’s purpose
ISO 27018

Documentation of conditions of consent for relevant processing purposes

Critical
High
Normal
Low

If our organization processes personal data based on the consent of the data subject, we must ensure that the conditions for consent are met. The conditions for lawful consent are:

  • The controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data
  • The request for consent must be clearly separated from other matters in an easily comprehensible form
  • The data subject may withdraw her consent at any time and has been instructed to do so before giving her consent
  • Withdrawal of consent must be as easy as giving it

The Data Protection Officer may be responsible for assessing the conditions of consent. It is also important to consider, whether consent is generally appropriate as a legal basis for the corresponding processing.

7. Conditions for consent
GDPR
17. Right to erasure (‘right to be forgotten’)
GDPR
A.7.2.3: Determine when and how consent is to be obtained
ISO 27701
A.7.2.4: Obtain and record consent
ISO 27701
A.7.3.4: Providing mechanism to modify or withdraw consent
ISO 27701

Implementation and documentation of balance tests

Critical
High
Normal
Low

One of the legal grounds for lawful processing of personal data is the implementation of the data controller or a third party's legitimate interests. To determine when a legitimate interest is justified, a so-called balance test is done to weigh controller or a third party interest against the basic rights of the data subject.

When our processing based on a legitimate interest, we document the implementation of the balancing test and its results so that, if necessary, we can demonstrate that our operations comply with GDPR.

6. Lawfulness of processing
GDPR
21. Right to object
GDPR
18.1.4: Privacy and protection of personally identifiable information

Defining and documenting retention times for data sets

Critical
High
Normal
Low

Limiting the retention time is one of the principles of the processing of personal data. If the retention period of the data is not provided by law, when determining the retention periods, the following must be taken into account, for example:

  • the necessity of the data for its original processing purpose
  • implementation and verification of the interests, rights, obligations and legal protection of a natural or legal person
  • the legal effect of the contract or other legal action in civil matters
  • statutory limitation periods
  • criminal limitation periods

Describe your own process for evaluating retention periods.

5 luku, 21 §: Tietoaineistojen säilytystarpeen määrittäminen
5. Principles relating to processing of personal data
GDPR
18.1.3: Protection of records
ISO 27001
PR.IP-6: Data destruction
NIST CSF
A.7.4.2: Limit processing
ISO 27701

Executing and documenting data protection impact assessments

Critical
High
Normal
Low

The purpose of a data protection impact assessment is to help identify, assess and manage the risks involved in the processing of personal data. An impact assessment must be carried out when the processing of personal data is likely to pose a high risk to people's rights and freedoms. Risks are increased by, for example, the use of new technologies, the processing of sensitive personal data, the automation of personal characteristics or the scale of processing in general.

Task owner regularly evaluates organisation's processing of personal data, in particular, the databanks and related processing purposes and the data systems used, in order to determine the need for impact assessments. Task owner is also responsible for ensuring the identified impact assessments get conducted and documented.

35. Data protection impact assessment
GDPR
36. Prior consultation
GDPR
A.7.2.5: Privacy impact assessment
ISO 27701

Identifying and complying with additional requirements related to automated decision-making

Critical
High
Normal
Low

The organization should identify the statutory obligations concerning data subjects in relation to decisions concerning data subjects that are based on automated processing (e.g. notifying the data subject of automated decision-making) and ensure that these requirements are met in its own operations.

A.7.3.10: Automated decision making
ISO 27701

Processing of a child's personal data in connection with the provision of information society services based on consent

Critical
High
Normal
Low

If our organization provides information society services directly to a child, it is legal to process personal data on the basis of consent if the child is at least 16 years old.

If the child is under the age of 16, such processing is lawful only if and to the extent that the child's parent has given his or her consent or authorization.

Our organization has defined the relevant situations and the procedures to be applied to ensure that consent is obtained from the child's parents, if necessary.

8. Conditions applicable to child's consent in relation to information society services
GDPR

Processing of personal data related to criminal convictions and offenses

Critical
High
Normal
Low

We know whether the processing of personal data involves information related to criminal convictions and violations.

If we process personal data relating to criminal convictions and offenses, we carry out the processing either under the supervision of an authority or the processing must be permitted by Union law / Member State law where appropriate safeguards are in place to protect the data subject's rights and freedoms.

10. Processing of personal data relating to criminal convictions and offences
GDPR

Regular self-evaluation of the lawfulness of processing personal data

Critical
High
Normal
Low

GDPR defines six main legal bases for the lawful processing of personal data. In addition, more strict requirements apply to processing of special groups of personal data. The legal basis must also be communicated to the data subjects in privacy communication. However, not all legal bases adapt to all situations and the application of certain legal bases imposes additional requirements on the controller.

The Data Protection Officer (or other responsible person) helps to develop the lawfulness of the processing by assessing the legal bases for the different purposes in cooperation with the units carrying out the processing and on the basis of data protection communications.

6. Lawfulness of processing
GDPR
9. Processing of special categories of personal data
GDPR

Privacy-related codes of conduct and certification

Critical
High
Normal
Low

GDPR encourages the introduction of a number of general codes of conduct and certification mechanisms, data protection shields and marks, especially at the European Union level.

The idea behind all of these is to show that the processing is in line with good data processing and data protection requirements. The European Data Protection Council will gather all available certification mechanisms publicly available.

32. Security of processing
GDPR

Data privacy statement process

Critical
High
Normal
Low

A yearly privacy statement is a voluntary report drawn up by the organization that gives an overall picture of the current status of the organization's personal data processing. The report is intended as a management tool to increase stakeholder confidence that the organization adheres to a good regulatory approach to personal data processing.

No items found.