
Documentation of personal data processing purposes for data stores

Processing of personal data is only lawful if one of the legal bases set out in the General Data Protection Regulation is met. The organization must be able to communicate the purpose of the processing and the legal basis to the data subject and, where appropriate, to the supervisory authority.

The documentation shall include at least:

  • the legal basis for the processing and the necessary additional information
  • the parties to whom the processing has been outsourced
  • related data sets

Connected other frameworks and requirements:

  • 6. Lawfulness of processing (GDPR)
  • 18.1.4: Privacy and protection of personally identifiable information
  • 30. Records of processing activities (GDPR)
  • A.7.2.2: Identify lawful basis (ISO 27701)
  • A.7.2.8: Records related to processing PII (ISO 27701)

Appointment, tasks and position of a Data Protection Officer (DPO)

Our organization has determined whether a data protection officer should be appointed and, if so, made an appointment.

The Data Protection Officer shall be appointed if:

  • the organization handles sensitive information on a large scale
  • the organization monitors people on an extensive, regular, and systematic basis
  • the organization is a public administration actor

In addition to the appointment, it is essential to regularly assess whether the Data Protection Officer is acting in the role and performing the tasks required by the Data Protection Regulation.

Connected other frameworks and requirements:

  • 38. Position of the data protection officer (GDPR)
  • 39. Tasks of the data protection officer (GDPR)
  • 37. Designation of the data protection officer (GDPR)
  • 18.1.4: Privacy and protection of personally identifiable information
  • 5.34: Privacy and protection of PII (ISO 27001)

Privacy notice reports: publishing and maintenance

With regard to the processing of personal data, the data subject must be provided with the information specified in the GDPR in a concise, comprehensible and easily accessible form. This is often done in the form of privacy statements, which are published, for example, on the organisation's website.

Where personal data have not been collected from the data subject himself, the descriptions shall state, in addition to the basic content:

  • where the data were obtained
  • which categories of personal data are covered

Connected other frameworks and requirements:

  • 14. Information to be provided where personal data have not been obtained from the data subject (GDPR)
  • 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (GDPR)
  • 13. Information to be provided where personal data are collected from the data subject (GDPR)
  • 18.1.4: Privacy and protection of personally identifiable information
  • A.12.1: Geographical location of PII (ISO 27018)

Personnel guidelines for safe processing of personal and confidential data

The Data Protection Officer (or other responsible person) has drawn up operating instructions for personnel handling personal data. In addition, the Data Protection Officer is ready to advise the controller, personal data processing partners or the organization's own staff on compliance with the GDPR or other data protection requirements.

Connected other frameworks and requirements:

  • 29. Processing under the authority of the controller or processor (GDPR)
  • 7.2.2: Information security awareness, education and training (ISO 27001)
  • 18.1.4: Privacy and protection of personally identifiable information
  • 12.1.1: Documented operating procedures (ISO 27001)
  • 11.2.8: Unattended user equipment (ISO 27001)

Management and documentation of data breaches

The organization must document all personal data breaches and their consequences and the corrective actions taken, regardless of the action ultimately resulting from the breach.

Failure to comply with the documentation or notification obligation is contrary to the GDPR and may lead to the sanctions defined in the regulation.

Connected other frameworks and requirements:

  • 18.1.4: Privacy and protection of personally identifiable information
  • 5.34: Privacy and protection of PII (ISO 27001)

Notification of the Data Protection Officer

The organization shall publish the contact details of the data protection officer (e.g. on the organisation's website) and inform the supervisory authority.

Connected other frameworks and requirements:

  • 37. Designation of the data protection officer (GDPR)
  • 6.1.1: Information security roles and responsibilities (ISO 27001)
  • 18.1.4: Privacy and protection of personally identifiable information
  • 18.2.2: Compliance with security policies and standards (ISO 27001)

Implementation and documentation of balance tests

One of the legal grounds for lawful processing of personal data is the pursuit of the legitimate interests of the data controller or a third party. To determine when a legitimate interest is justified, a so-called balance test is done to weigh the interest of the controller or third party against the fundamental rights of the data subject.

When our processing is based on a legitimate interest, we document the implementation of the balancing test and its results so that, if necessary, we can demonstrate that our operations comply with the GDPR.

Connected other frameworks and requirements:

  • 6. Lawfulness of processing (GDPR)
  • 21. Right to object (GDPR)
  • 18.1.4: Privacy and protection of personally identifiable information

Process for receiving and handling data subject requests

Whenever we process personal data, the data subject has certain rights, e.g. to gain access to their data and, in certain situations, to object to processing or have their data deleted.

We have planned procedures for handling data subject requests, which may include e.g.:

  • the ways in which the data subject may make a request for information
  • methods to verify the identity of the sender
  • the persons to whom requests for information are forwarded in relation to each register

Connected other frameworks and requirements:

  • 15. Right of access by the data subject (GDPR)
  • 16. Right to rectification (GDPR)
  • 18. Right to restriction of processing (GDPR)
  • 19. Notification obligation regarding rectification or erasure of personal data or restriction of processing (GDPR)
  • 21. Right to object (GDPR)

Ensuring the timeliness of privacy communication

The purposes of the processing of personal data will change as the business develops. Privacy communications should stay up-to-date and reflect the actual state of processing.

We regularly make sure that all processing purposes are mentioned in communications (e.g. privacy statements), that the processing is accurately described, and that communications are provided to data subjects within the required time limits.

Connected other frameworks and requirements:

  • 12. Transparent information, communication and modalities for the exercise of the rights of the data subject (GDPR)
  • 18.1.4: Privacy and protection of personally identifiable information
  • 18.2.2: Compliance with security policies and standards (ISO 27001)
  • A.7.3.2: Determining information for PII principals (ISO 27701)