ISO 27701 privacy management prompt library
About this prompt library
This prompt library helps organizations implement ISO/IEC 27701:2019, the international standard for Privacy Information Management Systems (PIMS). ISO 27701 extends ISO 27001 and ISO 27002 with privacy-specific requirements and guidance for PII controllers and processors.
ISO 27701 maps to GDPR, CCPA, and other privacy regulations, making it a valuable framework for multi-jurisdictional privacy compliance. It requires an existing ISO 27001 ISMS as a foundation.
PIMS establishment
Privacy scoping and applicability
Determine ISO 27701 scope and our role as PII controller and/or processor:
Organization overview:
- Name and industry: [organization details]
- Personal data processed: [customer PII, employee data, vendor contacts, health data, financial data]
- Geographic scope: [countries/regions where we operate and where data subjects are located]
- Privacy regulations applicable: [GDPR, CCPA, LGPD, PIPEDA, APPI, etc.]
Role determination:
PII Controller:
- Do we determine purposes and means of PII processing? [Yes/No]
- Examples: [processing customer data for our services, employee HR data, marketing databases]
- Applicable ISO 27701 controls: Clauses 6.2-6.16 (controller requirements)
PII Processor:
- Do we process PII on behalf of others per their instructions? [Yes/No]
- Examples: [providing cloud hosting, data analytics services, payroll processing for clients]
- Applicable ISO 27701 controls: Clauses 7.2-7.5 (processor requirements)
Dual role:
- Many organizations are both controllers (for their own processing) and processors (for client data)
- Document each processing activity and the role for that activity
PIMS scope:
- Departments/functions in scope: [HR, marketing, sales, customer support, IT, product]
- PII processing activities in scope: [list key processing activities]
- Systems and applications: [CRM, HR systems, marketing automation, databases, cloud services]
- Exclusions: [any out-of-scope processing]
Create Records of Processing Activities (RoPA) per GDPR Article 30, mapping each activity to the controller/processor role and ISO 27701 controls.
PIMS integration with ISMS
Integrate Privacy Information Management System with existing ISO 27001 ISMS:
ISO 27001 ISMS status:
- Certified: [Yes/No, certification body, certification date]
- Implemented but not certified: [maturity level]
- Not yet implemented: [ISO 27701 requires ISO 27001 foundation - implement ISMS first]
PIMS integration approach:
1. ISMS Context (Clause 4): Extend to include privacy
- Stakeholders: Add data subjects, privacy regulators (DPAs), data protection officer (DPO)
- Legal and regulatory requirements: Add GDPR, CCPA, other privacy laws
- Scope: Extend to cover PII processing activities
2. Leadership (Clause 5): Privacy governance
- Top management commitment to privacy
- Privacy policy integrated with information security policy
- Roles and responsibilities: Designate DPO or privacy officer, privacy champions
- Privacy in risk management and objectives
3. Planning (Clause 6): Privacy risk assessment
- Identify privacy risks (unauthorized disclosure, excessive collection, lack of consent, data subject rights violations)
- Privacy impact assessments (PIAs/DPIAs) for high-risk processing
- Privacy objectives and metrics
4. Support (Clause 7): Privacy awareness and competence
- Privacy training for all staff handling PII
- Specialized training for roles (DPO, developers, marketers)
- Data protection by design and default awareness
5. Operation (Clause 8): Privacy controls implementation
- Implement ISO 27701 Annex A (controller controls) and Annex B (processor controls)
- Privacy by design in new systems and processes
- Data subject rights procedures (access, erasure, portability, objection)
- Consent management, privacy notices
- Vendor management for processors
6. Performance Evaluation (Clause 9): Privacy monitoring
- Privacy metrics and KPIs (DSARs handled on time, consent rates, privacy incidents)
- Privacy audits (internal, external, DPA inspections)
- Management review including privacy performance
7. Improvement (Clause 10): Privacy incident management and improvement
- Personal data breach response and notification (72 hours to DPA, without undue delay to data subjects)
- Corrective actions from privacy audits and incidents
- Continuous privacy improvement
Create PIMS documentation structure extending existing ISMS documentation: privacy policy addendum, privacy-specific procedures, privacy control mapping to ISO 27701 Annex A/B.
PII Controller requirements (Clauses 6.2-6.16)
Privacy notices and transparency (ISO 27701 Clauses 6.2-6.4)
Develop privacy notices and transparency mechanisms per ISO 27701 controller requirements:
6.2 - Identify and document purpose:
- For each processing activity, document: purpose, legal basis, data collected, retention period, recipients
6.3 - Identify lawful basis (GDPR Article 6):
- Consent: [when we rely on consent]
- Contract: [processing necessary for contract performance]
- Legal obligation: [compliance with laws]
- Vital interests: [life or death situations]
- Public task: [public authority functions]
- Legitimate interests: [balancing test, legitimate interests assessment]
6.4 - Obtain and record consent (when applicable):
- Consent must be: freely given, specific, informed, unambiguous, demonstrable
- Consent mechanisms: [checkboxes, opt-in forms, consent management platforms]
- Consent records: who, when, what, how, withdrawal method
- Special category data consent (explicit consent for sensitive data: health, biometric, etc.)
- Children's data: Parental consent for under 13/16 (jurisdiction-dependent)
Privacy Notice requirements (transparency):
- Identity and contact details of controller
- Contact details of Data Protection Officer (if applicable)
- Purposes and legal basis for each purpose
- Categories of PII collected
- Recipients or categories of recipients (third parties, processors, international transfers)
- Retention periods or criteria
- Data subject rights (access, rectification, erasure, restriction, portability, objection, withdraw consent)
- Right to lodge complaint with supervisory authority
- Whether providing PII is contractual/statutory requirement or necessary for contract
- Automated decision-making including profiling (logic, significance, consequences)
- International transfers and safeguards (SCCs, adequacy decisions, BCRs)
Privacy notice formats:
- Layered approach: Short notice (key points) + full privacy policy (complete details)
- Just-in-time notices: Contextual privacy information at collection points
- Accessible formats: Plain language, translations, accessible for disabilities
Create privacy notice templates for:
- Website visitors and customers
- Employees and job applicants
- Vendors and business contacts
- Special categories (children, health data subjects, etc.)
Map to GDPR Articles 13-14, CCPA disclosure requirements, and other applicable privacy laws.
Data subject rights procedures (ISO 27701 Clauses 6.5-6.10)
Implement data subject rights fulfillment procedures per ISO 27701:
6.5 - Privacy by design and by default:
- Integrate privacy into system design and development lifecycle
- Default settings: Collect only necessary PII, limit processing to purpose, limit access, limit retention
- Privacy-enhancing technologies: Encryption, pseudonymization, anonymization
6.6 to 6.10 - Data subject rights procedures:
Right of Access (GDPR Article 15):
- Request method: [online portal, email, written request]
- Identity verification (prevent unauthorized disclosure)
- Response timeline: 1 month (extendable by 2 months if complex)
- Information to provide: Copy of PII, processing purposes, categories, recipients, retention, rights, automated decisions
- Format: Structured, commonly used, machine-readable (e.g., JSON, CSV)
Right to Rectification (GDPR Article 16):
- Procedure to correct inaccurate or incomplete PII
- Notification to recipients if PII was disclosed
- Timeline: 1 month
Right to Erasure / Right to be Forgotten (GDPR Article 17):
- Grounds for erasure: No longer necessary, consent withdrawn, objection, unlawful processing, legal obligation
- Exceptions: Legal claims, freedom of expression, legal obligations, public interest
- Technical procedures: Data deletion, backup erasure (or flagging for deletion when restored)
- Notification to recipients and search engines (if publicly disclosed)
Right to Restriction of Processing (GDPR Article 18):
- Grounds: Accuracy contested, unlawful processing, no longer needed but subject needs for legal claims, objection pending
- Mark PII as restricted, limit processing to storage only (except with consent or legal claims)
Right to Data Portability (GDPR Article 20):
- Scope: Automated processing based on consent or contract
- Provide PII in structured, machine-readable format
- Transmit directly to another controller if technically feasible
Right to Object (GDPR Article 21):
- Grounds: Processing based on legitimate interests or public interest
- Stop processing unless compelling legitimate grounds override
- Direct marketing: Absolute right to object, no balancing test
- Automated decision-making opt-out
Right not to be subject to Automated Decision-Making including Profiling (GDPR Article 22):
- Prohibition on fully automated decisions with legal/significant effects (unless consent, contract, or law)
- Human review mechanism for automated decisions
- Explanation of logic, significance, and consequences
Data Subject Rights Infrastructure:
- Request intake: [web form, email address, phone line]
- Request tracking system: [ticketing system, DSAR platform]
- Identity verification process
- Response templates by right type
- Escalation for complex requests
- Metrics: Request volume, type, response time, fulfillment rate
Create DSAR procedures, request forms, response templates, and training materials for teams handling requests.
PII lifecycle management (ISO 27701 Clauses 6.11-6.16)
Manage PII lifecycle per ISO 27701 controller requirements:
6.11 - Limit collection:
- Data minimization: Collect only PII necessary for specified purpose
- Purpose limitation: Process only for original purpose (or compatible purpose)
- Collection limitation assessment for each processing activity
6.12 - Accuracy and quality:
- Processes to ensure PII is accurate, complete, up-to-date
- Periodic review and validation (e.g., annual email confirmation, customer profile reviews)
- Rectification upon request or error detection
- Deletion or restriction of inaccurate data
6.13 - PII retention and disposal:
- Retention schedule: Specify retention period for each PII category and purpose
- Retention justification: Legal requirements, business needs, consent duration
- Automated deletion or anonymization at end of retention
- Secure disposal methods: [deletion, wiping, anonymization, destruction]
- Backup retention aligned with retention policy
Example retention schedule:
- Customer account data: Retained while account active + [X years] for legal/warranty obligations
- Marketing consents: Until consent withdrawn or [X years] of inactivity
- Employee data: Duration of employment + [X years] for legal obligations (tax, labor law)
- CCTV footage: [30 days] unless incident investigation
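An added example, not part of the prompt library, that evaluates the retention schedule above against a constructed inventory. The periods (6, 2 and 7 years, 30 days), the trigger field names, and the choice of anonymize versus delete per category are assumptions standing in for the [X years] placeholders.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, Optional

# Assumed retention schedule filling the [X years] placeholders from the prompt above.
# "anonymize" keeps aggregate statistics without identifiers; "delete" removes the record.
RETENTION_RULES = {
    "customer_account":  {"trigger": "closed_on",           "years": 6, "action": "anonymize"},
    "marketing_consent": {"trigger": "last_activity_on",    "years": 2, "action": "delete"},
    "employee":          {"trigger": "employment_ended_on", "years": 7, "action": "delete"},
    "cctv":              {"trigger": "recorded_on",         "days": 30, "action": "delete"},
}

@dataclass
class PiiRecord:
    record_id: str
    category: str
    dates: Dict[str, date] = field(default_factory=dict)  # trigger dates present on the record
    consent_withdrawn: bool = False   # marketing consents: withdrawal ends retention at once
    legal_hold: bool = False          # e.g. CCTV footage kept for an incident investigation

def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                 # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)

def retention_end(record: PiiRecord) -> Optional[date]:
    """Last day the record may be kept, or None while the retention clock has not started."""
    rule = RETENTION_RULES[record.category]
    if record.category == "marketing_consent" and record.consent_withdrawn:
        return date.min                # dispose at the next run
    trigger = record.dates.get(rule["trigger"])
    if trigger is None:                # account still open, employee still employed
        return None
    if "days" in rule:
        return trigger + timedelta(days=rule["days"])
    return _add_years(trigger, rule["years"])

def disposal_action(record: PiiRecord, today: date) -> str:
    """Decide what the disposal run should do with one record today."""
    if record.legal_hold:
        return "retain: legal hold"
    end = retention_end(record)
    if end is None:
        return "retain: retention period not started"
    if today <= end:
        return f"retain until {end.isoformat()}"
    return RETENTION_RULES[record.category]["action"]

def disposal_run(records, today: date) -> Dict[str, str]:
    """Evaluate every record; the result doubles as the disposal record for the audit trail."""
    return {r.record_id: disposal_action(r, today) for r in records}

# Constructed sample inventory.
SAMPLE_RECORDS = [
    PiiRecord("cust-1", "customer_account", {"closed_on": date(2019, 5, 1)}),
    PiiRecord("cust-2", "customer_account"),                      # still active
    PiiRecord("mkt-1", "marketing_consent", {"last_activity_on": date(2024, 1, 15)}),
    PiiRecord("mkt-2", "marketing_consent", {"last_activity_on": date(2025, 5, 1)}, consent_withdrawn=True),
    PiiRecord("emp-1", "employee", {"employment_ended_on": date(2017, 12, 31)}),
    PiiRecord("cctv-1", "cctv", {"recorded_on": date(2025, 4, 20)}),
    PiiRecord("cctv-2", "cctv", {"recorded_on": date(2025, 4, 20)}, legal_hold=True),
]

def sample_run() -> Dict[str, str]:
    return disposal_run(SAMPLE_RECORDS, date(2025, 6, 1))

if __name__ == "__main__":
    for rid, action in sample_run().items():
        print(rid, "->", action)
```

Backups should be evaluated by the same rules so that their retention stays aligned with the schedule.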
6.14 - PII de-identification, pseudonymization, anonymization:
- Pseudonymization: Replace identifying fields with pseudonyms, retain ability to re-identify with key
- Anonymization: Irreversibly de-identify, no re-identification possible (falls outside GDPR scope)
- Use cases: Analytics, testing environments, research, public disclosure
- Techniques: Hashing, tokenization, generalization, data masking
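An added example, not from the prompt library, contrasting keyed pseudonymization (linkable, re-identifiable only with the separately held key and lookup table) with generalization-based anonymization. The record fields, the HMAC truncation length and the banding rules are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict

class Pseudonymizer:
    """Keyed pseudonymization (HMAC-SHA256). The same identifier always yields the same
    pseudonym, so records stay linkable for analytics, but reversing it needs the key and
    the lookup table: the 'additional information' that must be kept separately from the data.
    An unkeyed hash of an email address is not anonymization: identifiers drawn from a small
    space can be matched against candidate values, so the secret key is what makes this hold."""

    def __init__(self, key: bytes):
        if len(key) < 32:
            raise ValueError("use a key of at least 256 bits")
        self._key = key
        self._lookup: Dict[str, str] = {}   # pseudonym -> original identifier

    @staticmethod
    def _normalize(identifier: str) -> str:
        return identifier.strip().lower()   # Alice@Example.com and alice@example.com must link

    def pseudonym(self, identifier: str) -> str:
        ident = self._normalize(identifier)
        token = hmac.new(self._key, ident.encode(), hashlib.sha256).hexdigest()[:24]
        self._lookup[token] = ident
        return token

    def reidentify(self, token: str) -> str:
        return self._lookup[token]          # KeyError if the token was never issued

# Generalization, used for both the pseudonymized and the anonymized output.
def age_band(age: int) -> str:
    low = (age // 10) * 10
    return f"{low}-{low + 9}"

def coarse_postcode(postcode: str) -> str:
    return postcode.strip().upper().split()[0]   # keep only the outward code

def pseudonymize(record: dict, pz: Pseudonymizer) -> dict:
    """For testing/analytics environments where re-identification must remain possible."""
    return {"subject": pz.pseudonym(record["email"]), "age_band": age_band(record["age"]),
            "area": coarse_postcode(record["postcode"]), "purchases": record["purchases"]}

def anonymize(record: dict) -> dict:
    """For research or public disclosure: no key, no table, no direct identifier survives.
    Generalization alone may still leave small groups identifiable; check group sizes before release."""
    return {"age_band": age_band(record["age"]), "area": coarse_postcode(record["postcode"]),
            "purchases": record["purchases"]}

# Constructed sample records (two rows belong to the same person, spelled differently).
SAMPLE = [
    {"email": "Alice@Example.com", "age": 34, "postcode": "SW1A 1AA", "purchases": 3},
    {"email": "alice@example.com", "age": 34, "postcode": "SW1A 1AA", "purchases": 2},
    {"email": "bob@example.org",   "age": 58, "postcode": "M1 1AE",   "purchases": 1},
]

if __name__ == "__main__":
    pz = Pseudonymizer(secrets.token_bytes(32))   # key generated here only for the demo
    for row in SAMPLE:
        print(pseudonymize(row, pz), anonymize(row))
```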
6.15 - Temporary files management:
- Temporary files, caches, logs containing PII
- Retention limits and deletion for temp files
- Secure deletion from temporary storage
6.16 - Disposal:
- Secure disposal at end of retention or upon erasure request
- Methods: Secure deletion, degaussing, shredding, overwriting
- Disposal verification and records
- Disposal of PII on decommissioned systems and media
Create data retention policy, disposal procedures, and disposal records for audit trail.
PII Processor requirements (Clauses 7.2-7.5)
Processor obligations (ISO 27701 Clauses 7.2-7.5)
Implement PII processor controls per ISO 27701:
7.2 - Processing in accordance with customer (controller) instructions:
- Process PII only on documented instructions from customer
- Instructions documented in contract/data processing agreement (DPA)
- Alert customer if instruction violates privacy laws (legal assessment)
- Do not process for own purposes (unless legal requirement or with customer consent)
7.3 - Security of PII processing:
- Implement security measures per ISO 27001/27002
- Additional processor-specific security: Encryption, pseudonymization, access controls, audit logs
- Security obligations in contracts
- Customer audit rights and information provision
- Notify customer of personal data breaches without undue delay
7.4 - Engagement of sub-processors:
- Obtain customer authorization for sub-processors (specific or general authorization)
- Customer notification and objection opportunity for new sub-processors
- Impose same data protection obligations on sub-processors (flow-down clauses)
- Processor remains liable for sub-processor compliance
- Sub-processor register and management
7.5 - Assistance to customer (controller):
- Assist customer in responding to data subject rights requests (access, erasure, etc.)
- Assist in security incident response and breach notification
- Assist with Data Protection Impact Assessments (DPIAs) for customer
- Provide information for customer's compliance activities
- Return or delete PII at end of contract (customer choice)
- Demonstrate compliance via audits, certifications, attestations
Processor-specific documentation:
- Data Processing Agreement (DPA) template with GDPR-compliant clauses
- Sub-processor list and approval process
- Instructions register (log of customer instructions received and executed)
- DSAR assistance procedure (how we help customer fulfill data subject requests)
- Breach notification procedure to customers
- PII return/deletion procedure at contract termination
Create processor compliance framework: DPA templates, sub-processor management, customer assistance procedures, audit support materials.
International transfers and cross-border compliance
International PII transfer mechanisms
Implement compliant international PII transfer mechanisms per ISO 27701:
Our international data transfers:
- PII types transferred: [customer data, employee data, etc.]
- Countries of transfer from: [EEA, UK, US, etc.]
- Countries of transfer to: [US, India, Philippines, etc.]
- Transfer purposes: [cloud hosting, support services, development, analytics]
- Transfer methods: [cloud storage, APIs, email, file transfers]
GDPR Chapter V Transfer Mechanisms:
1. Adequacy Decisions (GDPR Article 45):
- Transfers to countries with adequacy decision are unrestricted: [UK, Switzerland, Japan, Canada (commercial), Israel, etc.]
- Transfers to US: Data Privacy Framework (DPF) for certified US companies
- Verify recipient is in adequate country or DPF-certified
2. Standard Contractual Clauses (SCCs) (GDPR Article 46):
- EU Commission-approved SCCs (2021 SCCs for controllers/processors)
- Execute appropriate SCC module: C2C (controller to controller), C2P (controller to processor), P2P (processor to processor), P2C (processor to controller)
- Transfer Impact Assessment (TIA): Assess destination country laws, government access risks, supplementary measures needed
- Supplementary measures if country laws undermine SCCs: Encryption, pseudonymization, data minimization, legal challenges
3. Binding Corporate Rules (BCRs) (GDPR Article 47):
- Internal binding policies for multinational groups transferring PII within group
- Require DPA authorization (lengthy approval process)
- Alternative to SCCs for large organizations with frequent intra-group transfers
4. Derogations for specific situations (GDPR Article 49):
- Explicit consent for occasional transfers (not for systematic transfers)
- Contract necessity, legal claims, vital interests, public interest
- Use sparingly, not for regular business transfers
Implementation:
- Inventory all international transfers (data mapping)
- Classify by transfer mechanism (adequacy, SCCs, derogations)
- Execute SCCs with all non-adequate country recipients
- Conduct Transfer Impact Assessments for high-risk destinations
- Implement supplementary measures (encryption in transit and at rest, access controls)
- Monitor changes in adequacy decisions and court rulings (Schrems II implications)
Create international transfer register, SCC repository, TIA documentation, and supplementary measures implementation plan.
Address CCPA, LGPD, APPI, and other jurisdictions' cross-border transfer requirements if applicable.
Privacy incident management
Personal data breach response and notification
Develop personal data breach response per GDPR Articles 33-34 and ISO 27701:
Personal Data Breach Definition (GDPR):
- Breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to PII
Breach types:
- Confidentiality breach: Unauthorized access or disclosure
- Integrity breach: Unauthorized alteration or data corruption
- Availability breach: Loss of access or data destruction
Breach response procedure:
1. Detection and initial assessment:
- Breach detection sources: Security monitoring, employee reports, third-party notification, data subject complaints
- Initial triage: Is it a personal data breach? What PII is affected? How many data subjects?
- Containment: Stop ongoing breach, prevent further exposure
2. Breach assessment and decision:
- Risk to data subjects: Likelihood and severity of harm (identity theft, financial loss, discrimination, reputation damage, physical harm)
- Risk factors: Sensitivity of data (special category data = higher risk), volume, identifiability, ease of identification, consequences for data subjects, vulnerable data subjects (children)
- Notification decision:
- Notify DPA if risk to rights and freedoms (GDPR Article 33) → Within 72 hours of awareness
- Notify data subjects if high risk (GDPR Article 34) → Without undue delay
- Document decision (including if not notifying, document why)
3. DPA notification (within 72 hours) - GDPR Article 33:
- Breach description: Nature, categories of data subjects and records, approximate numbers
- Contact point: DPO or contact person
- Likely consequences of breach
- Measures taken or proposed to address breach and mitigate harm
If notification is made more than 72 hours after awareness, the reasons for the delay must accompany it. Phased notification is permitted where full information is not yet available.
4. Data subject notification (if high risk) - GDPR Article 34:
- Clear and plain language description of breach
- Contact point for more information
- Likely consequences
- Measures taken or proposed to mitigate harm
Exceptions to data subject notification:
- Appropriate technical/organizational protection measures applied (e.g., encryption rendered data unintelligible)
- Subsequent measures eliminate high risk
- Disproportionate effort (public communication instead)
5. Investigation and remediation:
- Root cause analysis (how did breach occur?)
- Remediation actions (patch vulnerabilities, improve controls, revoke access)
- Evidence preservation (forensics, logs)
- Legal and regulatory considerations (other breach notification laws: state breach notification laws in US, etc.)
6. Documentation:
- Breach register: Date, facts, effects, remedial action (GDPR Article 33(5))
- Notification records: What was reported, when, to whom
- Internal investigation report
- DPA correspondence
7. Post-breach review:
- Lessons learned
- Controls improvement
- Policy and procedure updates
- Training based on breach causes
Create breach response plan, notification templates (DPA and data subjects), breach register, and training materials.
Integrate with ISO 27001 incident management and ensure coordination between security and privacy teams.
Privacy by design and DPIA
Data Protection Impact Assessment (DPIA)
Conduct Data Protection Impact Assessments per GDPR Article 35 and ISO 27701:
DPIA Triggers (when required):
- Systematic and extensive profiling with significant effects
- Large-scale processing of special category data (health, biometric, etc.) or criminal convictions
- Systematic monitoring of publicly accessible areas at large scale (e.g., CCTV)
- New technologies with high privacy risk
- Processing prevents data subjects from exercising rights or using services
- Multiple GDPR Article 35(3) criteria combined
DPIA not required but recommended for:
- Any new processing with privacy risk
- Significant changes to existing processing
DPIA Process:
1. Scope and describe processing:
- Processing activity description (systematic, purpose, context, nature, scope, volume)
- Data flows and lifecycle (collection, use, storage, sharing, retention, deletion)
- PII categories and data subjects
- Technologies and systems involved
- Processors and third parties
- Cross-border transfers
2. Necessity and proportionality assessment:
- Is processing necessary for the purpose? (Data minimization)
- Is purpose legitimate and specific?
- Are there less intrusive alternatives?
- Proportionality: Benefits vs. privacy impact
3. Risk identification:
- Risks to data subjects (not risks to organization): Discrimination, identity theft, financial loss, reputation damage, loss of confidentiality, physical harm, loss of control over PII
- Severity of impact if risk materializes (minimal, limited, significant, severe)
- Likelihood of risk (negligible, possible, probable, certain)
4. Risk mitigation measures:
- Technical measures: Encryption, pseudonymization, anonymization, access controls, monitoring
- Organizational measures: Policies, training, DPO oversight, vendor management, data retention limits
- Data subject safeguards: Transparency, consent, rights mechanisms, human review of automated decisions
- Residual risk after mitigation
5. Stakeholder consultation:
- Consult Data Protection Officer (mandatory if DPO designated)
- Consult data subjects or their representatives (where appropriate)
- Document views obtained and how addressed
6. DPA consultation (if high residual risk):
- If residual risk remains high despite mitigation, consult supervisory authority (DPA) before processing
- DPA provides advice on mitigation or prohibits processing
7. DPIA outcomes and decisions:
- Decision: Proceed with processing, proceed with additional safeguards, or do not proceed
- Approval and sign-off (management, DPO)
- Ongoing review triggers (annual, change in processing, incident)
DPIA documentation:
- Systematic description of processing and purposes
- Assessment of necessity and proportionality
- Assessment of risks to data subjects
- Measures to address risks and demonstrate compliance
- Stakeholder consultation records
- DPO opinion
- Management approval
Create DPIA template, risk assessment methodology, and DPIA register tracking all assessments and review dates.
Integrate DPIA into project lifecycle: Trigger DPIA during planning phase for new systems/processing, not after implementation.
ISO 27701 certification demonstrates robust privacy management and can serve as evidence of GDPR, CCPA, and other privacy law compliance. It builds customer and regulator trust in your privacy practices.