Training Module
PII Processing: Context, Roles & Scope
Define PII processing context, determine controller and processor roles, and set practical PIMS scope boundaries under ISO/IEC 27701
Training module overview
A Privacy Information Management System only works if its foundations are defined with precision. Organisations must be clear about what constitutes PII processing in their environment, which roles apply, and where system boundaries sit across internal units and external parties.
This module focuses on the architectural front end of a PIMS: defining processing context in a maintainable way, determining controller and processor roles including joint arrangements, establishing internal accountability models, and formalising scope statements and boundary artefacts that reflect real operations and sourcing structures. The emphasis is on governance clarity that enables consistent decision-making, auditability, and long-term maintainability.
Applicable environments
This module applies to organisations implementing or operating a Privacy Information Management System (PIMS) in line with ISO/IEC 27701. It focuses on how the standard’s requirements are interpreted and applied in practice within real organisational contexts.
The content is relevant for organisations seeking certification as well as for those using ISO/IEC 27701 as a reference framework to structure responsibilities, processes, and controls in the data protection domain.
Target audience
People involved in implementing, operating, or improving a PIMS aligned with ISO/IEC 27701
Executives and department heads accountable for the effectiveness and performance of a PIMS
Those responsible for processes, policies, IT systems, risks, and controls related to data protection
Auditors of ISO/IEC 27701 who want to deepen their understanding of management-side best practices (not audit technique)
Decision support
Is this module for you?
It is a good fit if you…
need clarity on what counts as PII processing in practice.
want clean controller and processor role separation.
need defensible scope boundaries for a PIMS.
work across internal units or external parties.
support ISO/IEC 27701 implementation or oversight.
If most of the points above apply, this module is likely a good fit.
It may not be the best fit if you…
are looking for legal interpretation of privacy laws.
want execution guidance for DPIAs or data subject rights.
need detailed operational privacy controls.
already operate a stable, well-defined PIMS scope and role model.
Agenda
Defining PII processing context in a way the organisation can maintain
Determining the organization's role: controller, processor, joint roles
Internal accountability model for privacy roles
External parties and boundary-setting
PIMS scope statement and boundary artefacts
Keeping scope and roles up to date
Technology as an enabler
Case-based workshop
Show detailed agenda...
Learning outcomes
Key outcomes
Describe ISO/IEC 27701 expectations for processing context, roles and scope in a PIMS
Define a high-level PII processing context that is usable for governance and maintenance
Determine and justify controller and processor roles for real-world scenarios
Additional capabilities
Translate external role concepts into an internal accountability model that supports decisions and escalation
Produce a clear PIMS scope statement with boundaries, interfaces and exclusions
Identify typical scoping and role pitfalls and set up practical review triggers to keep roles and scope current
Additional benefits
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
PII processing context canvas
Role determination matrix
PIMS scope statement template
Interface & dependency register
In-scope / out-of-scope decision log
Change trigger checklist for scope/role updates
Confirmation
Certificate of completion
Module ID
HAM-DP-S-01
Discipline
ISO clause
4: Context of the organisation
Domains
Audience
Manager
Languages
English
Delivery
Live virtual
Duration
7 h
List price
CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
Delivery & learning format
Virtual live teaching
This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.
Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
For an optimal learning experience
Preparation guidance
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes participants can already work with basic privacy and data protection concepts, including:
What counts as PII/personal data in their operating context
Common processing lifecycle language (collect, use, share, retain, delete)
Basic awareness of regulatory drivers and contractual obligations
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
