Training Module

PII Processing Context, Roles & Scope

Understand PII processing context, controller/processor roles, and practical PIMS scope boundaries under ISO/IEC 27701

Modern office building at night with illuminated workspaces, symbolising PII processing context, controller and processor roles, and clearly defined scope boundaries for privacy governance under ISO/IEC 27701.

Who decides what in your PII processing — and where does your PIMS actually begin and end?

Define processing context, determine controller and processor roles, and establish defensible PIMS scope boundaries that reflect real operations.

Training module overview

A Privacy Information Management System only works if its foundations are defined with precision. Organisations must be clear about what constitutes PII processing in their environment, which roles apply, and where system boundaries sit across internal units and external parties.

This module focuses on the architectural front end of a PIMS: defining processing context in a maintainable way, determining controller and processor roles including joint arrangements, establishing internal accountability models, and formalising scope statements and boundary artefacts that reflect real operations and sourcing structures. The emphasis is on governance clarity that enables consistent decision-making, auditability, and long-term maintainability.

Applicable environments

This module applies to organisations implementing or operating a Privacy Information Management System (PIMS) in line with ISO/IEC 27701. It focuses on how the standard’s requirements are interpreted and applied in practice within real organisational contexts.

The content is relevant for organisations seeking certification as well as for those using ISO/IEC 27701 as a reference framework to structure responsibilities, processes, and controls in the data protection domain.

Target audience

  • People involved in implementing, operating, or improving a PIMS aligned with ISO/IEC 27701

  • Executives and department heads accountable for the effectiveness and performance of a PIMS

  • Those responsible for processes, policies, IT systems, risks, and controls related to data protection

  • Auditors of ISO/IEC 27701 who want to deepen their understanding of management-side best practices (not audit technique)

Decision support

Is this module for you?

It is a good fit if you…

  • need clarity on what counts as PII processing in practice.

  • want clean controller and processor role separation.

  • need defensible scope boundaries for a PIMS.

  • work across internal units or external parties.

  • support ISO/IEC 27701 implementation or oversight.

If most of the points above apply, this module is likely a good fit.

It may not be the best fit if you…

  • are looking for legal interpretation of privacy laws.

  • want execution guidance for DPIAs or data subject rights.

  • need detailed operational privacy controls.

  • already operate a stable, well-defined PIMS scope and role model.

Agenda

  • Defining PII processing context in a way the organisation can maintain

  • Determining the organisation's role: controller, processor, and joint roles

  • Internal accountability model for privacy roles

  • External parties and boundary-setting

  • PIMS scope statement and boundary artefacts

  • Keeping scope and roles up to date

  • Technology as an enabler

  • Case-based workshop

Learning outcomes

Key outcomes

  • Describe ISO/IEC 27701 expectations for processing context, roles and scope in a PIMS

  • Define a high‑level PII processing context that is usable for governance and maintenance

  • Determine and justify controller and processor roles for real‑world scenarios

Additional capabilities

  • Translate external role concepts into an internal accountability model that supports decisions and escalation

  • Produce a clear PIMS scope statement with boundaries, interfaces and exclusions

  • Identify typical scoping and role pitfalls and set up practical review triggers to keep roles and scope current

Additional benefits

Learning materials

  • Slide deck

  • Participant workbook

Templates & tools

Practical, reusable artefacts to apply the module directly to your organisation.

  • PII processing context canvas

  • Role determination matrix

  • PIMS scope statement template

  • Interface & dependency register

  • In-scope / out-of-scope decision log

  • Change trigger checklist for scope/role updates

Confirmation

  • Certificate of completion

Module ID: HAM-DP-S-01

Audience: Manager, Auditor

Language: English

Delivery: Live virtual

Duration: 7 h

List price: CHF 550

Excl. VAT. VAT may apply depending on customer location and status.

Delivery & learning format

Virtual live teaching

This module is delivered live, with a strong focus on discussion, practical application, and direct interaction with the instructor.

Sessions work through realistic examples, clarify concepts in context, and apply methods directly to participants’ organisational realities.

Custom delivery options

For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.

Not sure if this module is right for you?

Send a short message and describe your context.

For an optimal learning experience

Preparation guidance

This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.

Assumed background

This module assumes participants can already work with basic privacy and data protection concepts, including:

  • What counts as PII/personal data in their operating context

  • Common processing lifecycle language (collect, use, share, retain, delete)

  • Basic awareness of regulatory drivers and contractual obligations

Preparatory modules

Foundational modules (depending on background)

Useful if you are new to the underlying concepts or want a shared baseline before attending this module.

Data Protection Fundamentals

A helicopter view of privacy roles, obligations, and mechanisms in organisations

7 h

Supporting modules (optional)

Helpful if you want to deepen related skills, but not required to participate effectively.

System Foundations

Understand organisational context, stakeholders, and system boundaries to build and operate effective management systems

7 h

Continuous learning

Follow-up modules

After completion of this module, the following modules are ideal to further deepen your competence. If you are looking for a structured learning path, modules can also be taken as part of a professional track.

Office scene with people standing, walking and sitting

Ready to improve your management systems?

We support continuous improvement by embedding ISO requirements into everyday practice and daily operations.
