Training Module

PII Processing Context, Roles & Scope

Understand PII processing context, controller/processor roles, and practical PIMS scope boundaries under ISO/IEC 27701:2025

Training module overview

ISO/IEC 27701:2025 enables a Privacy Information Management System (PIMS) to be established as a stand-alone management system, without requiring an ISMS. In practice, that flexibility increases—not reduces—the need for clarity: what counts as in-scope PII processing, which organisational roles apply (controller, processor, joint roles), and where responsibilities sit across internal units and external parties.

This module focuses on the front-end definition work that determines whether a PIMS becomes an operational management asset or a documentation exercise. It covers processing context, role determination, boundary-setting, and scope statements that reflect real operations and sourcing models. It does not teach general context/scoping methods (covered by System Foundations), privacy fundamentals, DPIA logic, or the operational privacy controls and data subject rights handling that follow from scope; instead, it defines clear interfaces to those specialisations.

Target audience

  • Privacy / data protection managers and PIMS implementers (controller and/or processor organisations)

  • Compliance, governance, and assurance professionals supporting privacy programmes

  • ISMS/IMS managers integrating PIMS with existing management systems

  • Auditors who need manager-side clarity on roles and scope

Agenda

Where ISO/IEC 27701:2025 starts and what this module covers

  • PIMS as a stand-alone MSS: what changes in scoping and accountability

  • Boundaries to adjacent modules: fundamentals, DPIA logic, operational controls & rights

Defining “PII processing context” in a way the organisation can maintain

  • Processing realities: services, products, channels, locations, and data flows (high-level)

  • Interfaces that drive complexity: sourcing, platforms, shared services, and group structures

Role determination: controller, processor, joint roles, and “who decides what”

  • Practical tests for “determines purposes/means” vs “acts on instructions”

  • Mixed-role scenarios: internal functions, platforms, partners, and marketplaces

Internal accountability model for privacy roles

  • Translating external role concepts into internal ownership (functions, decision rights, escalation)

  • Making responsibilities operational: what must be decided, by whom, and with what evidence

External parties and boundary-setting

  • Third parties in scope: suppliers, sub-processors, partners, affiliates, and customers

  • What belongs in scope vs managed as an interface (and how to document that choice)

PIMS scope statement and boundary artefacts

  • What a “useful” scope statement contains (and common failure modes)

  • Boundary artefacts: processing context map, role register, interface register, exclusions log

Keeping scope and roles current

  • Change triggers: new products, vendors, regions, data uses, incidents, complaints

  • Lightweight review cadence and ownership model (without overengineering)

Technology as an enabler

  • Using tools to keep processing context current (inventories, ticketing links, contract repositories)

  • AI-assisted summarisation for change signals (supporting judgement, not replacing it)

Workshop (case-based)

  • Build a defensible scope and role model for a multi-service organisation scenario

  • Review against typical pitfalls: hidden processing, ambiguous roles, unmanaged interfaces

Course ID:

HAM-PPCRS-1

Audience:

Manager

Auditor

Domain:

Data Protection

Available in:

English

Duration:

7 h

List price:

CHF 550

Excl. VAT. VAT may apply depending on customer location and status.

What you get

Learning outcomes

  • Describe what ISO/IEC 27701:2025 expects from a PIMS in terms of processing context, roles, and scope

  • Define a high-level PII processing context that is usable for governance and maintenance

  • Determine and justify controller/processor (and mixed) roles for common real-world scenarios

  • Translate external role concepts into an internal accountability model that supports decisions and escalation

  • Produce a clear, defensible PIMS scope statement with explicit boundaries, interfaces, and exclusions

  • Identify typical scoping and role pitfalls that cause downstream failures in controls, DPIAs, and rights handling

  • Set up a practical cadence and trigger logic to keep roles and scope current over time

Learning materials

  • Slide deck

  • Participant workbook

  • Certificate of completion

Templates & tools

  • PII Processing Context Canvas (services, channels, locations, systems, parties)

  • Role Determination Matrix (controller/processor/joint role decision notes)

  • PIMS Scope Statement Template (boundaries, interfaces, exclusions, assumptions)

  • Interface & Dependency Register (internal/external)

  • In-scope / Out-of-scope Decision Log (with rationale and review trigger)

  • Change Trigger Checklist for scope/role updates

  • Optional AI prompt set for summarising change signals and drafting update notes

Prerequisites

This module assumes participants can already work with basic privacy and data protection concepts, including:

  • What counts as PII/personal data in their operating context

  • Common processing lifecycle language (collect, use, share, retain, delete)

  • Basic awareness of regulatory drivers and contractual obligations (without needing legal expertise)

Strongly recommended preparatory modules

Privacy & Data Protection Fundamentals: Mapping the Data Protection Domain

A helicopter view of privacy roles, obligations, and mechanisms in organisations

7 h

Helpful preparatory modules

The modules below prepare participants for an optimal learning experience but are not strictly necessary to follow this module.

System Foundations: Context, Stakeholders, and System Boundaries

Understand organisational context, stakeholders, and system boundaries

7 h

Governance Foundations: Role Design, Decision Rights, and Escalation in Management Systems

Learn the fundamentals of role design, decision rights, governance mechanisms, and escalation paths in management systems

7 h

Ready to achieve mastery?

Bring ISO requirements into everyday practice to reduce avoidable issues and strengthen the trust of your customers and stakeholders.