# ISO 27701 PII Processing Inventory

> Build the PII processing inventory (Record of Processing Activities / ROPA) and data flow map for ISO 27701. Catalogs every processing activity with purpose, legal basis, data categories, PII principals, recipients, retention periods, and cross-border transfers. Produces a data flow map showing PII flows between systems, parties, and jurisdictions.



Tags: ISO 27701, Privacy, PII, ROPA, Data Inventory, Compliance


## Example Prompts

- Build our PII processing inventory
- Create a Record of Processing Activities
- Map our data flows for privacy compliance

URL: https://rakenne.app/skills/iso27701-pii-inventory/index.md




## Overview

Build the PII processing inventory (Record of Processing Activities / ROPA) and data flow map for ISO 27701. This skill catalogs every processing activity with purpose, legal basis, data categories, PII principals, recipients, retention periods, and cross-border transfers. It also produces a data flow map showing how PII moves between systems, parties, and jurisdictions. The ROPA is a core requirement of both ISO 27701 and GDPR Article 30, and serves as the factual foundation for privacy risk assessments, DPIAs, and regulatory inquiries.

### What It Covers

- **Processing Activity Catalog** — Systematically document every activity that handles personal data, grouped by business function (HR, product, marketing, etc.)
- **Purpose and Legal Basis** — For each activity, record why PII is processed and the lawful basis (consent, contract, legal obligation, legitimate interest, etc.)
- **Data Categories and PII Principals** — Map what types of data are involved (identity, contact, health, financial, behavioral) and whose data it is
- **Recipients and Third Parties** — Identify internal departments and external parties that receive PII
- **Retention and Deletion** — Document how long PII is kept for each activity and the deletion or anonymization schedule
- **Cross-Border Transfers** — Flag transfers outside the originating jurisdiction and document the transfer mechanisms (adequacy decisions, SCCs, BCRs)
- **Data Flow Map** — Visualize PII flows between sources, systems, external recipients, and jurisdictions

## Example Conversation

> **You:** We need to build our PII processing inventory for MedSecure Health Technologies. We already have a PIMS scope statement. Our main processing activities are: patient health records (processed for healthcare providers), employee HR management, marketing analytics on website visitors, and recruitment.
>
> **Agent:** I've loaded your PIMS scope statement. I can see MedSecure acts as both a controller and processor, with HIPAA, GDPR, LGPD, and CCPA applicable. Let me walk through each processing activity systematically.
>
> Starting with **Patient Health Records Processing** — this is your processor activity. I need a few details:
>
> - What categories of health data do you receive? (diagnoses, medications, lab results, insurance info?)
> - How long do you retain patient data after a provider terminates their contract?
> - Does patient data flow to any sub-processors (cloud infrastructure, analytics providers)?
> - Is data transferred cross-border (e.g., EU patient data stored in the US)?
>
> **You:** We receive diagnoses, medications, lab results, and demographic data. We retain data for 30 days after contract termination, then delete. Our sub-processors are GCP (us-central1 and europe-west1) and Datadog for monitoring. EU patient data stays in europe-west1. US patient data is in us-central1.
>
> **Agent:** Excellent. Now for **Employee HR Management** — your controller activity. I'll document what I know from the scope and ask about specifics:
>
> - Payroll processing — do you use Workday for this, and does payroll data go to an external payroll provider?
> - Benefits administration — health insurance, retirement plans?
> - How long are employee records retained after termination?
>
> **You:** Yes, Workday handles everything. Payroll goes to ADP. Benefits go to United Healthcare and Fidelity. We retain employee records for 7 years after termination per legal requirements.
>
> **Agent:** I've now documented all four processing activities with complete fields and built the data flow map. Let me run both validation tools.
>
> `check_pii_inventory_completeness` on `output/PII-Processing-Inventory.md`:
>
> ```
> Processing activities found: 4
> Activities with complete required fields: 4/4 (100%)
>   [INFO] Field coverage: 28/28 fields present across 4 activities (100%).
> RESULT: PASS — All processing activities have required fields.
> ```
>
> `check_data_flow_consistency` comparing inventory against `output/Data-Flow-Map.md`:
>
> ```
> Processing activities in inventory: 4
> Activities with cross-border transfers: 1
> Consistency score: 100%
> RESULT: PASS — Data flow map is consistent with PII inventory.
> ```
>
> Both documents are validated. Your ROPA covers 4 processing activities with full field coverage, and the data flow map is consistent with the inventory.

## Sample Output Excerpt

Below is a representative excerpt from the PII Processing Inventory showing two of the documented processing activities.

---

# PII Processing Inventory — MedSecure Health Technologies

**Document version:** 1.0
**Last updated:** 2026-03-21
**Organization role:** PII Controller and PII Processor

## Patient Health Records Processing

- **Processing activity:** Ingestion, storage, and processing of patient health records on behalf of healthcare provider organizations
- **Purpose:** Enable healthcare providers to manage patient records through the MedSecure Platform, including clinical data analysis and reporting
- **Legal basis:** Contract — Data Processing Agreement with each healthcare provider (controller)
- **Data categories:** Demographic data (name, date of birth, address), diagnoses, medications, lab results, insurance information
- **PII principals:** Patients of healthcare provider organizations (~500,000 records)
- **Recipients:** Internal — Platform engineering team (for system maintenance, no direct access to patient content); External — GCP (infrastructure sub-processor), Datadog (monitoring sub-processor, metadata only)
- **Retention period:** Duration of provider contract + 30 days for deletion. Upon contract termination, all patient data is permanently deleted within 30 calendar days.
- **Cross-border transfers:** EU patient data remains in GCP europe-west1 (no cross-border transfer). US patient data in GCP us-central1. No transfers between regions. Sub-processor DPAs in place with SCCs for Datadog (US-based).
- **Technical and organizational measures:** Encryption at rest (AES-256) and in transit (TLS 1.3), role-based access control, audit logging, annual penetration testing

## Employee HR Management

- **Processing activity:** Full employee lifecycle management — recruitment, onboarding, payroll, benefits, performance reviews, offboarding
- **Purpose:** Fulfill employment obligations, administer compensation and benefits, maintain workforce records
- **Legal basis:** Contract (employment agreement) and legal obligation (tax reporting, labor law compliance)
- **Data categories:** Identity data (name, SSN/CPF, date of birth), contact data, financial data (bank account, salary), benefits data (health insurance elections, retirement contributions), performance records
- **PII principals:** Employees (~200 across US and Brazil offices)
- **Recipients:** Internal — HR department, Finance; External — ADP (payroll processing), United Healthcare (benefits), Fidelity (retirement), local tax authorities
- **Retention period:** 7 years after employment termination (legal requirement for tax and labor records). Performance records deleted after 3 years post-termination.
- **Cross-border transfers:** Employee data for US employees processed in the US (Workday US region). Brazilian employee data processed in Workday with data residency in the US — transfer mechanism: SCCs between MedSecure Brazil and MedSecure US, and Workday DPA with SCCs.
- **Technical and organizational measures:** Workday SOC 2 Type II certified, SSO with MFA, role-based access restricted to HR and authorized managers

---

## Extension Tools

### `check_pii_inventory_completeness`

Validates the PII processing inventory (ROPA) for completeness. Splits the document into individual processing activity sections and checks that each one has the required fields.

| Field Checked | Severity | What It Validates |
|---|---|---|
| Purpose | ERROR if missing | Each activity states why PII is processed |
| Legal basis | ERROR if missing | Lawful basis is identified (consent, contract, legal obligation, etc.) |
| Data categories | WARNING if missing | Types of personal data involved are listed |
| PII principals | WARNING if missing | Categories of affected individuals are identified |
| Recipients | WARNING if missing | Internal and external recipients are documented |
| Retention period | ERROR if missing | How long data is kept, with deletion schedule |
| Cross-border transfers | WARNING if missing | Transfer details or explicit statement of no transfers |

The tool also checks that cross-border transfers reference specific transfer mechanisms (adequacy decisions, SCCs, BCRs) when transfers are mentioned.
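The checks in the table above can be sketched as follows. This is an added example, not Rakenne's implementation: it assumes activities are `## ` sections with `- **Field:** value` bullets as in the sample excerpt, and the keyword heuristics for transfer mechanisms and "no transfer" statements are assumptions.

```python
import re

# Required fields and severities, copied from the table above.
REQUIRED = {"Purpose": "ERROR", "Legal basis": "ERROR",
            "Retention period": "ERROR", "Data categories": "WARNING",
            "PII principals": "WARNING", "Recipients": "WARNING",
            "Cross-border transfers": "WARNING"}
FIELD = re.compile(r"^- \*\*(.+?):\*\*[ \t]*(.*)$", re.M)
# Assumed keyword heuristics for "names a mechanism" and "states no transfer".
MECHANISM = re.compile(r"adequacy|\bSCCs?\b|\bBCRs?\b", re.I)
NO_TRANSFER = re.compile(r"^(none|no (cross-border )?transfers?)\b", re.I)

def parse_activities(markdown):
    """Return {activity heading: {lower-cased field name: value}}."""
    sections = re.split(r"^## ", markdown, flags=re.M)[1:]
    return {s.partition("\n")[0].strip():
            {k.strip().lower(): v.strip() for k, v in FIELD.findall(s)}
            for s in sections}

def check_completeness(markdown):
    """Return sorted (severity, activity, message) findings."""
    findings = []
    for name, fields in parse_activities(markdown).items():
        for field, severity in REQUIRED.items():
            if not fields.get(field.lower()):  # absent or empty value
                findings.append((severity, name, f"missing {field}"))
        transfers = fields.get("cross-border transfers", "")
        if (transfers and not NO_TRANSFER.search(transfers)
                and not MECHANISM.search(transfers)):
            findings.append(("WARNING", name, "transfer lacks a mechanism"))
    return sorted(findings)

# Constructed sample inventory, not a real organization's ROPA.
SAMPLE = """## Marketing Analytics
- **Purpose:** Measure website campaign performance
- **Legal basis:** Consent
- **Data categories:** Behavioral data, cookie identifiers
- **PII principals:** Website visitors
- **Recipients:** External analytics provider
- **Retention period:**
- **Cross-border transfers:** Visitor data is sent to a US-based provider
## Recruitment
- **Purpose:** Evaluate job applicants
- **Legal basis:** Legitimate interest
- **Data categories:** Identity data, CVs
- **PII principals:** Job applicants
- **Retention period:** 12 months after the hiring decision
- **Cross-border transfers:** None
"""
```

An empty field value counts as missing, so a template left with blank bullets does not pass; an explicit "None" under cross-border transfers is accepted without a mechanism.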

### `check_data_flow_consistency`

Cross-checks the data flow map against the PII processing inventory to confirm that the two documents agree on transfer activities, systems and parties, and regulations.

| Check | Severity | What It Validates |
|---|---|---|
| Transfer activities in flow map | ERROR if missing | Every activity with cross-border transfers appears in the data flow map |
| Flow map entities in inventory | WARNING if missing | Every system or party in the flow map is referenced in at least one processing activity |
| Regulation consistency | INFO | Regulations mentioned in the inventory also appear in the flow map |

Returns a consistency score and detailed findings for any mismatches between the two documents.
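A sketch of the three cross-checks in the table, as an added example rather than Rakenne's implementation. The flow-map line format (`- source -> destination | activity`), the regulation list, and the score formula (share of ERROR and WARNING checks that pass) are all assumptions, since the page does not show them.

```python
import re

# Assumed flow-map line format: "- <source> -> <destination> | <activity>"
FLOW = re.compile(r"^- (.+?) -> (.+?) \| (.+)$", re.M)
TRANSFER = re.compile(r"^- \*\*Cross-border transfers:\*\*[ \t]*(.*)$", re.M | re.I)
NO_TRANSFER = re.compile(r"^(none|no (cross-border )?transfers?)\b", re.I)
REGULATIONS = ("GDPR", "HIPAA", "LGPD", "CCPA")

def check_consistency(inventory, flow_map):
    """Return (score, findings); the score formula is an assumption."""
    findings, checks = [], 0
    flows = FLOW.findall(flow_map)
    mapped = {activity.strip().lower() for _, _, activity in flows}
    # ERROR: every activity that describes a transfer must appear in the map.
    for section in re.split(r"^## ", inventory, flags=re.M)[1:]:
        name = section.partition("\n")[0].strip()
        m = TRANSFER.search(section)
        if m and m.group(1) and not NO_TRANSFER.search(m.group(1)):
            checks += 1
            if name.lower() not in mapped:
                findings.append(("ERROR", f"{name}: transfer not in flow map"))
    # WARNING: every flow-map entity must be mentioned in the inventory.
    # Substring matching is crude; short names can match unrelated words.
    for entity in sorted({e.strip() for s, d, _ in flows for e in (s, d)}):
        checks += 1
        if entity.lower() not in inventory.lower():
            findings.append(("WARNING", f"{entity}: not in inventory"))
    # INFO: regulations named in the inventory should also appear in the map.
    for reg in REGULATIONS:
        if reg in inventory and reg not in flow_map:
            findings.append(("INFO", f"{reg}: missing from flow map"))
    failed = sum(1 for severity, _ in findings if severity != "INFO")
    score = 100 if not checks else round(100 * (checks - failed) / checks)
    return score, findings

# Constructed sample documents, not a real organization's records.
INVENTORY = """## Employee HR Management
- **Recipients:** HR department, Workday, ADP
- **Cross-border transfers:** Brazil employee data stored in the US under SCCs (LGPD)
## Recruitment
- **Recipients:** Hiring managers
- **Cross-border transfers:** Applicant data sent to the US under SCCs
## Visitor Log
- **Recipients:** Facilities team
- **Cross-border transfers:** None
"""
FLOW_MAP = """- HR department -> Workday | Employee HR Management
- Workday -> ADP | Employee HR Management
- Workday -> Offsite Backup | Employee HR Management
"""
```

On the constructed sample, the Recruitment transfer is absent from the flow map and "Offsite Backup" has no matching inventory entry, which are the two kinds of drift between the documents that the ERROR and WARNING rows target.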

## Getting Started

To build an effective PII processing inventory, prepare the following:

1. **Complete the PIMS Scope first** — The agent loads the PIMS Scope Statement to understand your organization's role, PII principal categories, applicable regulations, and system boundaries. If you have not defined the PIMS scope yet, use the ISO 27701 PIMS Scope Definition skill first.

2. **Map your business processes** — List every business function that handles personal data: product/service delivery, HR, marketing, sales, support, finance, recruitment. Think broadly — even visitor log books and badge access systems count.

3. **Know your systems** — For each process, identify the systems involved: your core product, HR platform, CRM, marketing automation, analytics tools, cloud infrastructure, and backup storage.

4. **Gather contracts and DPAs** — Have your data processing agreements, sub-processor lists, and third-party contracts available. These are critical for documenting recipients and cross-border transfers.

5. **Check retention policies** — Know (or be ready to decide) how long data is retained for each activity. Consider legal requirements (tax records, labor law) and business needs.

6. **Identify cross-border data flows** — Know where your data is stored and processed geographically. Which cloud regions? Which third-party processors are in different countries?

The skill produces two documents: `output/PII-Processing-Inventory.md` (the full ROPA) and `output/Data-Flow-Map.md` (visual description of PII flows).



