# ISO 27701 PIMS Extension Author

> Guided elaboration of PIMS documentation as an extension to ISMS: PII processing inventory, privacy objectives, processing purposes and legal basis, controller/processor annex controls, and privacy policy drafting aligned to Clause 6 controller obligations.



Tags: ISO 27701, Privacy, PIMS, PII, Compliance, Privacy Policy


## Example Prompts

- Draft our PII processing inventory with purpose, legal basis, retention
- Implement Clause 6 and 7 controls for our PIMS
- Check that each processing activity and controller/processor control is documented
- Draft a privacy policy aligned to ISO 27701 Clause 6 controller requirements
- Validate our privacy policy covers all Clause 6 mandatory topics

URL: https://rakenne.app/skills/iso27701-pims-extension-author/index.md

Try this skill: https://rakenne.app/a/?skill=iso27701-pims-extension-author


## Overview

Guided elaboration of PIMS documentation as an extension to ISMS: PII processing inventory, privacy objectives, processing purposes and legal basis, controller/processor annex controls, and privacy policy drafting aligned to ISO 27701 Clause 6 controller obligations.

## Getting Started

Add your source materials to the project workspace, then activate the *ISO 27701 PIMS Extension Author* skill. The agent will guide you through the process step by step. The skill covers two main outputs:

1. **PIMS document** — PII inventory with purpose, legal basis, and retention per processing activity, plus Clause 6 (controller) and Clause 7 (processor) controls with implementation or justification.
2. **Privacy policy** — A public-facing privacy policy aligned to Clause 6 controller obligations, cross-referenced against the PII inventory.

## Example Conversation

> **You:** We need a PII inventory and PIMS extension for our ISO 27001. We're both controller and processor for some activities.
>
> **Agent:** I'll draft the PII processing inventory with purpose, legal basis, and retention per activity, and map Clause 6 (controller) and Clause 7 (processor) controls with implementation or justification.
>
> **You:** Run the validator on the PIMS document.
>
> **Agent:** I ran `check_pii_inventory_controller_processor` on your PIMS document. PII fields and controller/processor content are present. No warnings — all processing activities have purpose, legal basis, and retention documented.
>
> **You:** Now draft a privacy policy based on this inventory, aligned to Clause 6.
>
> **Agent:** I'll use the privacy policy template and populate each section from the PII inventory. The policy covers: controller identity, purposes and legal basis per processing activity, data categories, recipients and transfers, retention periods, data subject rights, consent and withdrawal mechanisms, automated decision-making disclosures, and the complaints process.
>
> **You:** Validate the privacy policy.
>
> **Agent:** I ran `check_privacy_policy_clause6`. Coverage: 14/14 topics (100%). All Clause 6 mandatory topics are addressed. No warnings.

## Sample Output Excerpt — PII Inventory

Below is an excerpt from the PII processing inventory section of a PIMS document.

---

| Processing activity | Purpose | Legal basis | Data categories | Retention |
|---|---|---|---|---|
| HR payroll | Salary and benefits administration | Contract (Art. 6(1)(b)) | Employee name, bank details, tax ID | 7 years post-employment |
| Customer onboarding | Account creation and identity verification | Contract (Art. 6(1)(b)) | Name, email, phone, ID document | Duration of contract + 2 years |
| Marketing analytics | Campaign performance and audience insights | Legitimate interest (Art. 6(1)(f)) | Pseudonymised browsing behaviour, device ID | 13 months from collection |

- **Clause 6.2.1** — Implemented via HR Data Protection Procedure v2.
- **Clause 6.5.2** — Third-party data sharing governed by processor agreements register.

---

## Sample Output Excerpt — Privacy Policy

Below is an excerpt from a privacy policy drafted by the skill, aligned to Clause 6 controller obligations.

---

### 1. Controller identity and contact details

Acme Corp Ltd, registered at 42 Innovation Street, London EC1A 1BB, is the controller responsible for your personal data.

- **Email:** privacy@acme-corp.example
- **Data Protection Officer:** Jane Smith, dpo@acme-corp.example

### 2. Purposes of processing

| Processing activity | Purpose | Legal basis |
|---|---|---|
| Customer onboarding | Account creation and identity verification | Contract |
| Marketing analytics | Campaign performance measurement | Legitimate interest |
| Newsletter | Product updates and offers | Consent |

### 7. Your rights — access, rectification and erasure (Clause 6.7)

You have the right of access, rectification, erasure, and restriction regarding your personal data. To exercise any of these rights, contact us at privacy@acme-corp.example.

### 8. Your rights — portability and objection (Clause 6.8)

You have the right to data portability (where processing is based on consent or contract) and the right to object to processing based on legitimate interests or direct marketing.

### 9. Consent and withdrawal (Clause 6.2.3 / 6.2.4)

Where processing is based on consent (e.g. newsletter), you may withdraw at any time via your account settings or by emailing privacy@acme-corp.example. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

---

## Built-in Validation Tools

The skill includes two extension tools that check PIMS documentation and privacy policies for completeness.

### check_pii_inventory_controller_processor

Validates the PIMS document for PII inventory and controller/processor control coverage.

| Check | What it validates |
|-------|-------------------|
| **PII fields** | Detects purpose, legal basis, retention, and processing activity references |
| **Controller/processor controls** | Checks that Clause 6/7 controls have implementation or justification documented |
| **Findings** | Reports WARNING when PII fields or control justifications are missing |

### check_privacy_policy_clause6

Validates a privacy policy against all 14 Clause 6 controller topics. Critical topics (marked below) always produce an ERROR when missing; non-critical topics produce a WARNING.

| Check | Clause | Critical | What it validates |
|-------|--------|:--------:|-------------------|
| **Controller identity and contact** | 6.3.1 | Yes | Organisation name, address, contact details |
| **Purposes of processing** | 6.3.1 | Yes | Clearly stated processing purposes |
| **Legal basis** | 6.3.1 | Yes | Legal basis per processing activity |
| **Data categories** | 6.3.1 | Yes | Types of personal data collected |
| **Recipients and disclosures** | 6.3.1 / 6.5.3 | Yes | Categories of recipients and third parties |
| **International transfers** | 6.5.2 | No | Transfer mechanisms (SCCs, BCRs) and safeguards |
| **Retention periods** | 6.5.3 | Yes | Retention period or criteria per data category |
| **Rights — access, rectification, erasure** | 6.7 | Yes | Access, rectification, erasure, restriction |
| **Rights — objection, portability, restriction** | 6.8 | Yes | Objection, portability (GDPR Art. 20), restriction |
| **Consent and withdrawal** | 6.2.3 / 6.2.4 | No | Consent mechanism and withdrawal process |
| **Automated decision-making** | 6.9.1 | No | Profiling disclosures and right to contest |
| **DPO or privacy contact** | 6.3.1 | No | Data Protection Officer or privacy team contact |
| **Complaints** | 6.8 | Yes | Right to lodge a complaint with supervisory authority |
| **Policy update notice** | 6.3.1 (good practice) | No | How changes to the policy are communicated |

### Example validation output

```
=== ISO 27701 CLAUSE 6 — PRIVACY POLICY COVERAGE ===
Document: docs/privacy-policy.md
Coverage: 13/14 topics (93%)

--- PRESENT ---
  [OK] Controller identity and contact details (6.3.1)
  [OK] Purposes of processing (6.3.1)
  [OK] Legal basis for each processing activity (6.3.1)
  [OK] Data categories collected (6.3.1)
  [OK] Recipients and recipient categories (6.3.1 / 6.5.3)
  [OK] Retention periods (6.5.3)
  [OK] Data subject rights — access, rectification, erasure (6.7)
  [OK] Data subject rights — objection, portability, restriction (6.8)
  [OK] Consent and withdrawal mechanisms (6.2.3 / 6.2.4)
  [OK] Automated decision-making and profiling (6.9.1)
  [OK] DPO or privacy contact (6.3.1)
  [OK] Complaints and supervisory authority (6.8)
  [OK] Policy update notice (6.3.1)

--- MISSING ---
  [MISSING] International transfers and safeguards (6.5.2)

--- FINDINGS ---
  [WARNING] Missing Clause 6 topic: International transfers and safeguards (6.5.2)

Errors: 0, Warnings: 1, Info: 0
```

Run `check_privacy_policy_clause6` on your privacy policy after drafting or updating; address any missing topics before publication or audit.
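As an added example (not the skill's own code), here is a minimal Python version of the `check_privacy_policy_clause6` logic: the 14 topics and critical flags from the table above, the ERROR-for-critical / WARNING-for-non-critical rule, and the report layout shown in the sample output. The keyword patterns used to detect each topic and the sample policy text are assumptions constructed for this example; the page does not say how the skill itself detects topics.

```python
import re
# The 14 Clause 6 topics from the table above: (label, clause, critical, pattern).
# The regex patterns are an assumption; the real skill's detection logic is not shown on the page.
TOPICS = [
    ("Controller identity and contact details", "6.3.1", True, r"\bcontroller\b"),
    ("Purposes of processing", "6.3.1", True, r"\bpurposes?\b"),
    ("Legal basis for each processing activity", "6.3.1", True, r"legal basis"),
    ("Data categories collected", "6.3.1", True, r"data categor"),
    ("Recipients and recipient categories", "6.3.1 / 6.5.3", True, r"\brecipients?\b"),
    ("International transfers and safeguards", "6.5.2", False, r"international transfer|standard contractual"),
    ("Retention periods", "6.5.3", True, r"\bretention\b|\bretain"),
    ("Data subject rights — access, rectification, erasure", "6.7", True, r"rectif"),
    ("Data subject rights — objection, portability, restriction", "6.8", True, r"portab|\bobject"),
    ("Consent and withdrawal mechanisms", "6.2.3 / 6.2.4", False, r"withdraw"),
    ("Automated decision-making and profiling", "6.9.1", False, r"automated decision|profiling"),
    ("DPO or privacy contact", "6.3.1", False, r"data protection officer|\bdpo\b"),
    ("Complaints and supervisory authority", "6.8", True, r"supervisory authority|complain"),
    ("Policy update notice", "6.3.1", False, r"changes to this policy"),
]

def check_privacy_policy_clause6(text):
    """Return (present, findings); a missing critical topic is an ERROR, a non-critical one a WARNING."""
    lowered = text.lower()
    present, findings = [], []
    for label, clause, critical, pattern in TOPICS:
        if re.search(pattern, lowered):
            present.append((label, clause))
        else:
            findings.append(("ERROR" if critical else "WARNING", label, clause))
    return present, findings

def render_report(doc_name, present, findings):
    """Format the result in the same layout as the validation output shown above."""
    n, errors = len(TOPICS), sum(1 for sev, _, _ in findings if sev == "ERROR")
    lines = ["=== ISO 27701 CLAUSE 6 — PRIVACY POLICY COVERAGE ===", f"Document: {doc_name}",
             f"Coverage: {len(present)}/{n} topics ({round(100 * len(present) / n)}%)", "", "--- PRESENT ---"]
    lines += [f"  [OK] {label} ({clause})" for label, clause in present]
    lines += ["", "--- MISSING ---"] + [f"  [MISSING] {label} ({clause})" for _, label, clause in findings]
    lines += ["", "--- FINDINGS ---"] + [f"  [{sev}] Missing Clause 6 topic: {label} ({clause})" for sev, label, clause in findings]
    lines.append(f"\nErrors: {errors}, Warnings: {len(findings) - errors}, Info: 0")
    return "\n".join(lines)

# Constructed sample policy (not from the page): covers every topic except international transfers.
SAMPLE_POLICY = """Acme Corp Ltd is the controller responsible for your personal data. Data Protection Officer: dpo@acme-corp.example.
Purposes of processing and legal basis: onboarding (contract), newsletter (consent). Data categories: name, email, phone.
Recipients: payment processors and hosting providers. Retention: account data is kept for the contract term plus 2 years.
You have the right of access, rectification, erasure and restriction, the right to data portability and to object.
You may withdraw consent at any time. We do not use automated decision-making or profiling.
You may lodge a complaint with a supervisory authority. Changes to this policy are announced by email."""
```

Running `render_report("docs/privacy-policy.md", *check_privacy_policy_clause6(SAMPLE_POLICY))` reproduces the 13/14 report above with one WARNING; removing the retention sentence from the sample turns that topic into an ERROR because it is marked critical.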


---

Back to [Skill Library](https://rakenne.app/skills/index.md)
