Purpose Legitimacy and Specification

ISO 27018 requires that all PII processing must have a legitimate, specific, and documented purpose. This control prevents unauthorized or excessive data processing.

Core Requirements

Purpose Legitimacy

Definition: Processing must have a lawful and justifiable reason.

Legal Bases for Processing:

1. Consent - Individual has explicitly agreed
2. Contract - Necessary to fulfill contractual obligations
3. Legal Obligation - Required by law or regulation
4. Vital Interests - Protecting life or safety
5. Public Interest - Government or public sector functions
6. Legitimate Interest - Reasonable business need (with balancing test)

Purpose Specification

Definition: Processing purposes must be clearly defined and documented.

Requirements:

• Document each processing purpose before collection
• Purposes must be specific, not vague
• Communicate purposes to data subjects
• Limit processing to stated purposes only
• Re-evaluate purposes when systems change

Control CLD.6.4: Purpose Legitimacy and Specification

ISO 27018 Requirement: "The organization shall identify and document the purposes for which PII is collected, used, retained and disclosed, to maintain legitimacy of processing."

Implementation Steps

Step 1: Inventory PII Processing Activities Create a comprehensive register:

Processing Activity Register Template:

Activity ID: [Unique identifier]
Service/System: [Name of cloud service]
PII Categories: [Types of PII processed]
Purpose: [Specific, documented purpose]
Legal Basis: [Consent, contract, legal obligation, etc.]
Data Subjects: [Who the PII relates to]
Recipients: [Who receives/accesses the PII]
Retention Period: [How long data is kept]
Cross-border Transfers: [If applicable]
Security Measures: [Controls in place]

Step 2: Document Legitimate Purposes For each processing activity, clearly state:

• What is being done with the PII
• Why it's necessary
• Who benefits from the processing
• Whether it can be accomplished without PII

Step 3: Communicate Purposes Ensure transparency through:

• Privacy policies
• Terms of service
• Consent forms
• Data processing agreements
• Privacy notices

Step 4: Implement Purpose Controls Technical and organizational measures:

• Access controls based on purpose
• Data labeling/tagging by purpose
• Automated compliance checks
• Purpose-based retention policies

Purpose Categories and Examples

Service Provision

Legitimate Purposes:

• Account creation and authentication
• Service delivery and functionality
• Customer support and troubleshooting
• Billing and payment processing
• Contract administration

Example: "We process your email address and payment information to create your account, deliver the service, and process monthly subscription payments."

Service Improvement

Legitimate Purposes:

• Product development and enhancement
• Quality assurance and testing
• Usage analytics (aggregated)
• Performance optimization
• Bug identification and resolution

Example: "We analyze aggregated usage patterns to identify performance bottlenecks and improve service reliability."

Legal and Compliance

Legitimate Purposes:

• Regulatory compliance (GDPR, HIPAA, etc.)
• Legal dispute resolution
• Fraud prevention and detection
• Security incident response
• Law enforcement cooperation

Example: "We retain transaction logs for 7 years to comply with financial regulations and support potential legal proceedings."

Marketing and Communications

Legitimate Purposes (Consent Required):

• Newsletter and promotional emails
• Product announcements
• Customer satisfaction surveys
• Marketing analytics
• Personalized advertising

Example: "With your consent, we will send you monthly newsletters about new features and special offers."

Purpose Limitation Principle

What is Purpose Creep?

Definition: Using PII for purposes beyond the original, stated intent.

Examples of Purpose Creep: ❌ Collecting email for account recovery, then using for marketing ❌ Processing location data for service delivery, then selling to advertisers ❌ Storing health data for treatment, then using for research without consent

Preventing Purpose Creep

Controls to Implement:

1. Purpose-Based Access Controls

   • Marketing team cannot access support ticket PII
   • Analytics systems receive anonymized data only
   • Cross-department data sharing requires approval

2. Technical Segregation

   • Separate databases for different purposes
   • Purpose flags in data records
   • Automated enforcement of purpose boundaries

3. Regular Audits

   • Quarterly review of processing activities
   • Purpose alignment verification
   • Detection of unauthorized uses

4. Change Management

   • New purposes require consent
   • Update privacy policies when purposes change
   • Notify customers of material changes

Purpose Documentation Requirements

Data Processing Register

Minimum Information:

• Name and contact details of controller (CSP)
• Purposes of processing
• Description of data subjects and PII categories
• Recipients of PII (including sub-processors)
• International transfers (if applicable)
• Retention periods
• Security measures description

Privacy Policy Content

Must Include:

• Clear statement of purposes
• Legal basis for each purpose
• How long data is retained for each purpose
• Rights of data subjects
• How to withdraw consent
• Contact information for privacy inquiries

Cloud Service Provider Responsibilities

For Customer Data

CSP Obligations:

• Process only as instructed by customer
• Do not use customer PII for own purposes
• Document processing purposes in DPA
• Implement technical controls to enforce limits
• Audit and demonstrate compliance

Example DPA Clause: "Provider shall process Customer PII solely for the purpose of providing the Services as defined in Section 2, and shall not use Customer PII for Provider's own purposes, including marketing, analytics, or service improvement, without separate written consent from Customer."

For CSP's Own Data

When CSP Collects PII Directly:

• Document legitimate purposes
• Provide privacy notice
• Obtain consent where required
• Implement same controls as customer data
• Maintain separate processing register

Practical Implementation

Purpose Tagging System

Technical Implementation:

interface PIIRecord {
  data: string;
  purposes: Purpose[];
  legalBasis: LegalBasis;
  consentId?: string;
  retentionDate: Date;
}

enum Purpose {
  SERVICE_DELIVERY = "service_delivery",
  CUSTOMER_SUPPORT = "customer_support",
  BILLING = "billing",
  ANALYTICS = "analytics",
  MARKETING = "marketing",
  LEGAL_COMPLIANCE = "legal_compliance"
}

enum LegalBasis {
  CONSENT = "consent",
  CONTRACT = "contract",
  LEGAL_OBLIGATION = "legal_obligation",
  LEGITIMATE_INTEREST = "legitimate_interest"
}

function canProcessForPurpose(
  record: PIIRecord,
  requestedPurpose: Purpose
): boolean {
  return record.purposes.includes(requestedPurpose);
}

Purpose-Based Retention

Implementation Matrix:

Common Pitfalls

Vague Purpose Statements

❌ Wrong: "We process data to improve our business" ✓ Right: "We analyze aggregated usage statistics to identify and fix performance issues in our service"

Missing Legal Basis

❌ Wrong: Stating purpose without legal justification ✓ Right: "Purpose: Monthly newsletter. Legal Basis: Consent obtained on [date]"

Incompatible Purposes

❌ Wrong: Using customer support tickets to train marketing AI ✓ Right: Using only anonymized, aggregated data for training

No Purpose Review

❌ Wrong: Set purposes once, never revisit ✓ Right: Quarterly review and update of processing purposes

Audit Evidence

What Auditors Expect to See:

• Complete data processing register
• Documented purposes for all PII processing
• Legal basis identified for each purpose
• Privacy policies aligned with actual practices
• Technical controls enforcing purpose limitation
• Evidence of purpose reviews (meeting minutes, change logs)
• Consent records linked to specific purposes
• DPAs with clear purpose specifications

Self-Assessment Checklist

Purpose Legitimacy:

• Every PII processing activity has documented purpose
• Legal basis identified for each purpose
• Purposes are specific and granular
• Purposes communicated to data subjects
• Purposes aligned with expectations

Purpose Limitation:

• Technical controls prevent unauthorized purposes
• Access controls based on purpose
• Regular audits of actual vs. stated purposes
• Change management for new purposes
• Purpose-based retention policies

Documentation:

• Data processing register maintained
• Privacy policy covers all purposes
• DPAs specify processing purposes
• Purpose documentation readily available
• Regular review and updates

Case Study: SaaS CRM Platform

Scenario: Cloud CRM processes customer contact information

Purpose Documentation:

1. Account Management

   • Legal Basis: Contract
   • PII: Name, email, company
   • Purpose: Create and maintain user accounts
   • Retention: Duration of contract + 30 days

2. Service Delivery

   • Legal Basis: Contract
   • PII: All CRM data
   • Purpose: Provide CRM functionality
   • Retention: Duration of contract + 30 days

3. Customer Support

   • Legal Basis: Legitimate Interest
   • PII: Support tickets, interaction logs
   • Purpose: Resolve customer issues
   • Retention: 3 years after resolution

4. Product Improvement

   • Legal Basis: Legitimate Interest
   • PII: Anonymized usage data
   • Purpose: Identify bugs and optimize performance
   • Retention: 2 years

5. Marketing Communications

   • Legal Basis: Consent
   • PII: Email, name
   • Purpose: Send product updates and newsletters
   • Retention: Until consent withdrawn

Technical Controls:

• Marketing system cannot access CRM customer data
• Support tickets automatically deleted after 3 years
• Usage analytics receive only anonymized data
• Purpose flags enforced in database access layer

Next Lesson: Collection limitation controls.