Implementing GDPR with ISO 27701 and ISO 27001
Jessica Doering

How ISO 27701 enables GDPR compliance

So ISO 27001, the apex predator of information security, can help with GDPR compliance? Well, that sounds tempting. So you "just" need ISO 27001 certification and you're already compliant with the GDPR? Not quite. Let's take a closer look.

First of all, ISO 27001 does not directly address data protection. As always, it sends one of its many children ahead. In this case, ISO 27701.

This one is the current influencer in the data protection scene.

So what is ISO 27701, and why is it so often mentioned in the same breath as the GDPR?

What is ISO 27701?

The official wording from the International Organization for Standardization (ISO) is:

This document specifies requirements and provides guidance for establishing, implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS) as an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy management in the context of the organization.

This document specifies PIMS-related requirements and provides guidance for PII controllers and PII processors holding responsibility and accountability for PII processing.

This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations, which are PII controllers and/or PII processors processing PII within an ISMS.

ISO 27701 is thus the privacy extension of ISO 27001 and ISO 27002. It does not replace the ISMS; it adds privacy-specific requirements and controls on top of it, and provides a framework for implementing and maintaining a Privacy Information Management System (PIMS).

The mission of ISO 27701 is to help organizations protect the privacy rights of individuals by specifying a set of requirements for managing personally identifiable information (PII).

In short: ISO 27701 specifies requirements and provides guidance for establishing, implementing, maintaining, and continuously improving a Privacy Information Management System (PIMS) in the context of an organization's overall information security management system (ISMS).

Wait a minute...PIMS?

What is a Privacy Information Management System (PIMS)?

A Privacy Information Management System (PIMS) is the organizational management system for PII: the policies, roles, processes and controls an organization uses to decide what personal data it collects, why, on what legal basis, how long it keeps it, who it shares it with, and how it honours the rights of the people the data is about. It is run by the organization, not by the individual, and it sits inside the ISMS rather than beside it.

Don't confuse it with the other "PIMS" (personal information manager, the tooling an individual uses to organize their own data). In ISO 27701, the P stands for privacy, and the system is the organization's accountability machinery for the personal data it processes.

What are the requirements of ISO 27701?

ISO 27701 follows the clause structure of ISO 27001 (clauses 4 to 10) and adds privacy-specific requirements to each. The requirements include:

- Context of the organization: organizations need to establish the context of their PIMS, i.e., they need to determine its scope, objectives, their role as PII controller and/or PII processor, and the legal and regulatory requirements related to privacy.

- Leadership: organizations must assign roles and responsibilities for privacy management and establish a privacy policy and objectives.

- Planning: organizations must plan and establish processes for managing privacy risks, including conducting risk assessments and implementing controls to mitigate those risks.

- Support: organizations must provide resources and support for their PIMS, including training, awareness, and communication of privacy policies and procedures.

- Operations: organizations must implement their PIMS, including identifying and classifying personal data, ensuring privacy by design and default, and responding to privacy incidents.

- Performance evaluation: organizations must monitor and measure the effectiveness of their PIMS, including conducting internal audits and reviews.

- Improvement: organizations must continuously improve their PIMS by identifying areas for improvement and implementing corrective and preventive actions.

These requirements are intended to be flexible and adaptable to the specific needs and circumstances of each organization, so organizations can use them to build a PIMS that fits their own processing activities.

Sounds familiar? It should: the structure mirrors the obligations in the GDPR.

ISO 27701 can help organizations comply with the General Data Protection Regulation (GDPR) because its controls map closely onto GDPR obligations. The standard's Annex D even maps its controls to the relevant GDPR articles, which makes it a useful implementation guide and evidence base for an accountability review.

We're getting closer and closer... 

GDPR briefly explained: the GDPR is the EU regulation on data protection and privacy. It protects the personal data of individuals in the European Union (EU) and the European Economic Area (EEA), and it also applies to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour.

Wanna learn more about GDPR? Click here!

So what to do first? ISO 27001, ISO 27701 or GDPR?

First. Have a delicious cup of coffee! ☕️

ISO 27701 cannot be certified on its own. It is audited as an extension of an ISO 27001 certification.

The reason for this is that ISO 27701 builds on the requirements and controls of ISO 27001 and only adds the privacy-specific requirements on top; without an ISMS there is nothing for the PIMS to extend.

Therefore, to obtain ISO 27701 certification, an organization must implement an ISMS that complies with ISO 27001!

And then implement a PIMS that meets the requirements of ISO 27701. In practice the two can be built and audited together in one certification cycle, or the PIMS can be added to an existing ISO 27001 certificate.

During the certification audit for ISO 27701, both the ISMS and the PIMS are evaluated to ensure that the organization has implemented all the required controls and processes. Keep in mind that the PIMS scope must sit inside the ISMS scope: a processing activity you want covered by ISO 27701 has to be covered by ISO 27001 first.

In summary, an organization cannot be certified to ISO 27701 without being certified to ISO 27001, and both standards must be implemented together to hold ISO 27701 certification.

ISO 27701 and GDPR

One caveat up front: certification to ISO 27701 does not relieve an organization of the need to comply with data protection regulations such as the European Union's General Data Protection Regulation (GDPR). It is also not an approved certification mechanism under Article 42 GDPR, so it does not by itself prove compliance to a supervisory authority.

ISO 27701 provides guidance and requirements for implementing a privacy information management system (PIMS) within an organization. The standard aligns with the data protection principles and concepts found in many data protection regulations, including the GDPR.

However, compliance with the GDPR and other data protection regulations requires more than just implementing a PIMS. Organizations must also meet the specific requirements of each regulation, including the data protection principles, data subject rights, lawful bases for processing, breach notification obligations (72 hours to the supervisory authority under the GDPR), and any other obligations that apply to them.

In summary, ISO 27701 can help organizations comply with the GDPR by providing a framework for managing personal data and for demonstrating accountability, which is itself a GDPR principle. By implementing ISO 27701, organizations can show their commitment to data protection, produce the documentation an auditor or regulator will ask for, and improve their overall information security posture.

Jessica Doering

Jess is the marketing mind at Secfix. She loves every dog on this planet!
