The fines are no longer hypothetical. In July 2019, the UK Information Commissioner’s Office announced its intention to fine British Airways £183 million for a data breach affecting 500,000 customers. Marriott International faced a £99 million fine for a breach exposing 339 million guest records. France’s CNIL fined Google €50 million for lack of transparency in how it processes personal data for advertising.
GDPR enforcement has arrived. And the organisations being scrutinised are discovering a painful truth: saying you are GDPR compliant and being able to demonstrate it to a regulator are two completely different things.
ISO 27701, published five months ago, is designed to close that gap. Here is why it matters more now than it did when it launched.
The Accountability Problem GDPR Created
GDPR’s accountability principle (Article 5(2)) requires organisations not just to comply with data protection obligations, but to be able to demonstrate that compliance. This is not a passive obligation. It requires documented evidence: records of processing activities, privacy impact assessments, consent records, data subject request logs, breach notification records, and evidence that controls are actually operating.
Most organisations spent 2018 writing policies and updating privacy notices. What they did not build was a managed system for generating, maintaining, and presenting that evidence on demand. When an enforcement action arrives — triggered by a data breach, a data subject complaint, or a regulatory sweep — the organisations that have a documented, audited privacy management system are in a categorically different position from those who have a folder of PDFs and a spreadsheet.
The enforcement actions of 2019 have made this concrete. British Airways did not fail because it lacked a privacy policy. It failed because its security and privacy controls were not adequate, and it could not demonstrate a systematic approach to managing personal data risk. That is precisely what ISO 27701 is designed to address.
What ISO 27701 Provides That Self-Assessment Does Not
There is no shortage of GDPR compliance checklists, self-assessment tools, and readiness questionnaires. Every law firm, consultancy, and software vendor has one. The problem is that self-assessment proves nothing to a third party. You are marking your own work.
ISO 27701 certification provides third-party verification by an accredited certification body. An independent auditor has reviewed your Privacy Information Management System, tested whether your controls are implemented and operating, and confirmed that your approach meets the requirements of an internationally recognised standard. That is a fundamentally different form of assurance — from a regulator’s perspective, a client’s perspective, and a data subject’s perspective.
Article 42 of GDPR explicitly provides for the use of approved certification mechanisms as a means of demonstrating compliance with GDPR obligations. ISO 27701 is the standard that was built for exactly this purpose.
The Five Things Regulators Look For — and What Your PIMS Provides
Records of processing activities (Article 30). ISO 27701 requires a documented inventory of PII processing activities, including purposes, categories of data, retention periods, and third-party transfers. This is your Article 30 register, structured and maintained within your PIMS.
Lawful basis and consent management. Your PIMS documents the lawful basis for each processing activity and maintains records of consent where consent is relied upon. When a regulator asks “on what basis are you processing this data?”, the answer is in your PIMS documentation — not in someone’s memory.
Data subject rights procedures. ISO 27701 requires documented procedures for handling data subject requests: access, rectification, erasure, portability, objection. It also requires records of how requests were handled and within what timeframes. This is the audit trail that demonstrates rights are respected in practice, not just in policy.
Breach response capability. Your PIMS includes an incident response process specifically for personal data breaches, including assessment, notification to supervisory authorities within 72 hours (Article 33), and communication to affected data subjects (Article 34) where required. The process is documented, trained, and tested — not improvised under pressure.
Privacy risk assessment. ISO 27701 requires privacy risks to be assessed as part of the PIMS — covering both the likelihood and impact of risks to data subjects from your processing activities. This is the documented risk management evidence that demonstrates you have taken a systematic approach to identifying and mitigating privacy risks.
How the Enforcement Landscape Is Changing the Calculation
In 2018, many organisations made a rational if uncomfortable calculation: the cost of thorough GDPR compliance exceeds the expected cost of enforcement. With fines unlikely to materialise quickly and regulatory capacity limited, the risk-adjusted case for investment was not obvious.
That calculation has changed. Supervisory authorities across Europe are now actively investigating complaints, conducting audits, and issuing fines. The ICO, CNIL, and their counterparts have demonstrated both the willingness and capacity to act. And the reputational damage from a publicised enforcement action — regardless of the fine amount — is increasingly significant in markets where clients and partners conduct privacy due diligence.
The organisations that invest in ISO 27701 certification now are making a strategic decision to get ahead of enforcement pressure rather than respond to it. They are also building a competitive differentiator: as enterprise procurement increasingly requires evidence of privacy controls, a certified PIMS becomes a commercial asset, not just a compliance cost.
Bitsecura builds Privacy Information Management Systems that are designed to be demonstrated — to regulators, to clients, and to the data subjects whose trust you depend on. We start with a gap assessment that maps your current practices against ISO 27701:2019, then build the PIMS around your actual processing activities.
If the enforcement actions of 2019 have made you reconsider your privacy posture, start a conversation with us here. No pitch, no commitment — just an honest discussion of where you stand.
Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.