GDPR gave organisations an obligation but not a blueprint. It told you to implement “appropriate technical and organisational measures” for privacy. It required you to demonstrate accountability. It threatened fines of up to €20 million or 4% of global annual turnover for getting it wrong. What it did not give you was a certifiable framework for showing regulators, clients, and data subjects that you had actually done the work.
ISO/IEC 27701:2019, published this August, changes that. It is the first international standard dedicated to Privacy Information Management Systems — and it is the closest thing to a certifiable GDPR compliance framework that exists.
This post explains what it is, what it requires, and why organisations that move early will have a meaningful advantage over those that wait.
What ISO 27701 Actually Is
ISO 27701:2019 is an extension to ISO 27001 and ISO 27002. It builds a Privacy Information Management System (PIMS) on top of the information security management foundations those standards provide. Organisations pursuing ISO 27701 certification must either already hold ISO 27001 certification or implement both standards together.
The standard defines controls for two distinct roles:
- PII Controllers — organisations that determine the purposes and means of processing personal data (most organisations that collect and use customer data directly)
- PII Processors — organisations that process personal data on behalf of controllers (cloud providers, payroll processors, SaaS vendors, managed service providers)
This distinction maps directly onto the GDPR’s controller/processor framework. The controls for each role reflect the different obligations GDPR places on them — which means ISO 27701 is not just a generic privacy framework. It is designed to align with the specific structure of European data protection law.
What a PIMS Actually Requires
A Privacy Information Management System under ISO 27701 is not a privacy policy and a data register. It is a managed system — documented, operated, audited, and continually improved — that governs how your organisation handles personally identifiable information (PII) across its operations.
The standard requires organisations to:
- Map and document all PII processing activities, including data flows, retention periods, and third-party transfers
- Implement controls for consent management, data subject rights (access, rectification, erasure, portability), and privacy notices
- Manage privacy risks through a formal risk assessment process that covers PII processing specifically
- Define roles and responsibilities for privacy management, including the DPO function where applicable
- Establish processes for handling data breaches, data subject requests, and regulatory enquiries
- Maintain records of processing activities (Article 30 GDPR) as part of the PIMS documentation
- Conduct internal audits of the PIMS and management reviews at planned intervals
For organisations that have been working on GDPR compliance since 2018, much of this will be familiar territory. The value of ISO 27701 is not that it introduces new concepts — it is that it provides a structured, auditable framework for demonstrating that those concepts are implemented and operating effectively.
Why Certification Matters Beyond Compliance
GDPR requires accountability. It does not define precisely how accountability should be demonstrated. ISO 27701 certification provides an internationally recognised, third-party-verified answer to that question.
When a data subject asks how their data is protected, you have a certificate. When a regulator investigates a complaint and asks what measures you have in place, you have documented evidence from a certification audit. When a client’s procurement team asks for evidence of privacy controls, you have an audited management system — not a self-assessment questionnaire.
The Article 42 of GDPR explicitly refers to the use of approved certification mechanisms as a means to demonstrate compliance. ISO 27701 is positioning itself as the leading mechanism for this purpose. Organisations that hold certification when enforcement actions and client demands intensify will be in a substantively different position from those that do not.
Who Should Move on This Now
ISO 27701 is immediately relevant for:
- Cloud and SaaS providers processing customer data as PII Processors — where enterprise clients are increasingly requiring evidence of privacy controls in vendor assessments
- Healthcare and financial services organisations handling large volumes of sensitive personal data under sector-specific regulatory obligations
- Professional services firms processing employee and client PII across multiple jurisdictions
- Any organisation that has experienced a data breach and needs to demonstrate to a regulator that its privacy controls have been substantially improved
For organisations already certified to ISO 27001, the incremental investment in ISO 27701 is lower than starting from scratch — the management system infrastructure is already in place. The extension builds on it rather than replacing it.
The Honest Starting Point
The first question most organisations need to answer is not “how do we certify?” but “where are we actually starting from?” A privacy gap assessment — a structured comparison of current practices against ISO 27701:2019 controls — provides the baseline. Without it, implementation efforts are either over-scoped (addressing things that are already in place) or under-scoped (missing gaps that will surface at certification audit).
At Bitsecura, we work with organisations to build Privacy Information Management Systems that are designed to be certified and maintained — not just documented. We start with a gap assessment that tells you exactly where you stand, then build the PIMS around your actual PII processing activities and risk profile. No generic templates.
If you want to understand what ISO 27701 means for your organisation specifically, get in touch here. No obligation — just a straight conversation about where to start.
Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.