The first question every ISO 27701 implementation must answer is also the one most organisations get wrong. Are you a PII Controller, a PII Processor, or both? The answer determines which controls apply to you, how your PIMS is structured, and what your certification covers. Getting it wrong means building a privacy management system around the wrong set of obligations — and discovering the error at certification audit.

This post gives you a clear, practical account of how ISO 27701 defines the two roles, how they map to GDPR’s controller/processor distinction, and how to determine which applies to your organisation.

The Definitions That Matter

ISO 27701:2019 adopts the same fundamental distinction as GDPR:

A PII Controller is an organisation (or individual) that determines the purposes and means of processing personal data. You decide why the data is collected and how it will be used. Even if you outsource the technical processing to a third party, if you are making the decisions about what data is collected and why, you are the controller.

A PII Processor is an organisation that processes personal data on behalf of a controller, following the controller’s documented instructions. You are not making decisions about the purpose of the processing — you are performing a service that involves handling personal data as part of that service.

The boundary sounds straightforward. In practice, it requires careful analysis — because many organisations are both, depending on the processing activity being considered.

How to Determine Your Role in Practice

The clearest test is: whose purpose does this processing serve, and who decides how it is carried out?

A payroll bureau processes employee salary data on behalf of its clients. The clients (employers) decide what data is processed and why — they are the controllers. The payroll bureau processes data to the clients’ instructions — it is the processor. The payroll bureau holds its own employee HR data and decides how to use it — for that data, it is the controller.

A SaaS platform hosts customer data in its system. The customers (companies using the platform) decide what data to input and why — they are controllers of that data. The SaaS platform processes it as instructed — it is the processor. But the SaaS platform also processes usage analytics to improve its product — for that processing, it is the controller.

The result, for most organisations, is that they are simultaneously controllers for some processing activities and processors for others. ISO 27701 accommodates this: you can be certified as both a controller and processor, with your PIMS covering the obligations of both roles.

Why the Distinction Drives Your PIMS Structure

ISO 27701:2019 contains separate Annexes for controllers and processors — Annex A for PII Controllers and Annex B for PII Processors. The controls in each Annex reflect the different obligations GDPR places on each role.

Controller-specific controls include: establishing a legal basis for each processing activity, managing consent collection and withdrawal, providing privacy notices to data subjects, facilitating data subject rights (access, erasure, portability, restriction, objection), conducting Data Protection Impact Assessments (DPIAs) for high-risk processing, and managing transfers of data to third countries.

Processor-specific controls include: processing only to the documented instructions of the controller, maintaining records of processing activities carried out on behalf of controllers, assisting controllers in meeting their data subject rights obligations, notifying controllers of data breaches without undue delay, and ensuring sub-processors are subject to equivalent obligations.

An organisation that has incorrectly identified itself as only a processor — when it is in fact also acting as a controller for some of its processing activities — will have an PIMS that is missing an entire category of controls. Those missing controls will be found during internal audit or certification audit, requiring potentially significant rework.

The Data Mapping Step You Cannot Skip

The only reliable way to identify your controller/processor status across all processing activities is a comprehensive data mapping exercise. This involves cataloguing every category of personal data your organisation processes, the purpose for which it is processed, the legal basis relied upon, the systems involved, the recipients and third-party processors engaged, and the retention periods applied.

For each processing activity identified, you then assess: are we determining the purpose and means of this processing (controller), or are we processing to someone else’s instructions (processor)?

This exercise is not just an ISO 27701 requirement. It is the foundation of GDPR compliance — Article 30 requires both controllers and processors to maintain records of processing activities. The data mapping work you do to identify your PIMS structure is the same work that produces your Article 30 register.

Where Organisations Most Often Get This Wrong

SaaS and technology companies commonly assume they are pure processors because they are providing a platform service. They miss the controller obligations that arise from their own analytics processing, their use of customer data for product improvement, or their handling of prospect and marketing data.

Professional services firms often overlook their processor role. A law firm or consultancy handling client personal data under a service agreement may be acting as a processor for that data — but because they think of themselves as “professional advisors” rather than “data processors,” they miss the processor-specific obligations.

Group companies frequently have both controller and processor relationships within the same corporate structure — one entity providing services to others — that require careful mapping to determine which obligations apply to which entity in which direction.

The Practical Starting Point

Before designing your PIMS, before selecting controls, before writing policies — map your data. Understand every processing activity, its purpose, its legal basis, and your role in it. That map is the foundation on which your PIMS is built, and it is the document an auditor will scrutinise when they want to understand whether your PIMS addresses the right obligations.

At Bitsecura, the first step of every ISO 27701 engagement is a data flow mapping exercise — a systematic inventory of PII processing activities that identifies both your controller and processor obligations. We build your PIMS on that foundation, not on assumptions about which role applies.

If you are trying to work out which role applies to your organisation — or if you suspect your current PIMS structure may not be addressing all your obligations — talk to us here. No strings, no sales process.


Bitsecura provides ISO 27701 PIMS implementation, internal audit, and privacy gap assessment services. Learn more about our ISO 27701 services.