
ISO 27701 and GDPR: Complete Mapping Guide

ISO 27701 was designed with GDPR requirements in mind, and Annex D of the standard provides an explicit mapping between ISO 27701 controls and GDPR articles. This alignment makes ISO 27701 certification valuable for demonstrating systematic GDPR compliance support.

Key Takeaways

Point Summary
Design alignment ISO 27701 explicitly designed to support GDPR compliance
Mapping provided Annex D maps controls to GDPR articles
Controller coverage Annex A controls map to controller obligations (chiefly Art. 5-25, 30, 32-36 and Chapter V)
Processor coverage Annex B controls map to processor obligations (chiefly Art. 28-30, 32-33 and Chapter V)
Important caveat Certification supports but doesn't equal GDPR compliance
Documentation benefit ISO 27701 creates GDPR accountability evidence

Quick Answer: ISO 27701 provides structured support for GDPR compliance through explicit mapping between its controls and GDPR articles. Annex A controls address controller requirements, Annex B addresses processor requirements. However, ISO 27701 certification demonstrates systematic privacy management, not legal GDPR compliance, which requires additional legal and operational measures.

Understanding the Relationship

Certification vs. Legal Compliance

Aspect ISO 27701 Certification GDPR Compliance
Nature Technical standard certification Legal requirement
Scope Privacy management system All GDPR obligations
Assessment Auditor against standard Supervisory authority interpretation
Outcome Certificate Ongoing legal compliance
Liability None from certification Legal penalties for non-compliance

ISO 27701 certification supports GDPR compliance by:

  • Providing systematic framework for privacy management
  • Creating documented evidence of accountability
  • Establishing repeatable processes for rights and obligations
  • Demonstrating commitment to privacy protection

ISO 27701 certification does not:

  • Guarantee GDPR legal compliance
  • Replace legal analysis of processing activities
  • Substitute for Data Protection Impact Assessments
  • Eliminate need for legal counsel on complex matters

GDPR Principles Mapping

Article 5 Principles Alignment

GDPR Principle Article 5 Reference ISO 27701 Coverage
Lawfulness, fairness, transparency Art. 5(1)(a) A.7.2.1, A.7.2.2, A.7.3.2
Purpose limitation Art. 5(1)(b) A.7.2.1, A.7.4.2
Data minimization Art. 5(1)(c) A.7.4.1, A.7.4.4
Accuracy Art. 5(1)(d) A.7.4.3
Storage limitation Art. 5(1)(e) A.7.4.7, A.7.4.8
Integrity and confidentiality Art. 5(1)(f) ISO 27001 controls + A.7.4.9
Accountability Art. 5(2) PIMS framework, A.7.2.8

Controller Obligations Mapping

Lawful Basis (Article 6)

GDPR Requirement ISO 27701 Control Implementation
Identify lawful basis A.7.2.2 Legal basis register
Document basis A.7.2.2 Processing records
Consent requirements A.7.2.4 Consent management
Purpose specification A.7.2.1 Purpose documentation

Consent (Articles 7-8)

GDPR Requirement ISO 27701 Control Implementation
Conditions for consent A.7.2.4 Consent mechanisms
Withdrawal mechanism A.7.3.4 Withdrawal procedures
Consent modification A.7.3.4 Preference management
Children's consent A.7.2.3, A.7.2.4 Age verification, parental consent

Transparency (Articles 12-14)

GDPR Requirement ISO 27701 Control Implementation
Transparent information A.7.3.2, A.7.3.3 Privacy notices
Clear communication A.7.3.3 Plain language policies
Information at collection A.7.3.2, A.7.3.3 Collection point notices
Indirect collection info A.7.3.2, A.7.3.3 Third-party data notices

Data Subject Rights (Articles 15-22)

GDPR Right Article ISO 27701 Control Implementation
Access Art. 15 A.7.3.6, A.7.3.8 DSAR process, copy of PII processed
Rectification Art. 16 A.7.3.6 Correction procedures
Erasure Art. 17 A.7.3.6, A.7.4.5 Deletion procedures
Restriction Art. 18 A.7.3.1, A.7.3.9 Processing restriction (no dedicated control; handled under general obligations and request handling)
Notification Art. 19 A.7.3.7 Third-party notification
Portability Art. 20 A.7.3.8 Data export
Objection Art. 21 A.7.3.5 Objection handling
Automated decisions Art. 22 A.7.3.10 Profiling controls

Privacy by Design (Article 25)

GDPR Requirement ISO 27701 Control Implementation
Data protection by design A.7.4 series Privacy by design process
Data protection by default A.7.4.1, A.7.4.2 Default privacy settings
Minimization A.7.4.4 Collection limitation
Pseudonymization A.7.4.5 De-identification

Records of Processing (Article 30)

GDPR Requirement ISO 27701 Control Implementation
Controller records A.7.2.8 Processing inventory
Processor records B.8.2.6 Processor register
Record contents A.7.2.8 Required fields documented
Record availability A.7.2.8 Accessible for supervisory authority

Security (Article 32)

GDPR Requirement ISO 27701 Control Implementation
Appropriate measures ISO 27001 Annex A Security controls
Pseudonymization A.7.4.5 De-identification
Confidentiality and integrity A.7.4.9 + ISO 27001 Annex A Transmission controls (encryption in transit), access controls
Regular testing ISO 27001 Clauses 9.1-9.2 Monitoring, internal audits, effectiveness reviews

Data Protection Impact Assessment (Article 35)

GDPR Requirement ISO 27701 Control Implementation
DPIA requirement A.7.2.5 PIA process
DPIA content A.7.2.5 Assessment template
High-risk processing A.7.2.5 Risk criteria
DPO consultation A.7.2.5 DPO involvement

Processor Obligations Mapping

Processor Requirements (Article 28)

GDPR Requirement ISO 27701 Control Implementation
Written contract B.8.2.1 DPA in place
Processing instructions B.8.2.2, B.8.2.4 Instruction documentation, handling of infringing instructions
Confidentiality B.8.2.1, ISO 27001 A.6.6 Personnel confidentiality obligations
Security measures ISO 27001 Technical and organizational measures
Sub-processor use B.8.5.6-8 Sub-processor disclosure, engagement and change management
Controller assistance B.8.2.5, B.8.3.1 Support processes
Audit cooperation B.8.2.1 Audit procedures
Deletion/return B.8.4.2 End of service procedures

Breach Notification (Articles 33-34)

GDPR Requirement ISO 27701 Control Implementation
Processor notification to controller Clause 6.13.1.1 (PIMS incident management guidance) Without undue delay after becoming aware
Controller notification to supervisory authority Clause 6.13.1.1 Without undue delay and, where feasible, within 72 hours of becoming aware
Notification content Clause 6.13.1.1, ISO 27001 A.5.24-A.5.26 Required information per Article 33(3)
Data subject notification Clause 6.13.1.1 When the breach is likely to result in a high risk to individuals (Art. 34)

Important timing clarification: The 72-hour deadline in GDPR Article 33(1) applies specifically to controllers notifying the supervisory authority, runs from the moment the controller becomes aware of the breach, and is qualified by "where feasible" (a later notification must be accompanied by reasons for the delay). Notification is not required where the breach is unlikely to result in a risk to individuals, but that judgement must be documented under Article 33(5). Processors must notify controllers "without undue delay", and GDPR does not specify exact hours. Because any processor delay consumes part of the controller's window, many Data Processing Agreements contractually require processor notification within 24-48 hours.

International Transfers Mapping

Transfer Requirements (Chapter V)

GDPR Requirement ISO 27701 Coverage Implementation
Transfer basis A.7.5.1, B.8.5.1 Transfer documentation
Adequacy decisions A.7.5.2, B.8.5.2 Country assessment
Standard clauses A.7.5.1, B.8.5.1 SCCs implementation
Binding corporate rules A.7.5.1 BCR documentation
Derogations A.7.5.1 Specific consent, contracts
Records of transfers A.7.5.3 Transfer register (also feeds Art. 30 records)

Creating GDPR Compliance Evidence

Documentation Framework

GDPR Accountability Evidence ISO 27701 Source
Privacy policy ISO 27001 Clause 5.2, ISO 27701 6.2.1.1
Processing records A.7.2.8, B.8.2.6
Legal basis documentation A.7.2.2
Consent records A.7.2.4
DPIA records A.7.2.5
Processor agreements A.7.2.6
Training records ISO 27001 Clauses 7.2-7.3
Audit reports ISO 27001 Clause 9.2

Demonstrating Accountability

GDPR Art. 5(2) Requirement Evidence from ISO 27701
Demonstrate compliance PIMS documentation
Data protection policies Privacy policy suite
Records of processing PII inventory
Technical measures Control implementation evidence
Organizational measures Roles, procedures, training
DPO appointment If required, documented role

Regulatory Recognition

Supervisory Authority Perspectives

ISO 27701 certification is not legally required, and it is not an approved GDPR certification mechanism under Article 42, so it does not carry the specific weight that Article 83(2)(j) gives such certifications. Supervisory authorities may nonetheless treat it as evidence of the technical and organizational measures an organization has implemented:

Consideration Regulatory View
Evidence of commitment Positive indicator of privacy investment
Systematic approach Demonstrates organized privacy management
Third-party validation External verification adds credibility
Not compliance proof Does not substitute for legal analysis
Factor in enforcement May be considered under Art. 83(2)(d) (measures implemented) when penalties are assessed

Using Certification in Practice

Context How ISO 27701 Helps
Supervisory authority inquiry Evidence of systematic approach
Customer due diligence Third-party validated privacy practices
Vendor assessments Demonstrates processor reliability
Breach response Evidence of pre-existing measures
Contract negotiations Objective privacy standard reference

Common Questions

Does ISO 27701 certification guarantee GDPR compliance?

No. Certification demonstrates you have a systematic privacy management system, but GDPR compliance involves legal interpretations, specific factual circumstances, and ongoing operational compliance that certification cannot verify.

Can ISO 27701 replace a GDPR compliance assessment?

No. ISO 27701 provides framework and controls, but legal analysis of your specific processing activities, legal bases, and regulatory obligations still requires legal expertise and judgment.

How do auditors assess GDPR alignment?

ISO 27701 auditors assess whether you've implemented the standard's controls. They do not assess GDPR legal compliance directly, though their assessment covers many areas that support compliance.

What if GDPR requirements change?

GDPR is law that can be interpreted and enforced differently over time. ISO 27701 provides a framework; you must stay current with GDPR interpretations and update your practices accordingly.

How Bastion Helps

Aligning ISO 27701 implementation with GDPR requirements maximizes the value of your certification investment. We help organizations build integrated compliance programs.

Service Description
GDPR gap analysis Identify GDPR requirements and current gaps
Integrated implementation Implement ISO 27701 with GDPR alignment
Documentation Create documentation serving both certification and compliance
Ongoing support Maintain alignment as regulations evolve
Legal coordination Work with your legal counsel on compliance questions

Ready to align ISO 27701 certification with GDPR compliance? Talk to our team

