Operating globally with ISO 27701 data protection orientation

May 06, 2021 Audit

The COVID-19 pandemic has accelerated the digitization of data exchange between companies and customers in many sectors. Personal data is processed across national borders, in particular through web-based applications and forms. To protect those affected from harm, companies must store and process information in such a way that unauthorized third parties cannot access it.

Possible solutions for the protection of personal data

  • Implementation of an appropriate Privacy Information Management System (PIMS)
  • Data protection training for employees
  • Logging of accesses and changes
  • Encryption, e.g., of special categories of personal data (e.g., health data)

Opportunities and risks of a digital world

Digital transformation brings many advantages for customers and companies, as information can be exchanged quickly and easily anywhere in the world at any time.
International studies show that only a few users feel the internet is safe when it comes to their personal data.
This concern is justified given incidents in the recent past in which personal information, including credit card data, fell into criminal hands through data breaches. Companies that process data must address this issue and keep risks to a minimum if users are to trust them and their web-based applications. Threats can be reduced by implementing and regularly monitoring internal company measures.

Risk assessment from the perspective of the data subject

An extension of the ISO 27001 standard, ISO 27701 considers a certain proportion of the GDPR requirements and is thus an important step in the direction of data protection. However, it does not replace a GDPR audit. The standard requires that risks be considered from the perspective of the data subjects whose data is stored and processed. Because personal data is classified by the standard setter as a particular risk, there are extensive requirements and measures for the PIMS within a company.

Transnational protection by maximum principle

Companies that process personal data across countries should review their Privacy Information Management System and ensure compliance with all individual national regulations. This can become a time-consuming and complex process, as specific regulations for handling personal data may differ in countries outside of the European Union. It is therefore advisable for organizations operating internationally to define information security control loops within their management system that account for the specific regulations of every country in which personal data is processed. In keeping with the maximum principle, the applicable regulations are checked and summarized to form the basis for defining the maximum PIMS requirements needed for compliance in all relevant countries.
Certification in accordance with ISO 27701 provides a good foundation for the examination and verification of correct PIMS implementation. The focus here is on checking the effectiveness of existing control loops and adapting them as the situation requires, depending on the risk assessment from the viewpoint of the person affected. ISO 27701 certification of your PIMS can thereby help you maintain appropriate data protection and avoid costly international penalties.


As a neutral and accomplished partner, we check the correct implementation of your data protection management system in accordance with ISO 27701 while taking country-specific security standards into account. You can rely on our many years of experience in the certification of management systems. Our worldwide network of experts will be happy to support you.