
Why does ISO 27701:2025 support GDPR compliance?

The General Data Protection Regulation requires organisations to implement appropriate technical and organisational measures to protect personal data, but it does not prescribe exactly how. ISO 27701:2025 fills that gap by providing a systematic, auditable framework for managing personally identifiable information (PII) that aligns with GDPR’s principles and requirements.

The 2025 edition strengthens this alignment significantly. Annex D provides an explicit mapping between ISO 27701 controls and specific GDPR articles, giving organisations an official reference for how their privacy information management system (PIMS) supports each regulatory obligation. This is not a guarantee of compliance, but it is strong, demonstrable evidence of a systematic approach to data protection.

ISO 27701 certification supports GDPR compliance in several ways:

  • Accountability (Article 5(2)) — Certification demonstrates that your organisation has implemented a structured privacy management system, not just written policies
  • Data protection by design and default (Article 25) — The control framework ensures privacy is embedded into processing activities from the outset
  • Processor compliance (Article 28) — Processors can use ISO 27701 certification to provide sufficient guarantees to controllers
  • International transfers (Article 46) — Certification can serve as an appropriate safeguard for cross-border data transfers

How do GDPR Article 5 principles map to ISO 27701 controls?

GDPR Article 5 sets out the core data protection principles. Every one of them is addressed by ISO 27701:2025 controls:

| GDPR Principle (Article 5) | ISO 27701:2025 Controls | How they align |
|---|---|---|
| Lawfulness, fairness and transparency | A.1.2.3 Identify Lawful Basis, A.1.3.2 Obligations to PII Principals, A.1.3.3 Information for PII Principals, A.1.3.4 Providing Information | Require lawful basis documentation, transparency obligations and clear information provision to data subjects |
| Purpose limitation | A.1.2.2 Identify and Document Purpose, A.2.2.3 Organisation Purposes | Mandate documentation of processing purposes and prevent processing beyond those stated purposes |
| Data minimisation | A.1.4.2 Limit Collection, A.1.4.3 Limit Processing, A.1.4.5 PII Minimisation | Limit PII collection and processing to what is adequate, relevant and necessary |
| Accuracy | A.1.4.4 Accuracy and Quality | Requires measures to ensure PII remains accurate and up to date |
| Storage limitation | A.1.4.8 Retention, A.1.4.9 Disposal | Address temporary file management and establish retention and disposal requirements |
| Integrity and confidentiality | A.3.x shared controls | 29 security controls covering access control, cryptography, physical security, operations security and more |
| Accountability | A.1.2.9 Records of Processing PII, A.2.2.7 Records of Processing PII | Require comprehensive records of PII processing activities for both controllers and processors |

How do controller obligations map to Annex A.1?

GDPR Articles 24 and 25 place specific obligations on data controllers, including implementing appropriate measures, maintaining records and ensuring data protection by design. Annex A.1 contains 31 controls that map directly to these obligations:

  • Conditions for processing (A.1.2.x) — Eight controls covering purpose documentation, lawful basis, consent management, privacy impact assessments, processor contracts, joint controller arrangements and processing records. These support Articles 6, 7, 24, 25, 26 and 30
  • Obligations to PII principals (A.1.3.x) — Ten controls addressing data subject rights including information provision, consent withdrawal, objection, access, correction, erasure, portability and automated decision making. These map to Articles 12 through 22
  • Privacy by design (A.1.4.x) — Nine controls covering collection limitation, processing limitation, accuracy, minimisation, de-identification, temporary files, retention and transmission. These support Articles 5 and 25
  • International transfers (A.1.5.x) — Four controls addressing the identification of transfer jurisdictions, documentation of transfer bases and recording of transfers. These map to Articles 44 through 49

How do processor obligations map to Annex A.2?

GDPR Article 28 sets out detailed requirements for data processors. Annex A.2 provides 18 controls that directly support processors in meeting these requirements:

  • Processing conditions (A.2.2.x) — Six controls covering customer agreements, processing purposes, marketing restrictions, infringing instructions, customer obligations and processing records. These directly address Article 28(3) requirements for processor contracts
  • PII principal obligations (A.2.3.2 Obligations to PII Principals) — One control requiring processors to support controllers in responding to data subject requests, aligning with Article 28(3)(e)
  • Privacy by design (A.2.4.x) — Three controls addressing temporary files, return/transfer/disposal of PII and PII transmission controls
  • International transfers (A.2.5.x) — Eight controls covering transfer basis, country documentation, disclosure records, notification of disclosure requests, legally binding disclosures, subcontractor disclosure, subcontractor engagement and subcontractor changes

For processors, ISO 27701:2025 certification provides powerful evidence of compliance with Article 28. Controllers can reference the processor’s certification as evidence that sufficient guarantees are in place, streamlining due diligence and contract negotiations.

Using certification in processor agreements

In practice, ISO 27701 certification can be referenced directly in data processing agreements (DPAs) as evidence of sufficient guarantees under Article 28(1). This benefits both parties:

  • For processors — Certification reduces the need to complete bespoke security questionnaires for every customer. A single, independently audited certificate covers the key requirements
  • For controllers — Certification provides assurance that the processor’s privacy practices have been verified by an accredited third party, reducing due diligence effort
  • For sub-processors — The A.2.5.x transfer controls and A.2.2.2 Customer Agreement ensure the processor has documented controls over its own supply chain

How does ISO 27701 support data subject rights under Articles 15 to 22?

One of the most operationally demanding aspects of GDPR is fulfilling data subject rights. ISO 27701:2025 provides a structured approach through the A.1.3.x controller controls:

| GDPR Right | Article | ISO 27701 Control |
|---|---|---|
| Right to be informed | Articles 13 and 14 | A.1.3.3 Information for PII Principals, A.1.3.4 Providing Information |
| Right of access | Article 15 | A.1.3.7 Access, Correction or Erasure, A.1.3.9 Providing Copy of PII |
| Right to rectification | Article 16 | A.1.3.7 Access, Correction or Erasure |
| Right to erasure | Article 17 | A.1.3.7 Access, Correction or Erasure |
| Right to restrict processing | Article 18 | A.1.3.7 Access, Correction or Erasure |
| Notification obligation | Article 19 | A.1.3.8 Inform Third Parties |
| Right to data portability | Article 20 | A.1.3.9 Providing Copy of PII |
| Right to object | Article 21 | A.1.3.6 Object to PII Processing |
| Automated decision making | Article 22 | A.1.3.11 Automated Decision Making |

Control A.1.3.10 Handling Requests provides the operational framework for managing all data subject requests, including response timelines, verification procedures and escalation paths. This control underpins the practical delivery of all the rights listed above.

How do ISO 27701 controls address international data transfers?

GDPR Articles 44 to 49 impose strict requirements on transferring personal data outside the European Economic Area. ISO 27701:2025 addresses this through dedicated transfer controls in both the controller (A.1.5.x) and processor (A.2.5.x) tables:

How does ISO 27701 support breach notification under Articles 33 and 34?

GDPR requires organisations to notify supervisory authorities of personal data breaches within 72 hours (Article 33) and, in high-risk cases, notify affected individuals without undue delay (Article 34). ISO 27701:2025 supports these requirements through the shared security controls:

  • A.3.11 Incident Management (Information security incident management planning and preparation) — Requires organisations to establish incident management procedures that include privacy breach identification, classification and escalation
  • A.3.12 Security Incident Response (Reporting information security events) — Establishes reporting channels and responsibilities for security events that may involve PII, ensuring breaches are detected and reported within the required timeframe

The combination of these controls with the broader PIMS framework ensures organisations have the processes, documentation and evidence trail needed to meet GDPR’s notification requirements.

How does ISO 27701 address data protection impact assessments?

GDPR Article 35 requires data protection impact assessments (DPIAs) for processing activities that are likely to result in high risk to individuals. ISO 27701:2025 Control A.1.2.6 Privacy Impact Assessment requires organisations to conduct privacy impact assessments whenever new processing activities are introduced or existing ones are significantly changed.

The control requires organisations to assess the necessity and proportionality of the processing, evaluate risks to PII principals, identify measures to mitigate those risks, and document the assessment and its outcomes. This aligns directly with the DPIA requirements of Article 35, and the Annex B guidance provides a practical framework for conducting these assessments systematically.

By embedding privacy impact assessments into the PIMS, organisations ensure they are conducted consistently across all processing activities rather than on an ad hoc basis. This is a significant advantage over standalone DPIA processes that can be inconsistently applied or overlooked entirely.

Using ISO 27701 to demonstrate GDPR accountability

GDPR Article 5(2) requires controllers to demonstrate compliance with all data protection principles. This “accountability principle” is one of the most demanding aspects of GDPR because it shifts the burden of proof to the organisation. Simply complying is not enough; you must be able to prove it.

ISO 27701:2025 certification is one of the strongest forms of accountability evidence available because:

  • Independent verification — An accredited certification body audits your PIMS against the standard’s requirements, providing third-party assurance that your privacy management is systematic and effective
  • Continuous compliance — The management system approach requires ongoing monitoring, internal audits and management reviews, not just a one-time compliance exercise
  • Documented evidence — The PIMS generates a comprehensive audit trail of policies, procedures, risk assessments, processing records and corrective actions
  • Regulatory recognition — While not a formal GDPR certification under Article 42, ISO 27701 is increasingly referenced by supervisory authorities and industry bodies as credible evidence of privacy maturity

In the event of a data protection complaint or regulatory investigation, having ISO 27701 certification demonstrates that your organisation took proactive, structured steps to protect personal data. This can be a significant mitigating factor when supervisory authorities are considering enforcement action.

For organisations operating across multiple jurisdictions, ISO 27701 also provides a consistent baseline. While GDPR is the most comprehensive data protection regulation, similar principles appear in laws worldwide, from Brazil’s LGPD to California’s CCPA. An ISO 27701 certified PIMS addresses the common requirements across these regulations, reducing the effort needed to demonstrate compliance in each jurisdiction.

Why choose ISMS.online for ISO 27701 and GDPR compliance?

ISMS.online is built to help organisations achieve and maintain both ISO 27701 certification and GDPR compliance in a single platform:

  • GDPR-mapped control framework — See exactly how your ISO 27701 controls map to each GDPR article, using the Annex D mapping built into the platform
  • Data subject request management — Track and respond to access, rectification, erasure and portability requests with built-in workflows and audit trails
  • Processing activity register — Maintain your Article 30 records of processing activities, linked directly to the controls that protect each processing activity
  • Breach management workflow — Log, assess and report data breaches with structured workflows that help you meet the 72-hour notification window
  • Transfer impact assessments — Document and assess international data transfers with built-in templates aligned to the A.1.5.x and A.2.5.x controls

FAQs

Does ISO 27701 certification prove GDPR compliance?

ISO 27701 certification is not an official GDPR certification mechanism under Article 42, and no single certification can guarantee full GDPR compliance. However, ISO 27701:2025 certification provides strong, independently audited evidence that your organisation has implemented a systematic approach to privacy management that aligns with GDPR principles and requirements. Annex D provides an explicit mapping between controls and GDPR articles, making it straightforward to demonstrate how your PIMS addresses each obligation. Many supervisory authorities and industry bodies recognise ISO 27701 certification as a credible indicator of GDPR compliance maturity.


Which GDPR articles are covered by ISO 27701:2025?

Annex D maps ISO 27701 controls to GDPR articles covering the core data protection principles (Article 5), lawful bases for processing (Article 6), consent (Article 7), special categories (Article 9), transparency and information (Articles 12 to 14), data subject rights (Articles 15 to 22), controller obligations (Articles 24 to 25), processor requirements (Article 28), records of processing (Article 30), security (Article 32), breach notification (Articles 33 to 34), data protection impact assessments (Article 35) and international transfers (Articles 44 to 49). The mapping is comprehensive but organisations should still conduct their own assessment to ensure full coverage of their specific processing activities.


Can processors use ISO 27701 certification for Article 28 compliance?

Yes, this is one of the most practical applications of ISO 27701 certification. GDPR Article 28(1) requires controllers to use only processors that provide “sufficient guarantees” of appropriate technical and organisational measures. A processor holding ISO 27701:2025 certification demonstrates through independent audit that it has implemented a privacy information management system covering all the areas required by Article 28(3), including processing under instruction, confidentiality, security, sub-processor management, data subject rights support, breach notification, deletion and audit rights. This significantly simplifies the due diligence process for controllers evaluating potential processors.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.
