What does Clause 10 require?
Clause 10 closes the PDCA (Plan-Do-Check-Act) loop by requiring your organisation to continually improve the Privacy Information Management System (PIMS) and to deal effectively with nonconformities when they occur. It has two sub-clauses: one for continual improvement and one for the nonconformity and corrective action process.
Corrective actions may require revisiting the Annex A controls and updating the Statement of Applicability.
10.1 Continual improvement
The organisation shall continually improve the suitability, adequacy and effectiveness of the PIMS.
Continual improvement is a fundamental principle of all ISO management system standards. For a PIMS, this means systematically identifying and implementing opportunities to enhance privacy protection. Sources of improvement opportunities include:
- Results from monitoring and measurement (Clause 9.1)
- Internal audit findings (Clause 9.2)
- Management review decisions (Clause 9.3)
- Changes in privacy risks, regulations or technology
- Feedback from PII principals, customers and other interested parties
- Lessons learned from privacy incidents
- Industry best practices and benchmarking
Improvement does not always mean major changes. Small, incremental enhancements to processes, controls and documentation over time can significantly strengthen your privacy posture.
10.2 Nonconformity and corrective action
When a nonconformity occurs, the organisation shall:
- React to the nonconformity — Take action to control and correct it, and deal with the consequences
- Evaluate the need for action — Determine whether action is needed to eliminate the cause so it does not recur or occur elsewhere, by reviewing the nonconformity, determining the causes, and determining if similar nonconformities exist or could potentially occur
- Implement any action needed — Put corrective actions in place to address root causes
- Review effectiveness — Check that the corrective actions taken were effective in preventing recurrence
- Make changes to the PIMS — If necessary, update the management system to reflect lessons learned
Corrective actions must be appropriate to the effects of the nonconformities encountered. A minor procedural gap does not require the same level of response as a significant privacy breach.
Documented information requirements
The organisation must retain documented information as evidence of:
- The nature of the nonconformities and any subsequent actions taken
- The results of any corrective action
This means maintaining clear records that demonstrate you have a systematic process for dealing with problems: not just fixing the immediate issue, but understanding why it happened and preventing it from happening again.
How does this relate to GDPR?
- Article 33 — Notification of a personal data breach to the supervisory authority. Privacy incidents that constitute nonconformities may also require breach notification
- Article 34 — Communication of a personal data breach to the data subject, which may be a corrective action arising from incident investigation
- Article 5(2) — The accountability principle, supported by documented evidence of corrective actions and improvement
- Article 24 — Controller responsibility to review and update measures where necessary, aligning with continual improvement
For the complete mapping, see the GDPR compliance guide.
What changed from ISO 27701:2019?
- Self-contained requirements — In 2019, Clause 5.8 supplemented ISO 27001 Clause 10. Now the improvement requirements are complete and standalone
- Privacy-specific focus — The nonconformity and corrective action process now explicitly operates within the PIMS context rather than extending an ISMS process
- Clearer structure — The five-step corrective action process (react, evaluate, implement, review, change) is more clearly articulated
For a broader overview, see what’s new in ISO 27701:2025.
See the Annex F correspondence table for the full mapping.
What evidence do auditors expect?
- Nonconformity register — A log of all nonconformities identified, from any source (audits, incidents, complaints, monitoring)
- Root cause analysis — Evidence that causes were investigated, not just symptoms addressed
- Corrective action records — Documented actions taken, with assigned owners, deadlines and completion evidence
- Effectiveness reviews — Evidence that corrective actions were followed up to verify they worked
- PIMS changes — Records of changes made to the management system as a result of lessons learned
- Improvement evidence — Demonstrable improvements over time, such as declining incident rates, faster response times or improved audit results
Incident-driven improvements connect to A.3.11 Incident Management in the shared controls.
Related clauses
| Clause | Relationship |
|---|---|
| Clause 6: Planning | Corrective actions may lead to updates to the risk assessment or treatment plan |
| Clause 8: Operation | Operational nonconformities are a primary source of corrective action inputs |
| Clause 9: Performance Evaluation | Audit findings and management review outputs drive both corrective actions and improvements |
See also Clause 4 (Context), Clause 5 (Leadership) and Clause 7 (Support).
Why choose ISMS.online for Clause 10 compliance?
ISMS.online provides the tools to drive continual improvement in your PIMS:
- Nonconformity management — Log, categorise and track nonconformities from any source with root cause analysis templates
- Corrective action workflows — Assign actions to owners with deadlines, track progress and schedule effectiveness reviews
- Trend analysis — Visualise nonconformity and incident trends over time to identify systemic issues
- Improvement register — Capture and prioritise improvement opportunities from all sources with implementation tracking
- Audit integration — Automatically link audit findings to corrective actions and track through to closure and verification
FAQs
What is the difference between a nonconformity and an observation?
A nonconformity is a failure to meet a requirement of the standard, a legal obligation or the organisation’s own PIMS requirements. It requires corrective action. An observation (sometimes called an “opportunity for improvement”) is a finding that does not constitute a failure but highlights an area where the PIMS could be strengthened. Observations do not require formal corrective action but should be considered as improvement inputs.
How do you demonstrate continual improvement to auditors?
Through objective evidence that the PIMS is getting better over time. This can include declining nonconformity rates, improved privacy metrics, faster incident response times, more mature risk management processes, enhanced controls, updated policies reflecting lessons learned, and completed improvement initiatives. Auditors are looking for a systematic approach, not perfection.
Must every nonconformity result in a corrective action?
Every nonconformity must be reacted to (controlled and corrected), but the standard says the organisation should “evaluate the need” for action to eliminate the cause. In practice, most nonconformities warrant corrective action, but there may be cases where the immediate correction is sufficient and the likelihood of recurrence is negligible. The evaluation must be documented either way.