Are you complying with the ISO 27701 privacy information management system?

In today’s ever-evolving digital environment, more and more consumers entrust their personal data to corporations resulting in the escalation of threats like cybercrime and information theft. According to Check Point Research (CPR), there are 40% more cyberattacks weekly on organizations in 2021 than in 2020. And the cost is staggering. Cybersecurity Ventures predicts global cybercrime costs will grow by 15% per year over the next five years, reaching USD 10.5 trillion annually by 2025, up from USD 3 trillion in 2015. Further, data breach costs rose from USD 3.86 million to USD 4.24 million, the highest average total cost in the 17-year history of IBM’s data breach report.


To prevent data from falling into the wrong hands, companies must comply with data privacy regulations to safeguard sensitive information and data collection from customers. However, the cybersecurity standards put into law 20 years ago are no longer sufficient to protect the information of businesses and customers that interact online. With a more extensive database, the consequences of a breach for parties at both ends are certainly graver.

ISO 27701 Privacy Information Management System

Many countries have already implemented stringent laws and regulations that strengthen data security. In fact, several have passed legislation that regulates how organizations can collect data from their customers and sets certain privacy standards to safeguard that data. One regulation that has become integral in the European Union (EU) is the General Data Protection Regulation (GDPR).

Taking effect on May 25, 2018, the GDPR is the toughest data compliance regulation globally, designed to protect customer data in the new digital environment. A set of rules that focuses on enhancing privacy protection for EU citizens, the GDPR regulates how organizations can collect data and imposes limits on what these organizations can do with this data. It also addresses the transfer of personal data outside the EU and the European Economic Area (EEA).

Advancing the Privacy Imperative

Other countries have also introduced privacy regulations since the rollout of the GDPR and update these regulations occasionally to ensure the security of customers’ personal information. The latest update in the international standard for privacy and information management is the ISO 27701 Privacy Information Management System, or  ISO 27701, an extension of ISO 27001. Whereas the ISO 27001 standard focuses on creating and maintaining an Information Security Management System (ISMS), ISO 27701 expands on the existing ISO 27001, broadening the ISMS to include a Privacy Information Management System (PIMS). It provides guidance for organizations looking to implement systems to support compliance with GDPR and other data privacy requirements.

Since the specific personal data protection controls of ISO 27701 are very much based on GDPR requirements and principles, as well as standards from countries around the world. To date, fewer than 65 companies have achieved these strict, global standards and have satisfied the in-depth audit across all countries and operations.

The Silver Bullet for GDPR Compliance

The UK Data Protection Act (DPA) 2018 and UK General Data Protection Regulation (GDPR), as well as the EU GDPR (following Brexit, there are now two GDPRs: the EU GDPR and the UK GDPR), require organizations to take measures to ensure the privacy of any personal data that they process. However, none of these laws provides specific guidance on what measures should be taken to ensure compliance with their requirements. Thus, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) developed ISO 27701 in August 2019 to provide the framework for assisting, guiding, and demonstrating compliance with the DPA, GDPR, and similar laws and regulations.

Organizations that implement the ISO 27701 Privacy Information Management System and ISO 27001 can meet the privacy and information security requirements of the GDPR and other data protection regimes. At the same time, they can demonstrate effective data privacy management, in line with the GDPR’s accountability principle. Although data protection certification mechanisms and data protection seals and marks are discussed in Article 42 of the GDPR, no such mechanisms currently exist. So, by achieving independently accredited certification to ISO 27001 — and by extension ISO 27701 — organizations can prove to stakeholders and regulators that they follow best practices in securing personal data and personally identifiable information.

Read our latest white paper to learn more about the privacy imperative and how Teleperformance accelerates accountability and safeguards trust in an increasingly digital world, elevated by our security outsourcing services.