ISO/IEC 27701 and GDPR: How do they relate?
Published on March 13, 2026
If your organization processes personal data and operates in — or sells to — the European market, you are almost certainly familiar with the GDPR. You may also have encountered ISO/IEC 27701, the international standard for Privacy Information Management Systems. And you have probably wondered: are these two things related? Do they overlap? Does implementing one help with the other?
The short answer is yes — they are closely related, but they are not the same thing. Understanding the distinction, and the connection, is essential for any privacy professional or auditor working in this space.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a legal regulation enacted by the European Union, applicable since May 2018. It sets binding obligations on how organizations must collect, store, process, and protect the personal data of individuals in the EU and European Economic Area. Non-compliance carries significant penalties — up to 4% of global annual turnover or €20 million, whichever is higher.
The GDPR is a law. It tells you what you must do — but it largely leaves it to you to figure out how.
What is ISO/IEC 27701?
ISO/IEC 27701 is an international standard published by ISO that specifies requirements and provides guidance for establishing, implementing, maintaining, and improving a Privacy Information Management System (PIMS). It was first published in 2019 and updated in October 2025.
ISO/IEC 27701 was originally published as a privacy extension to ISO/IEC 27001 — the widely adopted information security management standard. This changed with the 2025 edition, which can also be implemented as a standalone standard, without requiring ISO/IEC 27001 certification as a prerequisite.
Unlike the GDPR, ISO/IEC 27701 is a voluntary framework. It tells you how to build a structured, auditable privacy management system — which can then be used as evidence of compliance with legal requirements like the GDPR.
The relationship between ISO/IEC 27701 and GDPR
The relationship is best understood this way: the GDPR defines the destination, and ISO/IEC 27701 provides a structured road to get there.
ISO/IEC 27701 was specifically designed with GDPR alignment in mind. The standard includes a dedicated annex that maps its controls directly to GDPR articles. This mapping shows how implementing specific PIMS controls supports compliance with corresponding GDPR obligations.
For example, GDPR requires that personal data be collected for specified, explicit, and legitimate purposes. ISO/IEC 27701 addresses this through controls that require organizations to identify and document the purpose of personal data processing. GDPR requires that processors act only on documented instructions from controllers — ISO/IEC 27701 has specific controls for exactly this relationship.
In the 2025 edition, this mapping has been revised and expanded to more explicitly illustrate how ISO/IEC 27701 can serve as a certification framework for demonstrating compliance with global privacy regulations — including the GDPR, the UK Data Protection Act 2018, and the California Consumer Privacy Act (CCPA).
What ISO/IEC 27701 covers that supports GDPR compliance
Implementing ISO/IEC 27701 puts in place many of the governance structures and controls that GDPR requires organizations to demonstrate. These include:
- Privacy governance and accountability. The standard requires top management commitment to privacy, defined roles and responsibilities, and documented privacy objectives — directly supporting GDPR's accountability principle.
- Data subject rights. ISO/IEC 27701 includes controls for supporting individuals' rights to access, rectify, erase, and restrict processing of their personal data — all core GDPR requirements.
- Controller and processor obligations. The standard distinguishes between PII controllers and PII processors — mirroring the GDPR distinction — and provides specific controls for each role.
- Privacy by design and by default. Controls require organizations to embed privacy considerations into processes and systems from the outset, aligning with GDPR.
- Risk management and privacy impact assessments. The standard requires a risk-based approach to privacy, including privacy impact assessments — directly supporting the GDPR requirement for Data Protection Impact Assessments (DPIAs).
- Third-party management. Controls address how organizations manage their relationships with data processors and sub-processors, supporting GDPR Article 28 requirements.
An important distinction: certification is not the same as legal compliance
This is a critical point that is frequently misunderstood: ISO/IEC 27701 certification does not guarantee GDPR compliance, and it does not replace the legal obligations imposed by the regulation.
The GDPR has specific legal requirements — data breach notification timelines, data subject rights procedures, cross-border transfer mechanisms — that go beyond what any management system standard can certify. Organizations must still address these legal obligations directly, typically with input from legal counsel or a qualified Data Protection Officer.
What ISO/IEC 27701 certification does provide is structured, auditable evidence that your organization has implemented systematic privacy governance. For regulators, clients, and business partners, this is increasingly valuable — it demonstrates that privacy is embedded into operations, not just documented in a policy.
Why privacy professionals need to understand both
For professionals working in privacy, data protection, or information security, understanding the interplay between ISO/IEC 27701 and the GDPR is a core competency. Organizations are no longer satisfied with vague assurances about privacy — they want auditable evidence, structured frameworks, and certified competence.
Whether you work as a Data Protection Officer, a privacy consultant, an internal auditor, or a compliance manager, being able to navigate both the legal landscape of GDPR and the technical framework of ISO/IEC 27701 puts you in a significantly stronger professional position.
Certifying your knowledge of ISO/IEC 27701 — as a Practitioner or as an Auditor — is one concrete way to demonstrate this competence to employers and clients.
Frequently asked questions
Does ISO/IEC 27701 replace the need to comply with GDPR?
No. ISO/IEC 27701 is a voluntary management system standard. The GDPR is a binding legal regulation. Implementing ISO/IEC 27701 supports GDPR compliance by providing a structured framework, but it does not substitute for the legal obligations that the regulation imposes.
Does ISO/IEC 27701:2025 still require ISO/IEC 27001 certification?
With the 2025 edition, ISO/IEC 27701 can now be implemented and certified as a standalone standard, without ISO/IEC 27001 certification as a prerequisite. Organizations that already hold ISO/IEC 27001 can still integrate both standards and benefit from the alignment between them.
Does ISO/IEC 27701 apply only to European organizations?
No. ISO/IEC 27701 is an international standard applicable to any organization that processes personal data, regardless of location.
Is there a personal certification for ISO/IEC 27701?
Yes. Professionals can certify their knowledge of ISO/IEC 27701 as a PIMS Practitioner — demonstrating competence in implementing a privacy information management system — or as a PIMS Auditor — demonstrating competence in auditing a PIMS for conformity with the standard. Both certifications are available online at RIGCERT Education.
Prove your knowledge of ISO/IEC 27701
Understanding the relationship between ISO/IEC 27701 and GDPR is key for privacy professionals. If you want to formalize and demonstrate that understanding, RIGCERT offers online certification for both ISO/IEC 27701 Practitioners and Auditors — study at your own pace, take the exam online, receive your certificate.
Explore our PIMS Practitioner certification and PIMS Auditor certification.