What It Is

The General Data Protection Regulation (GDPR), or Regulation (EU) 2016/679, is a binding EU regulation directly applicable since May 25, 2018. It protects personal data of EU individuals, applying extraterritorially to any global entity processing such data. GDPR uses a risk-based accountability approach, replacing the fragmented 1995 Directive.

Key Components

• **Seven core principleslawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity/confidentiality, accountability.
• **Data subject rightsaccess, rectification, erasure ("right to be forgotten"), portability, objection.
• Obligations include DPIAs, DPO appointment, 72-hour breach notifications, Records of Processing Activities.
• One-stop-shop enforcement; fines up to €20M or 4% global turnover.

Why Organizations Use It

• Mandatory compliance avoids severe penalties and legal risks.
• Builds stakeholder trust, enhances reputation as privacy leader.
• Manages data risks amid global operations; sets benchmark influencing laws like LGPD, CCPA.

Implementation Overview

• Map processes, appoint DPO, conduct DPIAs, train staff, update contracts.
• Applies universally to controllers/processors handling EU data.
• No formal certification; requires ongoing audits, demonstrations of compliance.

What It Is

ISO/IEC 27701:2025 is the international standard for establishing, implementing, and improving a Privacy Information Management System (PIMS). It extends ISO/IEC 27001's ISMS to address privacy risks in processing personally identifiable information (PII) for controllers and processors. The standard uses a risk-based PDCA cycle for governance and control implementation.

Key Components

• Clauses 4–10: Management system extensions for context, leadership, planning, operation, evaluation, improvement.
• **Annex A37 controls for PII controllers (e.g., lawful basis, DSARs, retention).
• **Annex B24 controls for PII processors (e.g., contracts, sub-processors).
• Mappings to GDPR (Annex D), ISO 27002; certification via accredited audits, 3-year cycle with surveillance.

Why Organizations Use It

• Aligns with GDPR/POPIA/LGPD for compliance evidence.
• Manages privacy risks, reduces fines/breaches.
• Builds trust in supply chains/procurement.
• Enables competitive differentiation via certification.

Implementation Overview

Phased: gap analysis, risk assessment, controls, audits. Suits all PII-processing orgs; 6–12 months typical with ISMS. Requires leadership, RoPA, training, internal audits.