ISO 27701:2019 · Annex D
ISO 27701 & the GDPR
ISO 27701 was designed to align with the GDPR. Its Annex D maps each control to specific articles, so a Privacy Information Management System gives you much of the accountability evidence the regulation expects — without a bespoke audit each time.
Certification is evidence of alignment, not a legal ruling that you are GDPR compliant.
ISO/IEC 27701:2019 Annex D · EU GDPR · Last reviewed June 2026
How the mapping works
Annex D of ISO 27701 sets out a clause-by-clause correspondence between the standard’s requirements and the articles of the GDPR. Where the regulation states an obligation, the annex points to the PIMS control that operationalises it — so the work you do to satisfy ISO 27701 is the same work that evidences GDPR accountability. It does not replace legal advice, but it gives you a certified, repeatable system rather than a one-off compliance exercise.
GDPR obligations a PIMS supports
Lawful basis & consent
PIMS controls require you to identify and document a lawful basis for each processing activity and to manage consent — directly supporting GDPR Articles 6 and 7.
Data subject rights
Controls for access, correction, erasure, and objection give you a repeatable way to handle the rights of PII principals (the standard's term for data subjects) set out in GDPR Articles 12–22.
Records of processing
A PIMS maintains records of processing activities — the Article 30 documentation regulators ask for first in an enquiry.
Privacy by design & default
Data minimisation, purpose limitation, retention, and secure disposal controls operationalise GDPR Article 25.
Breach response
The underlying ISO 27001 incident process, extended for privacy, supports the breach-notification duties in GDPR Articles 33 and 34.
International transfers
Controls for the basis, recording, and disclosure of cross-border PII transfers map to the Chapter V transfer requirements.
Certification ≠ a legal compliance ruling
ISO 27701 certification is third-party assurance that your privacy management system aligns with the GDPR. It is powerful evidence of accountability, but only a supervisory authority or court can make a binding determination of GDPR compliance. Treat the certificate as the operational backbone of your compliance — not a substitute for legal review.
Frequently Asked Questions
Common questions about ISO 27701 and the GDPR.
Does ISO 27701 cover the GDPR?
ISO 27701 was written to align with the GDPR. Annex D of the standard provides a clause-by-clause mapping between its controls and specific GDPR articles, so implementing a PIMS produces much of the operational evidence the regulation expects.
Is ISO 27701 certification the same as being GDPR compliant?
No. GDPR compliance is a legal status that only a supervisory authority or court can ultimately determine. ISO 27701 certification is independent assurance that you operate a privacy management system aligned with the regulation — strong evidence of accountability, but not a legal ruling.
We already process EU data. Why add ISO 27701?
A certificate gives customers and regulators third-party assurance without a bespoke audit each time. It turns "we follow the GDPR" into something an external body has verified, which shortens vendor security reviews and supports Article 5(2) accountability.
Does ISO 27701 also help with India’s DPDP Act?
Yes. Although Annex D maps to the GDPR, the same PIMS controls — lawful processing, principal rights, records, and breach handling — map closely to the duties in India’s DPDP Act, so one programme supports both regimes.
Continue your ISO 27701 research
- The ISO 27701 PIMS framework — structure, clauses, and how it extends ISO 27001.
- India’s DPDP Act — how the same PIMS controls support Indian data-protection duties.
- ISO 27701 hub — PIMS overview, controls, and certification in one place.