Bridging Privacy and Information Security: The Role of Privacy Professionals in ISO 27701 Compliance

Written by Victoria Maria Cura Rodriguez and John Clayton

April 9, 2025


The Growing Intersection of Privacy and Information Security

In today’s digital world, trust is everything as organisations handle vast amounts of personal data. While legal compliance remains essential, robust cybersecurity measures are equally important. Information security and privacy, once viewed as separate issues, are now converging due to stricter laws such as GDPR, and due to an increase in data breaches.

Additionally, the EU is introducing new regulatory frameworks such as NIS2 and DORA, which add another compliance dimension to cybersecurity. Many organisations that previously saw cybersecurity as an IT-only task must now address it from a regulatory perspective. In contrast, privacy and regulatory compliance have long been intertwined due to GDPR and other data protection laws. This shift highlights the growing need for organisations to integrate privacy and security practices.

To illustrate this convergence, data breaches increasingly expose personally identifiable information (PII), with a sharp rise in attacks exploiting vulnerabilities as entry points. According to the Verizon 2024 Data Breach Investigations Report, such incidents have nearly tripled over the past year, driven by zero-day threats like MOVEit and frequently leveraged by ransomware and extortion actors. This shift highlights that information security is not just about defense but also about ensuring compliance with privacy regulations. As these fields converge, a key question arises: Are privacy and security professionals still working in silos?

Why Privacy Professionals Must Understand Information Security

While privacy professionals focus on compliance, contemporary data protection laws increasingly require technical and organisational solutions. Regulations such as GDPR demand "appropriate security" but leave the specifics up to the organisations.

ISO 27701 offers a standardised approach to address privacy risks within an information security framework. It extends ISO 27001, which emphasises confidentiality, integrity, and availability (CIA), by incorporating privacy-specific principles such as:

• Data minimisation

• Purpose limitation

• Lawful data processing

For privacy professionals, understanding how these security principles support privacy objectives is crucial for risk management, compliance, and maintaining trust.

The Importance of ISO 27701 Certification

With rising scrutiny on data protection practices, businesses are under pressure to demonstrate transparency and accountability. ISO 27701 certification provides a globally recognised benchmark for strong privacy practices.

For companies already ISO 27001 certified, ISO 27701 is a natural extension. It is particularly crucial for sectors handling sensitive data, including:

• Healthcare (e.g., patient records and medical data)

• Finance (e.g., banking transactions and customer PII)

• Technology (e.g., cloud services and digital platforms)

Before pursuing certification, organisations should define their objectives - whether to meet legal obligations or achieve full compliance - to ensure a streamlined process.

Common Challenges in ISO 27701 Implementation

Implementing ISO 27701 comes with challenges, including:

1. Aligning Security and Privacy Mindsets

a. Security teams prioritise risk reduction, while privacy teams focus on compliance, requiring cross-functional cooperation.

2. Resource Allocation

a. Implementing a Privacy Information Management System (PIMS) requires investments in technology, processes, and talent, which are often underestimated.
b. This is typically a management issue, as privacy and security initiatives are sometimes viewed as costs rather than business enablers.

3. Cross-Border Data Transfers

a. ISO 27701 provides a framework for managing personal data across borders.
b. However, aligning with different laws (e.g., China’s PIPL vs. EU’s GDPR) can be complex.

4. Scope and Controls

a. Businesses must decide whether to implement ISO 27701 across all operations or just in departments handling personal data.

Strong leadership and a structured approach are key to overcoming the above challenges and ensuring ongoing compliance.

Best Practices for Successful ISO 27701 Adoption

To successfully integrate ISO 27701, organisations should:

1. Educate Security and Privacy Teams Together

a. Break down silos by holding joint training sessions to foster collaboration.

2. Evaluate Current Procedures

a. For organisations already ISO 27001 certified, assess how many existing security practices align with ISO 27701.

3. Get Leadership Support

a. Ensure senior management treats security and privacy as strategic priorities.
b. How to achieve this?
  i. Align security and privacy requirements with existing business strategies.
  ii. Improve reporting on information security and privacy risks/benefits at the executive level.

4. Adopt a Risk-Based Strategy

a. Tailor ISO 27701 controls based on risk assessments and operational needs.

5. Leverage Technology

a. Automate compliance tasks to streamline implementation and reduce errors.

6. Monitor and Improve Continuously

a. Compliance is an ongoing effort, requiring regular audits and updates to address evolving threats and regulations.

Looking Ahead: The Future of Privacy and Information Security

As cyber threats become more sophisticated and regulations tighten, privacy professionals must embrace information security. The future of data protection will be defined by organisations that can integrate privacy and security effectively.

By adopting frameworks like ISO 27701, companies will not only comply with regulations but also lead in building sustainable, trustworthy privacy strategies.

The convergence of privacy and security is not just a trend - it is the future of responsible corporate practices.

References

• ISO/IEC 27001:2022 – Information Security Management Systems

• ISO/IEC 27701:2019 – Privacy Information Management Systems

• General Data Protection Regulation (GDPR)

• China’s Personal Information Protection Law (PIPL)

• Directive (EU) 2022/2555 (NIS2 Directive)

• Regulation (EU) 2022/2554 (DORA)

• Verizon 2024 Data Breach Investigations Report

This article was written by:

Victoria Maria Cura Rodriguez, Consultant, Digital Risk, KPMG

John Clayton, Senior Manager, Digital Risk, KPMG