If your organisation decides what personal data to collect, why it is collected, and how it is used, you are a PII controller under ISO 27701. The defining characteristic of a controller is accountability — you made the decisions that created the privacy obligations, so you are accountable to individuals and regulators alike. ISO 27701 Annex B translates that accountability into specific operational controls.
What Makes the Controller Role Distinct
As a controller, you made the fundamental decisions — what data to collect, for what purpose, under which legal basis, with whom to share it. Annex B controls exist because of these decisions. Processor controls (Annex C) do not include legal basis documentation, consent management, or privacy notices — because processors do not make those decisions.
Establishing and Documenting the Legal Basis
Every processing activity in your RoPA must have a documented legal basis drawn from the applicable regulation. Where legitimate interests is used under GDPR, a Legitimate Interests Assessment (LIA) must be documented.
Many organisations complete their RoPA but leave the legal basis column as a formality, defaulting to "legitimate interests" without documentation. Auditors look for the reasoning, not just the label. For legitimate interests processing, the LIA is not optional — it is the evidence.
The Record of Processing Activities — Your Central Privacy Document
The RoPA is the most important single document a controller maintains. It is simultaneously a regulatory requirement, an audit artefact, a data governance tool, and the foundation on which most other privacy controls are built.
| RoPA Field | What to Document |
|---|---|
| Processing Activity | Clear functional description — e.g. "Customer account registration and authentication" |
| Purpose | Specific stated reason. Not vague like "business purposes" |
| Legal Basis | Applicable basis under GDPR / DPDP, with LIA reference where needed |
| Data Subjects | Customers, employees, prospects, website visitors, etc. |
| Categories of PII | Specific types: name, email, IP address, payment details, health data |
| Recipients | Internal teams and external parties, including processors and cross-border transfers |
| Retention Period | How long, or the criteria for determining deletion/anonymisation |
| Security Measures | Reference to technical and organisational controls applied |
| Transfer Mechanism | For cross-border: adequacy, SCCs, BCRs, or other approved mechanism |
Assign a named RoPA owner and define update triggers: new product features, new vendors, changes to processing purposes, regulatory changes. Quarterly reviews are the minimum.
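The legal-basis rule above (a documented basis, with an LIA reference whenever legitimate interests is claimed) and the RoPA fields in the table can be checked mechanically. The following is an added example, not code from the article or from ISO 27701; the field names, the vague-purpose list and the sample rows are constructed, and the basis labels follow GDPR Art. 6(1).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example, not from ISO 27701 or this article; basis labels follow GDPR Art. 6(1)
LEGAL_BASES = {"consent", "contract", "legal obligation", "vital interests",
               "public task", "legitimate interests"}
VAGUE_PURPOSES = {"business purposes", "various purposes", "as required"}
REVIEW_INTERVAL = timedelta(days=91)  # quarterly review is the stated minimum
AUDIT_DATE = date(2024, 4, 1)         # constructed "today" for the sample run
@dataclass
class RopaEntry:                      # one row of the RoPA table
    activity: str
    purpose: str
    legal_basis: str
    retention_period: str
    last_reviewed: date
    lia_reference: str = ""           # required when legal_basis is legitimate interests
    cross_border: bool = False
    transfer_mechanism: str = ""      # adequacy, SCCs or BCRs when cross_border is True

def check_entry(entry: RopaEntry, today: date) -> list:
    # Audit findings for one row; an empty list means the row is complete
    findings = []
    if entry.purpose.strip().lower() in VAGUE_PURPOSES:
        findings.append("purpose is not specific")
    if entry.legal_basis not in LEGAL_BASES:
        findings.append(f"unknown legal basis '{entry.legal_basis}'")
    elif entry.legal_basis == "legitimate interests" and not entry.lia_reference:
        findings.append("legitimate interests claimed without an LIA reference")
    if not entry.retention_period:
        findings.append("retention period missing")
    if entry.cross_border and not entry.transfer_mechanism:
        findings.append("cross-border transfer without a transfer mechanism")
    if today - entry.last_reviewed > REVIEW_INTERVAL:
        findings.append("review overdue (quarterly minimum)")
    return findings

def check_ropa(entries, today: date) -> dict:
    # Map each non-compliant activity to its findings; compliant rows are omitted
    report = {e.activity: check_entry(e, today) for e in entries}
    return {k: v for k, v in report.items() if v}
# Constructed sample rows: the first is complete, the second shows the usual failure modes
SAMPLE_ROPA = [
    RopaEntry("Customer account registration", "Create and authenticate customer accounts",
              "contract", "Account lifetime + 2 years", date(2024, 3, 1)),
    RopaEntry("Marketing analytics", "business purposes", "legitimate interests",
              "", date(2023, 10, 1), cross_border=True),
]
```

Running `check_ropa(SAMPLE_ROPA, AUDIT_DATE)` reports only the second row, which carries exactly the gaps an auditor would raise: a label with no reasoning behind it.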
Consent Management — The Full Lifecycle
Where consent is your legal basis, implement mechanisms covering the full lifecycle: obtaining valid consent (no pre-ticked boxes, no bundled consent); recording what the user was told, when and how they consented, and which processing activities the consent covers; and making withdrawal as easy as giving consent, with the withdrawal path tested and documented. For DPDP Act compliance, consent notices must be available in the individual's preferred language.
Privacy Notices — Transparency as Operational Obligation
Privacy notices must cover: controller identity and DPO contact, purposes and legal basis for each processing activity, legitimate interests pursued, categories of PII, recipients, international transfers, retention periods, individual rights, and right to lodge a complaint. Maintain version history with effective dates — any change to processing must be reflected in an updated notice.
Data Subject Rights — Building Operational Processes
| Right | Process Must Cover | Audit Evidence |
|---|---|---|
| Access | Intake, ID verification, retrieval across all systems | Request log, response record, data copy |
| Rectification | Verification of inaccuracy, update across all systems | Before/after record, confirmation sent |
| Erasure | Legal basis check, deletion across systems + processors | Deletion confirmation, processor notifications |
| Portability | Export in JSON/CSV, delivery to individual or nominated controller | Export file, delivery confirmation |
| Nomination (DPDP) | Nomination form, ID verification, activation on death/incapacity | Nomination register, process documentation |
GDPR requires response within one calendar month. DPDP timelines will be specified in rules — build for 30 days as the safe default. Every request must be logged with date received, actions taken, and date of response.
Data Minimisation and Purpose Limitation
Every data field collected must have a documented justification. Forms, APIs, and product onboarding flows must be reviewed. Analytics and logging configurations must be audited. Personal data collected for one purpose must not be used for a different purpose without fresh legal basis and, where required, fresh consent.
Retention Schedules and Secure Deletion
Define retention periods at the category level. Each period must be justified by reference to the processing purpose, legal retention obligations (tax records, employment, financial), and minimum time needed. Technical enforcement is expected — automated deletion jobs, data lifecycle policies, or documented manual review with execution evidence. Soft deletes that flag records as inactive are not compliant.
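An added example of the technical enforcement described above, not code from the article: a category-level schedule with its justification, a job that physically deletes expired records and emits execution evidence, and an audit check that catches the non-compliant pattern of records merely flagged inactive while still holding PII. Categories, periods and records are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed schedule, not from the article: period per PII category plus the justification
RETENTION_SCHEDULE = {
    "marketing_contact": (timedelta(days=730), "consent-based marketing; 2 years after last interaction"),
    "invoice": (timedelta(days=7 * 365), "legal obligation: tax record retention"),
    "support_ticket": (timedelta(days=365), "purpose fulfilled; 1 year for dispute handling"),
}
JOB_DATE = date(2024, 4, 1)  # constructed run date for the sample

@dataclass
class Record:
    record_id: str
    category: str
    last_activity: date      # start of the retention clock
    pii: dict
    inactive: bool = False   # soft-delete flag: the PII is still there, so this is not deletion

def expired(rec: Record, today: date) -> bool:
    return today - rec.last_activity > RETENTION_SCHEDULE[rec.category][0]

def run_retention_job(store: dict, today: date) -> list:
    # Physically remove expired records and return one evidence line per action
    evidence = []
    for rid, rec in list(store.items()):
        if expired(rec, today):
            del store[rid]   # hard delete: no copy of the PII remains in the store
            rule = RETENTION_SCHEDULE[rec.category][1]
            evidence.append(f"{today.isoformat()} DELETED {rid} category={rec.category} rule={rule}")
    return evidence

def audit_soft_deletes(store: dict, today: date) -> list:
    # Records past retention that are only flagged inactive but still hold PII
    return [rid for rid, rec in store.items() if rec.inactive and rec.pii and expired(rec, today)]

def sample_store() -> dict:
    # Constructed records: r1 and r4 are past retention; r4 was merely soft-deleted
    return {
        "r1": Record("r1", "marketing_contact", date(2021, 1, 15), {"email": "a@example.com"}),
        "r2": Record("r2", "invoice", date(2021, 1, 15), {"name": "A. Person"}),
        "r3": Record("r3", "support_ticket", date(2024, 1, 10), {"email": "b@example.com"}),
        "r4": Record("r4", "support_ticket", date(2022, 6, 1), {"email": "c@example.com"}, inactive=True),
    }
```

The evidence lines are what an auditor asks for: each one ties a deletion to the category rule that justified it, and the soft-delete audit returns an empty list only once the job has actually run.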
Data Protection Impact Assessments — DPIAs
For high-risk processing activities, a DPIA must be conducted before processing begins. Required scenarios include: systematic profiling, large-scale special category data, systematic monitoring of public areas, and new technologies with novel privacy risks. A DPIA must contain: description of the processing, necessity and proportionality assessment, risk assessment, and mitigation measures. DPIAs must be reviewed when processing changes materially.
Managing Third-Party Processors — The Accountability Chain
Before engaging a processor, conduct privacy due diligence — review certifications, sub-processor notification processes, breach notification procedures, and end-of-contract data handling. A Data Processing Agreement (DPA) must be in place with every processor specifying: subject matter, duration, data types, controller rights, processor instructions, confidentiality, sub-processor obligations, and data return/destruction at contract end. Maintain a processor register with last security review date.
Privacy by Design — Embedding Controls at Product Level
New features undergo a privacy review during design — not at launch. Privacy controls are documented in feature specifications. Default settings are privacy-protective. Unnecessary fields are eliminated at design time. Access to personal data is restricted by role. Auditors expect: privacy review checklists for new features, DPIA records for high-risk features, and product specs demonstrating minimisation decisions were made at design time.
Frequently Asked Questions
What is the single most important document a controller maintains?
The Record of Processing Activities (RoPA). It is simultaneously a regulatory requirement, audit artefact, data governance tool, and the foundation for most other privacy controls. It must document every processing activity with its purpose, legal basis, data categories, retention periods, recipients, and security measures.
Is documented policy on its own enough to pass certification?
No. Every control area requires three things: documented policies, technical implementation, and evidence that both are working in practice. A comprehensive policy library with no operational evidence will not pass a Stage 2 certification audit.
How often should the RoPA be reviewed?
Quarterly reviews are the minimum. For fast-moving SaaS organisations, monthly or sprint-level reviews are more appropriate. Define triggers that require updates: new product features, new vendors, changes to processing purposes, organisational changes, and regulatory changes.
How do Annex B and Annex C differ?
Annex B contains controller-specific controls: legal basis documentation, consent management, privacy notices, data subject rights processes, DPIAs, and purpose limitation. Annex C contains processor-specific controls: acting on controller instructions, sub-processor management, breach notification to controllers, and assisting with data subject rights requests.
Is a DPIA required for every processing activity?
No. DPIAs are required only for processing activities likely to result in high risk to individuals. This includes systematic profiling, large-scale special category data processing, systematic monitoring of public areas, and new technologies with novel privacy risks. However, maintaining a defined DPIA process is required for all controllers — the capability must exist even if not every activity triggers a full DPIA.