When organisations think about privacy compliance, the spotlight falls on data controllers. But behind every controller stands a network of third-party vendors who handle data on the controller's behalf. These are data processors — and under modern privacy frameworks, they carry direct, legally enforceable obligations. ISO 27701 provides processors with a structured, internationally recognised framework to demonstrate responsible data handling.
Controller vs Processor — Understanding Your Role
| Aspect | Data Controller | Data Processor |
|---|---|---|
| Definition | Determines purpose and means of processing | Processes data on behalf of the controller |
| Decision-making | Decides why data is collected | Follows controller instructions |
| Legal basis | Must identify and document legal basis | Relies on the controller's legal basis |
| Data subject rights | Directly responsible to data subjects | Supports controller in fulfilling rights |
| GDPR liability | Primary liability for processing | Direct liability for processor obligations |
| Examples | Retailer, bank, hospital, employer | Cloud provider, payroll firm, email platform |
| ISO 27701 clauses | Clauses 7 and 8 (controller sections) | Clauses 7 and 9 (processor sections) |
If you process personal data according to your own purposes — even if you originally received the data from a client — you may be acting as a controller (or joint controller) for that processing. Always assess your actual role for each data processing activity.
How ISO 27701 Applies to Processors
For processors, the relevant requirements span: Clause 5 (PIMS-specific ISMS adaptations), Clause 6 (PIMS-specific ISO 27002 guidance), Clause 7.1 (shared requirements for controllers and processors), and Clause 9 (processor-specific operational controls). Processors are not required to implement Clause 8 (controller-specific controls) but must support controllers in fulfilling those obligations.
Clause 9 — Processor-Specific Controls
9.1 — Conditions for Collection and Processing
Every processing activity must be covered by a valid, documented instruction from the controller. Before beginning any processing, a Data Processing Agreement (DPA) must be in place covering: subject matter, duration, data types, categories of data subjects, controller obligations and rights, instructions scope, confidentiality, security measures, sub-processing restrictions, assistance with data subject rights, data deletion/return at contract end, and audit rights.
Processing personal data outside the scope of written controller instructions — even for seemingly benign purposes — constitutes a serious compliance violation. Processors that use client data for their own analytics, product improvement, or marketing without explicit authorisation may be acting as controllers and face direct regulatory liability.
9.2 — Obligations to Data Subjects
When a data subject contacts a processor directly (e.g., submitting an access request to a payroll provider), the processor must: promptly notify the relevant controller (within 1-2 business days), not respond directly unless the controller has authorised this, maintain a log of all requests received, and provide technical assistance to fulfil the request.
9.3 — Privacy by Design for Processors
Processors that build products or services used to process personal data must apply Privacy by Design: privacy requirements from the earliest design stages, data minimisation in system architecture, pseudonymisation and encryption by default, privacy-protective default settings, and documentation of privacy design decisions.
Sub-Processor Management (Clause 9.5)
Before engaging a sub-processor, the processor must: obtain specific or general written authorisation from the controller, notify the controller of any intended changes (allowing time to object), impose equivalent privacy obligations through a written contract, and conduct documented due diligence assessing security posture, certifications, data residency, breach procedures, and audit rights.
Under GDPR Article 28(4), the processor remains fully liable to the controller for the sub-processor's performance. Appointing a sub-processor does not transfer or reduce the processor's responsibility. This makes robust sub-processor due diligence and contractual controls essential.
Breach Notification — Processor Obligations (Clause 9.4)
| Stage | Processor Action | Timeframe |
|---|---|---|
| Initial Discovery | Notify controller with preliminary details | Within 24 hours |
| Ongoing Investigation | Provide progress updates to controller | Every 24-48 hours |
| Root Cause Identified | Full technical and forensic report | Within 72 hours of discovery |
| Remediation Complete | Confirm containment and corrective actions | Within agreed DPA timeframe |
| Post-Incident Review | Share lessons learned and improvements | Within 30 days |
Privacy by Design — For SaaS and Cloud Providers
For SaaS and cloud service providers, Clause 9.3 has significant product development implications. Configuration defaults, data retention settings, logging behaviours, and API access controls all fall within scope. This aligns with GDPR Article 25 — embedding privacy into your SDLC through impact checkpoints, design reviews, and developer training is the most efficient way to meet this obligation at scale.
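The privacy-protective defaults, pseudonymisation and retention settings that Clause 9.3 (above) and this paragraph call for, as an added example that is not part of the original guide: a per-tenant configuration whose defaults are the privacy-protective choice, keyed pseudonymisation that keeps two controllers' data sets unjoinable, a retention check over stored timestamps, and a design-review function that flags weak settings. The tenant keys, the 90-day review threshold, and all field and function names are constructed assumptions, not values from the standard.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class TenantPrivacyConfig:
    """Per-controller (tenant) settings. Each default is the privacy-protective
    choice, so a controller who never opens the settings page still gets it."""
    retention_days: int = 30            # shortest workable window, not "forever"
    log_subject_ids: bool = False       # raw identifiers never reach logs
    pseudonymise_exports: bool = True   # analytics exports carry pseudonyms only
    api_scopes: tuple = ("read:own",)   # least privilege; wider scopes are opt-in

# Constructed sample keys, one per controller; a real deployment keeps them in a KMS.
TENANT_KEYS = {"controller-a": b"constructed-key-a", "controller-b": b"constructed-key-b"}

def pseudonymise(tenant: str, subject_id: str) -> str:
    """Keyed HMAC rather than a plain hash: without the key the pseudonym cannot be
    reversed by hashing a list of likely identifiers, and a per-tenant key gives the
    same person unrelated pseudonyms under two controllers (logical data separation)."""
    mac = hmac.new(TENANT_KEYS[tenant], subject_id.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]

def retention_expired(created_iso: str, now_iso: str, cfg: TenantPrivacyConfig) -> bool:
    """True once a record (ISO-8601 timestamps, as stored) has outlived the
    tenant's retention window and is due for deletion."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(created_iso)
    return age >= timedelta(days=cfg.retention_days)

def log_event(tenant: str, action: str, subject_id: str, cfg: TenantPrivacyConfig) -> dict:
    """Audit record for the processor's own logs: the subject is referenced by
    pseudonym unless the controller has explicitly enabled raw identifiers."""
    ref = subject_id if cfg.log_subject_ids else pseudonymise(tenant, subject_id)
    return {"tenant": tenant, "action": action, "subject_ref": ref}

def privacy_gaps(cfg: TenantPrivacyConfig, max_retention_days: int = 90) -> list:
    """Design-review check: which privacy-by-design expectations a tenant
    configuration fails. An empty list means the configuration passes review."""
    gaps = []
    if cfg.retention_days > max_retention_days:
        gaps.append("retention exceeds agreed maximum")
    if cfg.log_subject_ids:
        gaps.append("raw subject identifiers written to logs")
    if not cfg.pseudonymise_exports:
        gaps.append("exports carry identifiable data")
    if any(scope.endswith(":all") for scope in cfg.api_scopes):
        gaps.append("API scopes are not least-privilege")
    return gaps
```

Running `privacy_gaps` in a design-review checkpoint turns the Clause 9.3 expectations into a concrete, repeatable test of each tenant's configuration.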
Implementation — Step by Step
- Step 1: Establish your ISO 27001 foundation — ISO 27701 cannot be implemented without it
- Step 2: Conduct a gap analysis against Clauses 7.1 and 9
- Step 3: Build your processor-side Records of Processing Activities (RoPA)
- Step 4: Review and update all DPAs against Clause 9.1.1 requirements
- Step 5: Implement operational controls — access controls, logical data separation, incident response, sub-processor register, Privacy by Design checkpoints, retention schedules
- Step 6: Roll out role-specific privacy training across the organisation
- Step 7: Conduct internal audit of your PIMS against ISO 27701
- Step 8: Engage an accredited certification body for Stage 1 (documentation) and Stage 2 (implementation) audit
Business Benefits — For Third-Party Processors
| Benefit | Business Impact |
|---|---|
| Accelerated sales cycles | Pre-built evidence pack — reduce time-to-contract by weeks |
| Reduced audit fatigue | Certification accepted in lieu of individual client audits |
| Regulatory confidence | Auditable evidence reduces investigation risk and fines |
| Competitive differentiation | Certification distinguishes processor in crowded market |
| Improved breach response | Documented procedures — faster containment, lower costs |
| Global market access | Recognised standard supports multi-jurisdiction compliance |
For the controller-side requirements, read our companion guide on ISO 27701 for Data Controllers. For the full Annex A/B control walkthrough, see ISO 27701 Annex A Controls Explained.
Frequently Asked Questions
Yes. Under GDPR Article 83(4), processors can face fines of up to EUR 10 million or 2% of global annual turnover for violations of processor obligations — irrespective of any contractual arrangement with the controller. Processors have direct regulatory liability.
Not without explicit written authorisation from the controller. Processing personal data outside the documented scope constitutes a serious compliance violation. Processors that use client data for their own purposes may be reclassified as controllers for that processing and face direct regulatory liability.
Yes. ISO 27701 is an extension to ISO 27001 and cannot be implemented or certified in isolation. The PIMS is built on top of, and extends, the existing ISMS. If you are not yet ISO 27001 certified, pursue both together.
Promptly notify the relevant controller (typically within 1-2 business days), not respond to the data subject directly unless authorised by the controller, maintain a log of all requests received, and provide technical assistance needed to fulfil the request.
Without undue delay — typically within 24 hours for initial notification with preliminary details, with ongoing updates every 24-48 hours, and a full technical report within 72 hours of discovery. The specific timeframe should be documented in the DPA.