Every organisation that handles personal data is, in some form, already subject to privacy obligations. Whether it is GDPR, DPDP, HIPAA, or a patchwork of state-level regulations, the question is no longer whether privacy compliance applies to you; it is how you demonstrate it. ISO 27701 answers that question with a structured, internationally recognised framework. But the most common question is deceptively simple: do we actually need this?
Who Does ISO 27701 Apply To?
ISO 27701 is applicable to any organisation of any type, size, or nature that processes Personally Identifiable Information (PII). That is the standard's own statement of scope, and it is deliberately broad. If personal data flows through your systems, as a core function or even incidentally, ISO 27701 is relevant.
ISO 27701 is a voluntary standard, not a legal regulation. No law currently mandates ISO 27701 certification. However, enterprise buyers, regulated industries, and procurement teams are increasingly treating it as a baseline expectation, particularly for organisations handling significant volumes of personal data.
Controllers vs Processors: The Foundational Distinction
PII Controller
A PII controller determines the purposes and means of processing personal data. You decide what data is collected, why, how it is used, and for how long. The individuals whose data you hold have a direct relationship with you.
PII Processor
A PII processor processes personal data on behalf of a controller, acting on the controller's documented instructions. The processor does not determine the purpose; it executes the processing in service of the controller's objectives.
Many SaaS founders assume they are purely processors because they "just host data" for clients. In practice, most SaaS companies are controllers for at least some personal data, particularly user account data, usage analytics, marketing data, and employee records. A data mapping exercise almost always reveals dual-role obligations.
What Each Role Actually Requires
| Requirement | PII Controller (Annex B) | PII Processor (Annex C) |
|---|---|---|
| Legal basis documentation | Must document for each processing activity | No independent basis required; acts under controller instructions |
| Consent management | Must obtain, record, manage withdrawal | Must support controller consent obligations |
| Data subject rights | Must have operational process for all rights | Must assist controller in responding to requests |
| Data minimisation | Must enforce purpose limitation across all processing | Must not process beyond controller instructions |
| Privacy notices | Must provide directly to data subjects | Not directly responsible |
| Sub-processor management | Must assess and bind all processors | Must notify controller before engaging sub-processors |
| Breach notification | Must notify regulators and data subjects | Must notify controller without undue delay |
Industry-by-Industry Applicability Guide
| Industry | Typical Role | Key Driver for ISO 27701 |
|---|---|---|
| SaaS | Controller + Processor | Enterprise procurement questionnaires; GDPR for EU users; dual certification with ISO 27001 |
| FinTech | Controller | RBI/SEBI alignment; cross-border payment processing; enterprise banking client requirements |
| Healthcare | Controller or Processor | Special category data; strictest consent; HealthTech SaaS as processor for hospitals |
| Cloud / MSP | Processor | Enterprise buyer assurance; sub-processor management; breach notification capability |
| Manufacturing | Controller | European supply chain due diligence; vendor qualification alongside ISO 9001 and ISO 27001 |
Certification vs Internal Framework: Which Is Right for You?
Pursue Formal Certification If:
- Enterprise customers are requesting ISO 27701 certification in vendor questionnaires
- You are subject to GDPR and want the strongest third-party evidence of compliance readiness
- You are already ISO 27001-certified and the incremental audit cost is low
- You are competing in regulated industries where certification is a differentiator
Use as Internal Framework If:
- You are building a privacy programme and certification is a future milestone
- Your customer base has not yet requested formal certification
- You are not yet ISO 27001-certified (pursue that first)
- You want to structure your DPDP or GDPR programme without formal audit overhead now
Prerequisites: What You Need Before Starting
ISO 27701 is an extension to ISO 27001, not a standalone standard. If you are already ISO 27001-certified, the additional effort primarily involves extending the ISMS scope to PII, building the RoPA, implementing Annex B/C controls, and updating your Statement of Applicability.
If you are not yet ISO 27001-certified, the most efficient path is to pursue both certifications together in a single integrated programme. See our ISO 27001 Explained for Startups guide to get started on the foundation.
Self-Assessment: Do You Need ISO 27701 Now?
| Question | If YES |
|---|---|
| Do you process personal data of EU or Indian users? | ISO 27701 urgency: High |
| Are enterprise buyers asking for privacy certifications? | ISO 27701 urgency: High |
| Do you hold ISO 27001 certification already? | Add ISO 27701 at next recertification |
| Do you process special category data (health, biometric, financial)? | ISO 27701 urgency: High |
| Do customers share their customers' data with your platform? | Annex C controls directly applicable |
| Have you experienced a privacy incident in the past 24 months? | Demonstrates corrective action |
| Are you in a regulated industry (healthcare, fintech, government)? | ISO 27701 urgency: High |
Frequently Asked Questions
Is ISO 27701 legally required?
No. ISO 27701 is a voluntary international standard, not a legal regulation. No law currently mandates ISO 27701 certification. However, enterprise buyers and regulated industries increasingly treat it as a baseline expectation. The business case is driven by customer requirements, not legal mandate.
Can you obtain ISO 27701 certification without ISO 27001?
Technically, no: ISO 27701 is an extension to ISO 27001 and requires the ISMS foundation to be in place. However, you can pursue both certifications together in a single integrated programme, which is the most efficient path for organisations starting from scratch.
If you run a SaaS business, are you purely a processor?
Almost certainly not. Most SaaS companies are controllers for at least some personal data: user account information, usage analytics, marketing data, and employee records are all processing activities where you determine the purpose. A proper data mapping exercise will reveal your dual-role obligations.
How does ISO 27701 relate to the DPDP Act?
ISO 27701 provides the operational framework for meeting DPDP Act obligations in a structured, auditable way. While the Act defines what obligations you have, ISO 27701 defines how to implement and demonstrate them. They are complementary: the standard is a vehicle for meeting the regulation's requirements.
Is ISO 27701 worth it for a startup?
For startups selling to enterprise customers, yes: it accelerates sales cycles by replacing lengthy vendor questionnaires with a single credential. Even without formal certification, implementing ISO 27701 controls structures your privacy programme, produces the documentation enterprise buyers ask for, and builds the foundation for future certification.