ISO 27701 PIMS Overview
Last updated: April 2026
ISO/IEC 27701:2019 extends ISO 27001 with privacy-specific requirements, establishing a Privacy Information Management System (PIMS). This page describes how FeatureSignals implements privacy controls, maps to GDPR requirements, and manages PII throughout its lifecycle.
PIMS Status: Implementation Phase
FeatureSignals is implementing ISO 27701 PIMS controls as an extension of our ISO 27001 ISMS. The PIMS framework is operational with internal assessments ongoing. All privacy controls documented below are implemented and operational.
What is ISO 27701?
ISO 27701 extends the ISO 27001 ISMS framework with privacy-specific requirements for both PII controllers and processors. It provides a structured approach to:
- Establishing, implementing, maintaining, and improving a PIMS
- Mapping privacy controls to GDPR, CCPA, and other privacy regulations
- Demonstrating compliance with data protection requirements
- Building trust with customers through certified privacy management
- Integrating privacy into the broader information security framework
PII Controller & Processor Controls
ISO 27701 distinguishes between controls for PII controllers and PII processors. FeatureSignals implements both sets, as we act as a processor for customer data and a controller for our own business data (billing, team accounts):
PII Controller Controls (ISO 27701 Clause 7.2)
| Control Category | ISO 27701 Reference | Implementation |
|---|---|---|
| Privacy policies & notices | 7.2.2 | Privacy Policy, cookie notice, DPF notice, transparency at collection points |
| Lawful basis for processing | 7.2.3 | Consent, contract necessity, legitimate interest — documented per processing purpose |
| Consent management | 7.2.4 | Explicit consent capture, withdrawal mechanism, consent audit trail |
| Privacy by design | 7.2.5 | Data minimization, purpose limitation, access controls baked into architecture |
| Data subject rights | 7.2.6–7.2.8 | Self-service access, correction, deletion, portability — all API-backed |
| Data Protection Impact Assessment | 7.2.9 | DPIA conducted for new processing activities, reviewed annually |
PII Processor Controls (ISO 27701 Clause 7.3)
| Control Category | ISO 27701 Reference | Implementation |
|---|---|---|
| Processing only on instructions | 7.3.2 | DPA strictly defines processing purposes, no processing beyond documented scope |
| Sub-processing authorization | 7.3.3–7.3.4 | Prior notification for new sub-processors, equivalent contractual terms |
| Confidentiality of personnel | 7.3.5 | Confidentiality agreements, access restrictions, need-to-know enforcement |
| Data breach notification | 7.3.6 | Controller notification within 24 hours of confirmed breach, incident response plan |
| Data retention & deletion | 7.3.7 | Defined retention periods, secure deletion (30-day grace, permanent purge), backup cycling |
| Assistance with controller obligations | 7.3.8 | API-based DSAR support, data export, DPIA assistance, audit support |
| Audit & compliance | 7.3.9 | Right to audit, SOC 2 evidence packages, CAIQ availability |
GDPR Mapping
ISO 27701 Annex D maps PIMS controls directly to GDPR articles. FeatureSignals uses this mapping to demonstrate GDPR compliance:
| GDPR Article | Requirement | ISO 27701 Control | FeatureSignals Implementation |
|---|---|---|---|
| Art. 5 | Data protection principles | 7.2.1–7.2.5 | Data minimization, purpose limitation, accuracy, storage limitation |
| Art. 15 | Right of access | 7.2.6 | API data export, self-service dashboard access |
| Art. 17 | Right to erasure | 7.2.8 | Soft delete + 30-day grace + permanent purge |
| Art. 20 | Data portability | 7.2.8 | JSON/CSV export, machine-readable formats |
| Art. 25 | Data protection by design | 7.2.5 | Privacy baked into hexagonal architecture, data minimization by default |
| Art. 28 | Processor obligations | 7.3.2–7.3.9 | DPA, sub-processor management, breach notification, audit rights |
| Art. 32 | Security of processing | 7.3.5 | TLS 1.3, AES-256, bcrypt, WAF, rate limiting, vulnerability scanning |
| Art. 33–34 | Breach notification | 7.3.6 | 24h notification to controller, 72h to supervisory authority |
PII Handling Lifecycle
FeatureSignals manages PII through its full lifecycle with documented controls at each stage:
Collection
PII is collected only for specified purposes. Data minimization is applied: only the data necessary to deliver the service is collected. Consent is captured where required. Privacy notices are provided at the point of collection.
Processing
PII is processed strictly in accordance with documented purposes in the DPA. Access is restricted by RBAC and need-to-know. Processing activities are logged for audit purposes.
Storage
PII is encrypted at rest (AES-256). Backups are encrypted. Data is stored in EU-based infrastructure (Hetzner, Falkenstein). Retention periods are enforced automatically.
Transfer
Cross-border transfers take place only with appropriate safeguards in place (DPF, SCCs, or an adequacy decision). Sub-processors are vetted and contractually bound to equivalent protections.
Deletion
PII is permanently purged at the end of its retention period. Deletion is two-phase: an immediate soft delete, followed by a hard delete on day 31 once the 30-day grace period has elapsed. Audit log references are anonymized. Backups cycle out within 90 days.
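The two-phase deletion and automatic retention enforcement described above, as an added Python sketch (not FeatureSignals' own code). Day numbers stand in for the timestamps of a nightly job, the 365-day retention period is an assumption, and the audit-log shape is constructed for the example.

```python
from dataclasses import dataclass, field
import secrets

GRACE_DAYS = 30        # soft delete on day D, permanent purge on day D + 30 (the "day 31")
RETENTION_DAYS = 365   # assumed retention period for account data (constructed for the example)

@dataclass
class PiiRecord:
    subject_id: str
    email: str
    created_day: int                  # day numbers stand in for timestamps of a nightly job
    deleted_day: "int | None" = None  # set by the soft-delete phase

@dataclass
class PiiStore:
    records: dict = field(default_factory=dict)     # subject_id -> PiiRecord
    audit_log: list = field(default_factory=list)   # entries: [day, subject_ref, event]

    def soft_delete(self, subject_id: str, today: int) -> None:
        """Phase 1: flag the record. Data stays recoverable during the grace window."""
        rec = self.records[subject_id]
        if rec.deleted_day is None:
            rec.deleted_day = today
            self.audit_log.append([today, subject_id, "soft_delete"])

    def enforce(self, today: int) -> list:
        """Nightly job: expire records past retention, then hard-delete records whose
        grace window has elapsed. Returns the subject ids purged in this run."""
        for rec in list(self.records.values()):
            if rec.deleted_day is None and today - rec.created_day >= RETENTION_DAYS:
                self.soft_delete(rec.subject_id, today)   # retention expiry starts the grace window
        purged = []
        for sid, rec in list(self.records.items()):
            if rec.deleted_day is not None and today - rec.deleted_day >= GRACE_DAYS:
                del self.records[sid]                     # Phase 2: permanent purge of the PII
                self._anonymize_audit_refs(sid)
                purged.append(sid)
        return purged

    def _anonymize_audit_refs(self, subject_id: str) -> None:
        """Replace the subject id in past log entries with a random token: unlinkable to
        the person (a hash of the id would only pseudonymize) yet still groupable for audit."""
        token = "anon-" + secrets.token_hex(8)
        for entry in self.audit_log:
            if entry[1] == subject_id:
                entry[1] = token
```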
Privacy by Design & Default
FeatureSignals incorporates privacy by design and privacy by default principles, as required by GDPR Article 25 and ISO 27701:
- Proactive, not reactive: Privacy is considered at the architecture level, not bolted on afterward
- Privacy as the default: Minimum data collection by default; users must opt in to additional data sharing
- Privacy embedded into design: Hexagonal architecture provides clear data boundaries
- Full functionality: Privacy controls do not degrade the service; feature flags work identically with minimal data
- End-to-end security: Data protected throughout its lifecycle — collection to deletion
- Visibility and transparency: Clear privacy documentation, accessible DPIA summaries
- Respect for user privacy: Data subject rights built into the product with self-service capabilities
DPO & Privacy Contact
For PIMS inquiries, DPIA requests, or privacy concerns: dpo@featuresignals.com