ISO 27701 · Updated 21 Jun 2026 · 5 min read

Free Privacy Management Policy Template (ISO 27701)

This is your internal privacy management policy (distinct from a public privacy notice): the top-level document of an ISO 27701 Privacy Information Management System (PIMS). It maps to the GDPR and sets out how your organization protects personal data (PII in ISO 27701 terms). Tailor the [Customize] points.

Who it is for: organizations extending an ISO 27001 ISMS into privacy, or any business that wants a structured, GDPR-aligned approach to managing personal data internally.

Template

Privacy Information Management Policy

ISO/IEC 27701:2019 §5.2

1. Purpose, Scope & Context

This policy sets out how Company Name manages the protection of personally identifiable information (PII) within its Privacy Information Management System. It applies to all PII the organization processes as a controller and/or processor, across the systems in scope.

2. Commitments

The organization commits to:

  • processing PII lawfully, fairly and transparently;
  • satisfying applicable data protection law (including the GDPR) and contractual obligations;
  • upholding data subject rights;
  • applying privacy by design and default; and
  • continually improving the privacy management system.

3. Roles & Responsibilities

A privacy lead / DPO owns this policy and coordinates the PIMS. Where the law requires it (GDPR Article 37), a Data Protection Officer is formally appointed and the decision recorded. System and process owners apply privacy requirements in their areas; all personnel handle PII in line with this policy.

4. PII Controls

As a controller, the organization establishes lawful basis, limits purposes, and meets transparency obligations. As a processor, it acts only on documented instructions and supports the controller. The Record of PII Processing is maintained and reviewed.

5. Data Subject Rights & Breaches

Requests to access, rectify, erase, restrict, object to, or port PII are handled within statutory timeframes (under the GDPR, one month from receipt, extendable by up to two further months for complex or numerous requests). Personal data breaches are assessed and recorded; where notification is required, the supervisory authority is informed within 72 hours of the organization becoming aware (GDPR Article 33), affected data subjects are informed where the breach is likely to result in a high risk to them (Article 34), and, when acting as a processor, the controller is informed without undue delay.

6. Compliance, Monitoring & Review

Compliance is mandatory. The PIMS is monitored through audits and management reviews. This policy is classified Internal, communicated to staff, and reviewed at least annually and after significant change.

✎ Highlighted items are placeholders — replace them with your organization's details.


How to customize this template

  • State clearly whether you act as a controller, a processor, or both: the obligations differ, and many organizations are both for different processing activities.
  • Appoint and name a privacy lead or DPO where required, and record the decision (including a decision not to appoint one, with the reasoning).
  • Keep this policy consistent with your public privacy notice and your Record of PII Processing; auditors compare the three.
  • Embed privacy by design into your change and product processes (for example, a privacy impact check in change approval), not just on paper.
  • Align retention and rights handling with your actual systems and statutory timeframes, and confirm that the systems can actually erase or export the data.

What an auditor looks for

  • Does the policy address controller and/or processor obligations clearly?
  • Are data subject rights and breach notification covered?
  • Is there a Record of PII Processing, kept current?
  • Is privacy by design embedded in change processes?

Frequently asked questions

Is this the same as my website privacy policy?

No. The public privacy notice tells data subjects how you use their data (GDPR Articles 13–14). This is the internal management policy that governs how your organization protects PII under ISO 27701.

Do I need ISO 27001 to use ISO 27701?

Yes. ISO 27701 is an extension to ISO 27001 and ISO 27002 and cannot be certified on its own, so you implement both and your PIMS certification depends on an ISO 27001 ISMS. This policy sits alongside your information security policy.

Does ISO 27701 satisfy the GDPR?

It strongly supports GDPR accountability and its annexes map controls to GDPR articles, but certification is against the ISO standard, not the GDPR itself; it is not a GDPR certification mechanism under Article 42, and compliance remains your responsibility.