Training Module
Operational Privacy Controls
Implement role-based privacy controls and data subject rights handling within an ISO/IEC 27701-aligned PIMS
Overview
ISO/IEC 27701 requires privacy controls to be defined, assigned, executed, and evidenced. The real challenge is not documenting controls, but making them work in daily operations.
This module focuses on implementing and sustaining operational privacy controls and data subject rights processes within a Privacy Information Management System (PIMS). Participants learn how to translate ISO/IEC 27701 role-based requirements for PII controllers and processors into workflows, ownership models, documented procedures, and reliable records.
The emphasis is on operational clarity: clear responsibilities, structured handoffs, consistent request handling, and traceable evidence that controls are functioning as intended.
Applicable environments
This module applies to organisations implementing or operating a Privacy Information Management System (PIMS) in line with ISO/IEC 27701. It focuses on how the standard’s requirements are interpreted and applied in practice within real organisational contexts.
The content is relevant for organisations seeking certification as well as for those using ISO/IEC 27701 as a reference framework to structure responsibilities, processes, and controls in the data protection domain.
Target audience
People involved in implementing, operating, or improving a PIMS aligned with ISO/IEC 27701
Executives and department heads accountable for the effectiveness and performance of a PIMS
Those responsible for processes, policies, IT systems, risks, and controls related to data protection
Auditors of ISO/IEC 27701 who want to deepen their understanding of management-side best practices (not audit technique)
Decision support
Is this module for you?
Agenda
Operationalising ISO/IEC 27701 controls in a stand-alone PIMS
From control statements to workflows and evidence
Controller controls: operating patterns
Processor controls: operating patterns
Supplier and sub-processor interfaces
Data subject rights handling as a managed process
Special cases and failure modes
Sustaining operational controls over time
Technology as an enabler
Case-based workshop
Show detailed agenda...
Learning outcomes
Key outcomes
Operationalise ISO/IEC 27701 controls in a stand-alone PIMS
Design and run a structured data subject rights process
Establish and govern privacy control interfaces across roles and suppliers
Additional capabilities
Define proportionate, auditable evidence
Manage complex DSAR cases
Clarify controller and processor operating patterns
Maintain control effectiveness as environments change
Materials
Learning materials
Slide deck
Participant workbook
Templates & tools
Practical, reusable artefacts to apply the module directly to your organisation.
Control register template
Control to workflow mapping sheet
Adjustable DSAR process
DSAR intake & triage checklist
DSAR documentation template
Supplier interface & assistance checklist
Confirmation
Certificate of completion
Module ID
HAM-DP-S-03
Discipline
ISO standard
Standard clause
8: Operation
Target audience
Public delivery
Live virtual
Duration
7 h
List price
CHF 550
Excl. VAT. VAT may apply depending on customer location and status.
Delivery
Live virtual delivery
This module is delivered live online and combines conceptual framing, discussion, case work and direct interaction with the instructor.
A public cohort is currently not scheduled. If you register your interest, we will notify you when a new public cohort is scheduled or suitable delivery options become available.
Custom delivery options
For organisations with specific constraints or learning objectives, the module can be adapted in format or scope, including in-house delivery and contextualised case material.
For an optimal learning experience
Prerequisites & preparation
This module is designed as part of a modular training approach. Topics are deliberately distributed across modules and are not repeated in full, in order to avoid unnecessary redundancy. Each module is self-contained and can be taken on its own. Where prior knowledge or experience is helpful, this is indicated below so you can decide whether any preparation is useful for you.
Assumed background
This module assumes participants can already work with core privacy concepts and can navigate their organisation’s processing reality.
Helpful background includes:
Basic privacy / data protection concepts and terminology (PII, processing, recipients, retention, disclosure)
Clarity on processing context, roles, and scope artefacts (at least at a high level)
Familiarity with internal workflows and systems where PII is handled (ticketing, CRM, HRIS, support tooling, shared drives)
Preparatory modules
Foundational modules (depending on background)
Useful if you are new to the underlying concepts or want a shared baseline before attending this module.
Supporting modules (optional)
Helpful if you want to deepen related skills, but not required to participate effectively.
