ISO 27701 Free Privacy Readiness Checklist

Leadership & Ownership

Scope, ownership, policies and measurable targets.

0/0 answered

We have clearly defined what personal data we manage and where our privacy program applies.

This defines what is in scope and out of scope for privacy management.

Show examples

A short scope statement listing systems, products, regions and teams handling personal data.
A clear list of in-scope tools (e.g. CRM, support) and out-of-scope items (e.g. retired systems).
Identification of key data types such as customer, employee or patient data.

Privacy ownership is assigned and responsibilities are documented (who decides, who does, who approves).

This ensures accountability and clear decision-making.

Show examples

A named privacy owner or lead with documented responsibilities.
Clear escalation paths for incidents, complaints and high-risk decisions.
Defined approval roles for privacy assessments and responses.

We have up-to-date privacy policies and procedures that people follow in practice.

Policies exist, are current, and are actually used.

Show examples

A current privacy notice published on your website or portal.
Internal procedures for handling privacy requests and incidents.
Documented retention, deletion and acceptable use rules.

We track a small set of privacy targets so leaders can see progress.

Leadership can see whether privacy is improving or declining.

Show examples

Targets for responding to privacy requests within a set timeframe.
Regular reporting on incidents, complaints or near misses.
Tracking privacy training completion rates.

Know Your Data

Your data register, where data flows, and how changes are assessed.

0/0 answered

We maintain a current register of how and why we process personal data.

This is your single source of truth for data processing.

Show examples

A register covering support, billing, marketing, product usage and HR.
Each entry lists purpose, data types, systems, vendors and retention.
The register is reviewed when new systems or vendors are introduced.

We can explain where personal data is collected, stored and shared.

You understand how data moves across systems and vendors.

Show examples

A simple diagram showing data flow from collection to storage.
A list of third parties receiving personal data.
Identification of offshore hosting or access.

We assess privacy risk before high-impact changes go live.

Privacy risk is considered before launching or changing systems.

Show examples

Privacy assessments completed for new features or data uses.
Reviews conducted when onboarding new vendors.
Documented risks and agreed mitigations.

Everyday Privacy Controls

Minimisation, access control, consent, requests and training.

0/0 answered

We only collect what we need, keep it only as long as needed, and restrict access appropriately.

Privacy-by-design controls are in place.

Show examples

Defined retention periods for customer and employee data.
Role-based access to sensitive information.
Automated deletion or anonymisation when data is no longer needed.

Where consent is needed, we can prove it and show when it changed or was withdrawn.

Consent decisions are traceable and auditable.

Show examples

Records showing when and how consent was captured.
Preference management or opt-out capability.
Audit logs of consent changes.

We can handle privacy requests from individuals within a defined timeframe.

Requests are tracked, completed and evidenced.

Show examples

A workflow or ticket system for privacy requests.
Identity checks before releasing personal data.
Records showing responses were sent on time.

Privacy training is assigned by role and we can show who completed it.

People understand their privacy responsibilities.

Show examples

Mandatory privacy training for new starters.
Additional training for high-risk roles.
Completion reports reviewed by management.

Vendors & Overseas Data

Vendor checks, contracts, and overseas transfer safeguards.

0/0 answered

We assess privacy risk in vendors and contracts define privacy expectations.

Third-party privacy risks are understood and managed.

Show examples

Vendor risk assessments completed before onboarding.
Privacy clauses included in supplier contracts.
Ongoing review of vendors handling personal data.

If personal data goes overseas, we assess and document transfer risks and safeguards.

Cross-border data handling is understood and controlled.

Show examples

Identification of systems with offshore access or hosting.
Documented assessment of overseas transfer risks.
Controls to monitor and manage transfers.

Evidence & Monitoring

Evidence storage, reporting, internal checks and leadership review.

0/0 answered

Privacy evidence is stored in one place with versioning so audits are easy.

Evidence is centralised and audit-ready.

Show examples

Central storage of policies, registers and assessments.
Version history enabled for key documents.
Clear ownership for maintaining records.

We report privacy activity so trends and repeat issues are visible.

Metrics support informed decision-making.

Show examples

Regular reporting on requests, incidents and complaints.
Trend analysis identifying recurring issues.
Metrics reviewed by leadership.

We check privacy controls internally and track fixes through to completion.

Issues are found early and resolved.

Show examples

Periodic internal privacy reviews.
Findings with owners and due dates.
Evidence that issues were fixed and verified.

Leaders review privacy performance and decide priorities and improvements.

Privacy is actively governed at leadership level.

Show examples

Management meetings covering privacy risks and metrics.
Recorded decisions on funding or improvements.
Follow-up actions tracked to completion.

Acronym guide (plain English)

PIMS — Privacy Information Management System

Your privacy governance, processes and evidence (how you manage personal information end-to-end).

PII — Personal information (identifiable data)

Data that identifies a person, directly or indirectly (e.g., name, email, patient ID).

DPO — Data Protection Officer (or privacy lead equivalent)

The person accountable for privacy oversight and advice (may be “Privacy Lead” in AU contexts).

PO — Privacy Officer

The person/team running privacy operations day-to-day.

ROPA — Record of Processing Activities (processing register)

A register of what personal data you process, why, where it flows, who you share it with, and retention.

DPIA — Data Protection Impact Assessment (high-risk privacy assessment)

Used for high-risk processing or major changes to identify risks and safeguards.

SRR — Subject Rights Request (privacy request)

Requests from individuals to access, correct, delete, export or object to data use.

KPI — Key Performance Indicator

A measurable target, e.g., “respond to privacy requests within X days”.

SLA — Service Level Agreement

A committed timeframe for completion/response (internal or customer-facing).

DD — Due diligence

A structured vendor check before onboarding or renewal (data, controls, contracts, risk).

DPA — Data Processing Agreement

Vendor contract terms governing personal data handling and security/privacy obligations.

SCC — Standard Contractual Clauses

Standard terms often used to support international transfers in certain jurisdictions.

TIA — Transfer Impact Assessment

Assessment of overseas transfer risks and safeguards.

M365 — Microsoft 365

Where evidence may be stored (e.g., SharePoint) with retention/versioning.

ISO 27701 privacy readiness checklist (free)

Objective

Scoring

Output

Leadership & Ownership

Know Your Data

Everyday Privacy Controls

Vendors & Overseas Data

Evidence & Monitoring

Acronym guide (plain English)

Before you download