Data Privacy Frameworks: A Practical Guide
Start with what your market demands
Data privacy frameworks fall into two categories - regulations you must follow and standards you choose to adopt. Most organizations need a mix of both. The trick is knowing which ones actually apply to you rather than trying to tick every box on the list. Your answer depends on where your customers are, what data you handle, and what industry you operate in.
Regulations vs standards - a key distinction
Regulations are law. Non-compliance means fines, enforcement actions, and legal liability. You do not choose to comply with GDPR - if you are established in the EU, or you offer goods or services to people in the EU or monitor their behaviour there, it applies whether you like it or not.
Standards and frameworks are voluntary. ISO 27701, SOC 2, and similar frameworks provide structured approaches to demonstrating privacy compliance - ISO standards through certification by an accredited body, SOC 2 through an attestation report issued by a licensed CPA firm. They help you build a privacy program and prove to clients, regulators, and auditors that you take data protection seriously. Some clients or contracts may require a specific certification or attestation report, making “voluntary” more like “practically mandatory.”
The smartest approach is to use regulations as your compliance baseline and standards as the structure for meeting those requirements systematically.
The regulations you need to know
GDPR
The General Data Protection Regulation remains the most influential privacy regulation globally. It applies to organizations established in the EU, and to organizations anywhere in the world that offer goods or services to people in the EU or monitor their behaviour there - regardless of where the processing itself takes place. The core requirements include a lawful basis for every processing activity, data subject rights (access, rectification, erasure, portability, objection), notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it (and affected individuals without undue delay where the breach is likely to result in a high risk to them), data protection impact assessments for high-risk processing, records of processing activities, and appropriate technical and organizational security measures.
Penalties reach up to EUR 20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is higher; a lower tier of EUR 10 million or 2% applies to infringements of the controller and processor obligations such as security and record-keeping. Beyond fines, regulators can impose a temporary or definitive ban on processing - which for a data-driven business can be more damaging than any financial penalty.
CCPA/CPRA
California’s privacy laws give residents the right to know what personal information is collected about them, to opt out of its sale or sharing, and to request deletion. The California Privacy Rights Act (CPRA), in force since January 2023, expanded these protections with a dedicated enforcement agency (the California Privacy Protection Agency), a right to correct inaccurate data, and a right to limit the use of sensitive personal information. If your business serves California residents and meets one of the statutory thresholds - annual revenue, the number of consumers whose personal information you process, or the share of revenue derived from selling or sharing personal information - these rules apply.
Sector-specific regulations and standards
Some industries have additional requirements. HIPAA governs protected health information in the US. PCI DSS applies if you store, process, or transmit payment card data; it is an industry standard enforced through card brand and acquirer contracts rather than a law, but the consequences of non-compliance (fines, and ultimately losing the ability to accept cards) make it mandatory in practice. Financial services face regulations from DORA in the EU to GLBA in the US. These layer on top of general privacy rules - you do not get to choose one or the other.
The standards that demonstrate compliance
ISO 27701 - Privacy Information Management
ISO 27701 extends ISO 27001 with privacy-specific controls for organizations acting as PII controllers and PII processors. Its annexes map those controls to GDPR articles, making it the most practical framework for organizations that need to demonstrate GDPR compliance through a recognized certification. If you already have an ISO 27001 ISMS, adding ISO 27701 is a natural next step - it extends your existing management system and is audited alongside it rather than requiring a separate program.
We have covered the comparison between ISO 27701 and ISO 31700 in detail if you are evaluating both.
ISO 27001 - The security foundation
ISO 27001 is not a privacy standard, but it provides the security management system that privacy depends on. You cannot protect personal data without protecting information in general. The 2022 version includes 93 controls covering access management, encryption, incident response, supplier security, and more - all of which support privacy compliance.
Most organizations we work with start here. A solid ISMS gives you the foundation to layer on privacy-specific requirements from ISO 27701 or map to GDPR obligations.
SOC 2 - Trust through reporting
SOC 2’s Trust Services Criteria include a privacy category that evaluates how you collect, use, retain, disclose, and dispose of personal information against the commitments in your own privacy notice. Most SOC 2 reports cover only the security category, so privacy has to be scoped in deliberately. For SaaS companies serving the North American market, a SOC 2 Type II report that includes the privacy category is often the quickest way to demonstrate data protection practices to enterprise clients.
For organizations that need both SOC 2 and ISO 27001, we have written about how the two overlap and how to implement them together.
How these frameworks connect
| Framework | Type | Scope | Best for |
|---|---|---|---|
| GDPR | Regulation | EU personal data | Any org processing EU resident data |
| CCPA/CPRA | Regulation | California personal data | US businesses meeting thresholds |
| HIPAA | Regulation | US health data | Healthcare and health tech |
| ISO 27001 | Standard | Information security broadly | Security foundation for any org |
| ISO 27701 | Standard | Privacy management (extends ISO 27001) | GDPR compliance demonstration |
| SOC 2 (Privacy) | Framework | Service provider trust | SaaS and cloud services, North America |
The important thing to understand is that these are not competing alternatives. Regulations tell you what you must do. Standards and frameworks give you a structured way to do it and prove it.
Which frameworks do you actually need?
If you process EU personal data: GDPR compliance is mandatory. ISO 27701 provides the most direct path to demonstrating compliance through certification. Start with ISO 27001 as your security foundation, then extend with ISO 27701 for privacy.
If you are a SaaS company with US clients: SOC 2 with the privacy category in scope is likely your first ask from enterprise buyers. If you also serve EU clients, add ISO 27001 and ISO 27701.
If you handle health data in the US: HIPAA compliance is non-negotiable. ISO 27001 provides a strong management system that supports HIPAA’s administrative, physical, and technical safeguard requirements.
If you are not sure where to start: Begin with ISO 27001. It provides the broadest security and privacy foundation. From there, you can extend to ISO 27701 for privacy, pursue SOC 2 for the US market, or map to sector-specific regulations - all building on the same core management system.
Common mistakes
Building separate programs for each framework. We see organizations with a GDPR project, a separate ISO 27001 implementation, and a third track for SOC 2. This triples the documentation, the audit burden, and the team workload. Build one integrated program and map it to multiple frameworks.
Treating privacy as a legal problem only. Privacy compliance requires technical controls (encryption, access management, data minimization), organizational measures (policies, training, roles), and legal work (privacy notices, DPIAs, contracts). A lawyer-only approach leaves gaps that auditors and regulators will find.
Ignoring the standards because they are voluntary. A regulation tells you to “implement appropriate technical and organizational measures.” A standard like ISO 27001 or ISO 27701 tells you exactly what those measures look like in practice. Skipping the standards leaves you guessing about what “appropriate” means.
How 27kay can help
We help organizations build integrated privacy and security programs that satisfy multiple frameworks from a single implementation effort. Whether you need ISO 27001 as your security foundation, GDPR compliance through ISO 27701, or SOC 2 for your US clients, we design programs that cover your actual requirements without unnecessary duplication.
Not sure which frameworks apply to you? Let’s talk - we will map your obligations based on your markets, your data flows, and your clients’ expectations.