Translation of GDPR article 32 into effective privacy governance and management practices. A view on GDPR ambiguity, non-compliancy risks and effectiveness of ISO 27701:2019 as Privacy Management System

Many organizations seem to struggle to translate the GDPR legislation into specific and effective (data privacy) governance, management & operational activities. The GDPR Enforcement Tracker (Law firm C|M|S, 2020) reported that the European Data Privacy Authorities fined non-compliance with the GDPR (up to 03.2020) with a total cumulative fine of € 332.000.000, a substantial materialized risk. Organizations with a focus on privacy risk mitigation often turn to worldwide accepted standards for guidance. A new ISO standard that has been released in 2019, ISO 27701:2019, aims to deliver specific guidance for the setup of a PIMS (Privacy Information Management System). This context has led to the formulation of the main research question of this paper: What are the most violated GDPR articles/aspects in combination with the highest fines? What are the (perceived) risks, ambiguities, the required governance and (change) management activities of this most violated GDPR article and are these effectively addressed in ISO 27701 as Privacy Information Management System