Insight: Gestión de protección de datos personales en el sector financiero popular y solidario

About the Authors and This Research

This study is co-authored by Shirley Katherine Bermeo-Pérez, Laura Alexandra Ureta-Arreaga, and Marco Yamba-Yugsi—three researchers with sustained expertise in information security and personal data governance in Ecuador. Laura Alexandra Ureta-Arreaga, in particular, has developed a research trajectory focused on translating international standards such as ISO/IEC 27701 into actionable compliance frameworks for financial institutions operating in emerging regulatory environments.

Published in the MQR academic journal (DOI: https://doi.org/10.56048/mqr20225.8.3.2024.3624-3638), the study employs a descriptive and applied methodology with a mixed-methods approach—combining quantitative risk assessment with qualitative analysis of legal compliance artifacts. The research site is a financial institution within Ecuador's "Popular and Solidarity Financial Sector" (Sector Financiero Popular y Solidario), a cooperative banking model characterized by handling sensitive personal and financial data of both individual members and institutional clients.

Ecuador's 2021 Organic Law on Personal Data Protection (LOPD) closely mirrors the structure of the EU's GDPR, making this study one of the few empirical validations of ISO 27701 implementation outside the European and North American contexts. For Taiwan enterprises, this provides a highly relevant comparative reference: how can organizations in jurisdictions with newly enacted privacy laws rapidly build a compliant and sustainable personal data management framework?

Core Findings: ISO 27701 Transforms Privacy Risk Management from Reactive to Systematic

The study's primary contribution is a validated end-to-end ISO/IEC 27701:2019 implementation pathway. The research team systematically identified all personal data processing activities at the target institution, constructed the legal artifact infrastructure required for regulatory compliance, and conducted a comprehensive risk assessment. The results confirmed that implementing personal data protection management based on ISO 27701 enabled the identification and mitigation of significant risks, measurably enhancing user security and trust.

Finding 1: Records of Processing Activities (RoPA) Are the Foundation—and the Most Overlooked Step

Prior to ISO 27701 implementation, the institution lacked systematic documentation of its personal data processing activities. The research team applied the recordkeeping requirements under ISO/IEC 27701:2019 Section 7.2.8 to construct a comprehensive RoPA, in the process uncovering multiple data flows that had previously fallen outside the institution's risk management scope. For Taiwan enterprises, this maps directly onto the obligations under Article 18 of the Personal Data Protection Act, which requires organizations to maintain the accuracy, completeness, and confidentiality of personal data—a requirement that is practically impossible to fulfill without knowing what data is being processed and where.

Finding 2: DPIA and Risk Assessment Must Be Integrated—Not Sequential

Using a mixed-methods approach, the research team executed Data Protection Impact Assessments (DPIA) for high-risk processing scenarios identified during the RoPA phase. The study found that credit evaluation, customer identity verification, and marketing activities represent the three highest-risk processing contexts in the financial sector. Critically, the research confirmed that risk assessment results must directly drive the design of security controls—not remain as standalone documentation exercises. This aligns with the standard established by Taiwan's Kaohsiung High Administrative Court, which held that a company's security measures must meet "the prevailing technological standards and industry norms" to effectively prevent foreseeable risks.

Finding 3: Organizational Culture Determines Whether Compliance Is Sustainable

The study explicitly frames organizational culture as the decisive variable in long-term compliance success. The authors recommend that institutions establish periodic risk assessments, regular management reviews, and adaptive mechanisms that respond to evolving regulatory and technological landscapes. This position is consistent with guidance from Japan's Personal Information Protection Commission (PPC), which emphasizes continuous privacy management as a foundational principle—and with Taiwan's own regulators, who have signaled increasingly active enforcement postures.

Implications for Taiwan PIMS Practice: Three Directly Actionable Insights

Taiwan enterprises in 2024 operate in a regulatory environment that closely parallels the scenario analyzed in this research. Article 27 of Taiwan's Personal Data Protection Act requires organizations to adopt "appropriate security measures," but the law provides no quantitative definition of "appropriate." This is precisely the gap that ISO/IEC 27701 fills: it provides an internationally recognized operational framework that makes "appropriate measures" concrete, verifiable, and auditable.

Three actionable insights emerge from this research for Taiwan enterprises:

First, building a complete RoPA is urgent and non-negotiable. This study demonstrates that financial institutions frequently cannot fully account for their own personal data processing activities before ISO 27701 implementation. Taiwan enterprises that cannot produce a RoPA will be severely disadvantaged in the event of a regulatory investigation, particularly following a data breach incident.

Second, DPIA should become standard operating procedure for high-risk business activities. GDPR Article 35 mandates DPIA for high-risk processing scenarios; while Taiwan's PDPA does not yet explicitly require DPIA, regulators have begun treating its execution as an indicator of "appropriate security measures." The three financial sector scenarios identified in this study—credit evaluation, identity verification, and marketing—are directly applicable to Taiwan financial institutions and fintech operators.

Third, privacy compliance and information security management (ISO 27001) must be integrated, not siloed. ISO 27701 is architecturally designed as an extension of ISO 27001. Taiwan enterprises that have already achieved ISO 27001 certification can reduce their ISO 27701 implementation effort by approximately 30% to 40%, while simultaneously building a more comprehensive compliance posture that addresses GDPR, Taiwan's PDPA, and emerging cross-border data transfer requirements.

How Winners Consulting Services Supports Taiwan Enterprises

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) assists Taiwan enterprises in implementing ISO 27701 standards, establishing personal data protection mechanisms compliant with GDPR and Taiwan's Personal Data Protection Act, and conducting DPIA assessments. Based on the findings of this research, we recommend the following three concrete actions:

  1. Personal Data Inventory and RoPA Construction (Months 1–3): Systematically identify all personal data processing activities, establish a comprehensive RoPA, confirm the legal basis for each processing activity, and flag high-risk scenarios as priority targets for subsequent DPIA execution.
  2. DPIA Execution for High-Risk Scenarios, Linked to Security Control Design (Months 3–7): Based on the three high-risk scenarios confirmed in this research (credit evaluation, identity verification, marketing activities), design scenario-specific DPIA templates and ensure assessment results directly drive the selection and implementation of security controls—not merely satisfy documentary compliance requirements.
  3. Privacy Compliance Governance and Organizational Culture Development (Months 7–12): Design privacy policies, employee training programs, and periodic review mechanisms to ensure the ISO 27701 management system operates continuously as regulatory environments evolve, rather than functioning as a one-time certification project.

Winners Consulting Services Co. Ltd. offers a complimentary PIMS Mechanism Diagnostic, helping Taiwan enterprises establish an ISO 27701-compliant management system within 7 to 12 months.

Frequently Asked Questions

What specific risks does ISO 27701 implementation actually reduce in financial institutions?

According to this study's empirical findings, financial institutions implementing ISO/IEC 27701:2019 achieved systematic identification and mitigation of significant personal data processing risks, with the most pronounced improvements in three scenarios: credit evaluation, customer identity verification, and marketing activities. Implementation enabled the construction of a traceable Records of Processing Activities (RoPA), substantially reducing risk blind spots and providing an evidence-based foundation for designing security controls. For Taiwan financial institutions, this directly addresses the "appropriate security measures" requirement under Article 27 of the Personal Data Protection Act, and reduces exposure to administrative penalties that regulators have increasingly been willing to impose.

What are the most common compliance challenges Taiwan enterprises face when implementing ISO 27701?

Taiwan enterprises most frequently encounter three challenges when implementing ISO 27701: first, the absence of a complete personal data processing inventory, making risk assessment impractical; second, the failure to integrate ISO 27001 information security management with personal data protection, resulting in two parallel but disconnected compliance systems; and third, insufficient employee privacy awareness, causing management mechanisms to exist only on paper. Additionally, many enterprises mistakenly assume ISO 27001 certification is sufficient for GDPR or Taiwan PDPA compliance. ISO 27701's specific requirements, including consent management, data subject rights response mechanisms, and cross-border transfer compliance design, fall outside ISO 27001's scope and must be separately addressed.

What are the core requirements of ISO 27701, and how should Taiwan enterprises implement it in phases?

ISO/IEC 27701 extends ISO 27001 with privacy-specific requirements, including: identification of the purpose and legal basis for personal data processing; mechanisms for responding to data subject rights (such as access rights and deletion rights); and maintenance of Records of Processing Activities. We recommend Taiwan enterprises adopt a three-phase approach: Phase 1 (Months 1–3): complete personal data inventory and RoPA construction; Phase 2 (Months 3–7): execute DPIA for high-risk scenarios and design and implement security controls; Phase 3 (Months 7–12): establish internal audit mechanisms, complete management review, and prepare for third-party certification.

What resources are required to implement ISO 27701, and how should ROI be assessed?

Resource requirements for ISO 27701 implementation vary by organizational scale. For enterprises that already hold ISO 27001 certification, the marginal cost of adding ISO 27701 can be reduced by approximately 30% to 40%, as the foundational management framework is already in place and incremental work focuses primarily on privacy-specific control design. For small and medium enterprises starting from zero, full implementation typically requires 7 to 12 months, with primary investments in consulting fees, internal staff training, and document system construction. On the benefits side, certification reduces exposure to regulatory administrative penalties, strengthens trust with clients and business partners, and reduces compliance barriers in cross-border business activities subject to GDPR requirements.

Why should Taiwan enterprises choose Winners Consulting Services for PIMS-related issues?

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is Taiwan's specialized consulting firm for ISO 27701 Privacy Information Management System implementation, with cross-industry experience spanning financial services, manufacturing, technology, and professional services. Our core advantage lies in our ability to map the ISO 27701 international framework against the specific requirements of Taiwan's Personal Data Protection Act and GDPR simultaneously, delivering an integrated "one framework, multi-law compliance" solution rather than fragmented point-by-point compliance. We provide end-to-end support, from current-state diagnostics and gap analysis through mechanism design, training, internal audit, and certification preparation, ensuring enterprises build a privacy compliance system designed to operate sustainably, not merely to achieve certification.
---

Japanese Version

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) has drawn insights of critical importance to Taiwan enterprises from an empirical study conducted in 2024 in Ecuador's cooperative financial sector. Implementing personal data protection management based on ISO/IEC 27701:2019 not only systematically identifies and reduces significant personal data processing risks, but also builds a sustainable compliance culture within the organization. This finding has direct implications for Taiwan enterprises facing strengthened enforcement of the Personal Data Protection Act (PDPA).

Source Paper

Gestión de protección de datos personales en el sector financiero popular y solidario (Bermeo-Pérez, Shirley Katherine; Ureta-Arreaga, Laura Alexandra; Yamba-Yugsi, Marco, arXiv, 2024)

Original link: https://doi.org/10.56048/mqr20225.8.3.2024.3624-3638
