An analysis by Winners Consulting Services Co., Ltd. of the latest 2024 research on criminal compliance from the University of Barcelona finds that implementing a Criminal Compliance System (CCS) in the IT security sector is no longer optional but a core mechanism for preventing cybercrime risks and protecting corporate reputation. For Taiwanese enterprises facing the triple compliance pressure of the GDPR, Taiwan's Personal Information Protection Act (PIPA), and ISO 27701, the study provides a systematic framework worth referencing.
Source: Criminal compliance system: implementation of a compliance model in the information technology security sector (Màrquez Postigo, Sandra, arXiv, 2024)
Original Link: https://core.ac.uk/download/613716714.pdf
About the Author and This Study
Sandra Màrquez Postigo is a graduate of the Faculty of Law at the University of Barcelona (Universitat de Barcelona). This paper is her final degree thesis (Treball Final de Grau) for the 2023-2024 academic year, supervised by criminal law scholar Dr. Javier Cigüela Sola. Although it is an undergraduate thesis, its research perspective is quite mature: the author not only approaches the topic from the Spanish domestic legal framework but also broadly examines international trends in criminal compliance within the IT security sector, analyzing them through the lens of the EU legal framework.
The importance of this study lies in its use of a systematic literature review to comprehensively outline the legal basis, core elements, and implementation steps of Criminal Compliance. This fills a gap in academic literature, which has less frequently addressed the "criminal liability aspect" of IT security compliance. For Taiwanese corporate executives, this research offers an integrated perspective that combines legal risk management with cybersecurity governance, making it a valuable reference for their Privacy Information Management System (PIMS) strategies.
From Criminal Compliance to Cybersecurity Governance: Five Core Propositions from the Paper
The central argument of this paper is that compliance has evolved from a "trendy management tool" into a "key resource" for demonstrating an organization's commitment to ethical integrity, good governance, and long-term sustainability. The following are the main findings identified by the author through normative legal research:
Core Finding 1: A Criminal Compliance System (CCS) is the first line of defense against cybercrime.
The paper clearly states that an effective compliance program is a "critical bulwark" against criminal activities. Especially in the field of cybersecurity, with the rapid evolution of cybercrime since 2016, companies lacking a systematic CCS framework not only face financial losses from ransomware attacks and data theft but may also incur criminal liability for internal control failures. The author emphasizes that a CCS is not just a defensive tool but also the institutional foundation for building a corporate ethical culture.
Core Finding 2: The design and implementation of a CCS require five key steps.
The paper systematically outlines a design framework for a criminal compliance system, which includes: (1) risk assessment and identification, (2) design of control measures, (3) development of compliance policies, (4) training and personnel involvement, and (5) monitoring and continuous improvement. These five steps are highly consistent with the implementation logic of ISO 27701—particularly the privacy risk assessment (corresponding to DPIA) and continuous improvement mechanisms required by the standard. This indicates that there is a common, integrable foundation between criminal compliance and a Privacy Information Management System (PIMS) at the structural level.
Core Finding 3: Multidisciplinary professional talent is essential for the success of a CCS.
The paper specifically highlights that compliance work in the IT security field is highly complex, and professionals with a single legal or technical background are insufficient to manage the overall picture. The author points out the need for a combination of expertise from law, information security, risk management, and organizational behavior—this is precisely the talent gap that Taiwanese companies often face when promoting integrated compliance.
Three Key Implications of the Study for PIMS Practices in Taiwan
Although this study is based on the Spanish and EU legal systems, its core framework is highly relevant for Taiwanese enterprises. Especially with the ongoing advancement of the draft amendment to Taiwan's PIPA in 2023, the increasing enforcement of GDPR, and the growing demand for ISO 27701 certification, the following three implications deserve the attention of Taiwanese executives:
Implication 1: Personal data protection cannot rely solely on technical safeguards; a legal liability management mechanism must be established concurrently. Article 48 of Taiwan's PIPA stipulates administrative penalties for enterprises that fail to take appropriate security measures, while Article 83 of the GDPR imposes fines of up to €20 million or 4% of global annual turnover for serious violations. The paper notes that the core value of a CCS lies in integrating "legal liability" into daily management, which aligns with the spirit of ISO 27701 Clause 6.15, requiring a lawful basis for processing personal data. Taiwanese companies should shift their regulatory compliance mechanisms from reactive responses to proactive management.
Implication 2: DPIA (Data Protection Impact Assessment) should become a standard operating procedure, not a one-time activity. The paper emphasizes that a CCS requires "continuous monitoring" and "periodic review," which corresponds to the Data Protection Impact Assessment (DPIA) mechanism required by Article 35 of the GDPR. When implementing ISO 27701, Taiwanese companies should establish an SOP for conducting regular DPIAs and link the assessment results to their cybersecurity incident response plans to form a closed-loop management system.
Implication 3: The study's methodological limitations remind Taiwanese enterprises of the need for localized adaptation. Objectively, this paper is primarily based on the EU legal framework (especially Article 31bis of the Spanish Criminal Code) and lacks direct correspondence with the regulatory environment in the Asia-Pacific region, including Taiwan. When applying this framework, Taiwanese companies must integrate it with the local regulations of Taiwan's PIPA, the latest guidelines from competent authorities (such as the National Development Council and the Financial Supervisory Commission), and Asia-Pacific regulatory dynamics like the facial recognition guidelines issued by Japan's PPC in 2023. Such context-specific adjustments are necessary to create a truly applicable Taiwanese version of the GDPR compliance framework.
Winners Consulting Services Helps Taiwanese Enterprises Build Integrated Criminal Compliance and Privacy Protection Mechanisms
Winners Consulting Services Co., Ltd. assists Taiwanese enterprises in implementing the ISO 27701 standard, establishing personal data protection mechanisms that comply with GDPR and Taiwan's PIPA, and conducting DPIAs. Integrating the criminal compliance system framework revealed in this paper, we offer the following concrete action recommendations:
- Conduct a CCS Gap Assessment: Compare your existing cybersecurity compliance mechanisms against the five-step framework proposed in the paper (risk identification → control design → policy development → training → monitoring and improvement), with a special focus on whether "criminal liability risk" has been included in the scope of your ISO 27701 management.
- Establish a Regular DPIA Operational Mechanism: In accordance with GDPR Article 35 and ISO 27701 Clause 7.2.5, design a DPIA execution template and an annual review plan suitable for your company's scale, and ensure that the assessment results effectively feed back into the organization's data protection policies.
- Form a Multidisciplinary Compliance Task Force: Echoing the paper's emphasis on multidisciplinary talent, we recommend that Taiwanese companies ensure their ISO 27701 certification task force includes representatives from legal, information security, HR, and business departments, and plan for no less than 8 hours of professional compliance training annually.
Winners Consulting Services Co., Ltd. offers a Free PIMS Health Check to help Taiwanese enterprises establish an ISO 27701-compliant management system within 7 to 12 months.
Frequently Asked Questions
- What is the relationship between a Criminal Compliance System (CCS) and the PIMS of ISO 27701? Do companies need to implement them separately?
- They are highly complementary in structure, and an integrated implementation is recommended. A Criminal Compliance System (CCS) focuses on managing a company's legal liability for criminal acts, while ISO 27701 concentrates on privacy protection for personal information. However, research by Màrquez Postigo (2024) reveals a significant overlap between the five-step CCS framework (risk assessment, control design, policy development, training, monitoring) and the PDCA cycle of ISO 27701. For Taiwanese companies facing both administrative penalties under Taiwan's PIPA and cross-border requirements from GDPR, an integrated strategy allows them to cover both sets of requirements within a single framework, saving at least 30% on redundant implementation costs. Winners Consulting Services offers such integrated implementation services.
- What are the most common compliance challenges for Taiwanese companies implementing ISO 27701?
- The three most common challenges for Taiwanese companies implementing ISO 27701 are: first, a lack of multidisciplinary talent proficient in both legal affairs and information security; second, integration gaps between their existing ISO 27001 framework and the privacy extension requirements of ISO 27701, especially in aligning Clause 6.15 'Legal basis for processing personal information' with Article 19 of Taiwan's PIPA regarding 'specific purposes of collection'; and third, the absence of a standardized process for DPIAs, often performing them as a one-time task rather than an ongoing mechanism. This paper's emphasis on continuous training and multidisciplinary involvement directly addresses these challenges.
- What are the core requirements of ISO 27701 certification, and how long does implementation typically take?
- The core requirements of ISO 27701 are built upon the ISO 27001 information security management system, adding privacy-specific controls. Key areas include establishing a lawful basis for collecting and processing personal information (corresponding to GDPR Article 6 and Taiwan PIPA Article 19), mechanisms for responding to data subject rights, implementing Privacy by Design principles, and a formal DPIA process. Regarding the timeline, companies already certified with ISO 27001 typically need 6 to 9 months to implement the ISO 27701 extension. For those without ISO 27001, a full implementation period of 10 to 14 months is recommended. The standard advisory period at Winners Consulting Services is 7 to 12 months, adjusted based on the company's size and maturity.
- What resources are needed to implement ISO 27701, and how can the expected benefits be quantified?
- Implementation costs vary by company size, but for a mid-sized enterprise (200-500 employees), the total cost—including external consultants, training, system adjustments, and certification fees—typically ranges from NT$1.5 million to NT$3.5 million. The expected benefits can be quantified in three ways: (1) Reduced legal risk: GDPR fines can reach €20 million or 4% of global annual turnover, and ISO 27701 certification serves as tangible proof of 'appropriate protective measures.' (2) Enhanced customer trust: For B2B businesses dealing with European or American clients, ISO 27701 is becoming a prerequisite in supplier vetting. (3) Improved internal efficiency: A systematic compliance framework reduces incident response costs, with some companies reporting a 25% increase in internal audit efficiency.
- Why choose Winners Consulting Services for assistance with Privacy Information Management System (PIMS) issues?
- Winners Consulting Services Co., Ltd. is a specialized consulting firm in Taiwan focusing on PIMS and ISO 27701 certification, offering several key advantages. First, we provide localized guidance that deeply integrates the frameworks of GDPR, Taiwan's PIPA, and ISO 27701, helping clients achieve multiple compliance goals under a single management system. Second, our team has a multidisciplinary background in law, information security, and organizational management, addressing the need for diverse expertise highlighted in this research. Third, our standard 7-to-12-month advisory service provides end-to-end support from gap analysis and system design to personnel training and certification audits. Fourth, we offer a free PIMS health check, allowing companies to assess their current status and prioritize improvements before committing resources.