Insight: Overview of Data Protection status in European Lotteries and Recommendations towards a Better Practice

About the Author and Research Background

Bjørn Inge Sletta is a Nordic information security and data protection researcher whose 2021 master's thesis, published on arXiv, presents one of the most comprehensive cross-organizational studies of GDPR implementation within a regulated industry. The European lottery sector was chosen deliberately: lottery operators handle large volumes of sensitive personal data including real-name member accounts, financial transaction records, and behavioral gambling data. This data profile closely mirrors the challenges faced by e-commerce platforms, fintech companies, and digital health services — making Sletta's findings broadly applicable beyond the gaming industry.

The research methodology combines three distinct data collection approaches: structured questionnaires sent to lottery operators and regulatory bodies across multiple European countries, automated website analysis to assess publicly observable privacy practices, and focus group interviews to capture organizational perspectives on compliance. This triangulated design allows Sletta to systematically compare what organizations claim about their compliance versus what can actually be verified through external observation — a gap that proves to be significant and consistent across the sample.

The theoretical framework of the thesis encompasses GDPR Articles 5, 13, 14, and 35; the ISO 27000 series of information security standards; lottery-specific security frameworks; and foundational privacy concepts including Privacy by Design (Article 25 GDPR) and data minimization principles.

Core Research Findings: Framework Existence Does Not Guarantee Practice Consistency

The central finding of Sletta's research is that significant variations exist in data protection practices among European lottery operators, despite all being subject to the same GDPR framework. This finding directly challenges the common assumption that regulatory harmonization produces compliance uniformity. The implications for organizations operating in any regulated data environment are substantial.

Finding 1: Transparency Is the Most Widespread and Persistent Compliance Gap

Through systematic website inspection and automated analysis, the research identifies transparency, the obligation to clearly inform data subjects about how their personal data is collected, used, and shared, as the most consistently deficient area across the sample. Privacy notices suffer from poor readability, incomplete content (missing elements required by GDPR Articles 13 and 14), and low accessibility for non-specialist users. A practical consequence for anyone auditing notices is that each one has to be checked element by element against Article 13(1)-(2) (or Article 14 where the data was not obtained from the data subject), not judged on overall impression: a notice that reads as thorough can still omit individual required items. The same gap is the target of the European Data Protection Board's (EDPB) 2026-2027 work programme, which designates transparency as a primary enforcement focus and includes standardized templates for privacy notices, legitimate interest assessments, and Data Protection Impact Assessments (DPIAs). Those templates are a systemic answer to the kind of deficiency Sletta documents; the thesis predates the work programme and is best read as independent confirmation of the problem rather than as its source.

Finding 2: ISO 27000 Series Provides an Insufficient Foundation for Privacy Compliance Without Extension to ISO 27701

Sletta's analysis of the ISO 27000 series in the context of GDPR compliance reveals a conceptual gap: information security management (ISO 27001) and personal data protection compliance (GDPR) address overlapping but distinct domains. ISO 27001 is concerned with the confidentiality, integrity, and availability of information assets. GDPR additionally requires management of data subject rights, the consent lifecycle, cross-border transfer assessment, and documentation of the lawful basis for each processing activity; none of these is a security property, so an ISO 27001 audit has no reason to test for them. Organizations holding ISO 27001 certification may therefore have systematic blind spots in precisely these GDPR-specific requirements. ISO/IEC 27701, the Privacy Information Management System (PIMS) extension to ISO 27001 and ISO 27002, was designed to close this gap: it adds PIMS-specific requirements to the management system clauses and privacy controls for PII controllers (Annex A) and PII processors (Annex B), with an informative mapping to GDPR articles in Annex D.

Finding 3: Cultural and Organizational Factors Produce Compliance Quality Differences Within Identical Regulatory Environments

The research identifies that compliance variations between lottery operators are partially attributable to differences in organizational culture, management prioritization of privacy, and staff training depth — not solely to differences in regulatory interpretation. This finding has direct implications for Taiwan enterprises: legal compliance documents and certification alone cannot substitute for genuine privacy culture. The depth of employee understanding, the visibility of senior management commitment to data protection, and the operational integration of privacy considerations into daily workflows collectively determine whether a GDPR compliance framework produces actual protective outcomes.

Implications for Taiwan Enterprises: Practical PIMS Applications

Sletta's research findings translate into three immediate action imperatives for Taiwan enterprises, particularly those with European market exposure or processing personal data of EU residents under GDPR jurisdiction.

First: Transparency Audit as an Immediate Priority
Taiwan's Personal Data Protection Act (個資法) Article 8 establishes notification obligations when collecting personal data. However, what a regulation requires and what a notice actually delivers are often misaligned. Taiwan enterprises should benchmark their privacy notices against a GDPR Articles 13 and 14 checklist, regardless of whether they are directly subject to GDPR: identity and contact details of the controller and, where one is appointed, the DPO; the purposes and lawful basis of each processing activity (and the legitimate interest relied on, where that is the basis); recipients or categories of recipients; any transfer outside the EU/EEA and the safeguard used; retention periods or the criteria used to set them; the data subject rights available, including withdrawal of consent and the right to lodge a complaint with a supervisory authority; and, where relevant, the existence of automated decision-making including profiling. Article 14 adds the source of the data where it was not obtained from the data subject. The EDPB's forthcoming standardized templates provide a practical reference standard accessible to any organization globally.
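The element-by-element check above lends itself to automation (the thesis itself used automated website analysis for its transparency findings, as described earlier). The script below is an added example written for this page, not code from Sletta's thesis or from Winners Consulting: it tests a notice for the presence of each mandatory Article 13 element using phrase patterns and scores readability with the Flesch reading ease formula. The regex patterns, the 50-point readability floor and the two sample notices (one legalese, one plain-language) are constructed assumptions for the demonstration, so treat a reported miss as a prompt to read the clause, not as a legal finding.

```python
"""Automated transparency check of a privacy notice against GDPR Art. 13.

Added example; not part of Sletta's thesis or any consulting toolkit.
Scores a notice on two dimensions the thesis flags as weak: completeness
(which Art. 13(1)-(2) elements are stated) and readability (Flesch reading
ease). The phrase patterns, the readability floor and the sample notices are
assumptions constructed for this example, not legal tests.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One regex per Art. 13 element every notice must state; matched on
# lower-cased text. Patterns are deliberately narrow: widen them for your
# own wording rather than trusting a miss or a hit blindly.
REQUIRED_ELEMENTS = {
    "controller_identity": r"\b(?:data controller|the controller)\b",                     # 13(1)(a)
    "dpo_contact": r"\b(?:data protection officer|dpo)\b",                                # 13(1)(b)
    "purposes": r"\bpurposes?\b",                                                          # 13(1)(c)
    "lawful_basis": r"\b(?:legal basis|lawful basis|legitimate interests?)\b",            # 13(1)(c)-(d)
    "recipients": r"\b(?:recipients?|third part(?:y|ies)|share (?:your|such|personal) data)\b",  # 13(1)(e)
    "international_transfers": r"\b(?:transfer|outside the (?:eu|eea)|third countr(?:y|ies))\b",  # 13(1)(f)
    "retention_period": r"\b(?:retain|retention|keep (?:your|account) data|kept for)\b",  # 13(2)(a)
    "data_subject_rights": r"\bright to (?:access|rectif|eras|restrict|object|port)",      # 13(2)(b)
    "withdraw_consent": r"\bwithdraw (?:your )?consent\b",                                 # 13(2)(c)
    "complaint_to_authority": r"\b(?:supervisory authority|lodge a complaint)\b",         # 13(2)(d)
}
# Art. 13(2)(f) (automated decisions/profiling) applies only where such
# processing exists, so it is reported separately instead of as a gap.
CONDITIONAL_ELEMENTS = {"automated_decisions": r"\b(?:automated decision|profiling)\b"}

MIN_READING_EASE = 50.0  # assumed floor: below 50 is "difficult" on the Flesch scale


def _syllables(word: str) -> int:
    """Heuristic syllable count: vowel groups, minus one for a trailing silent e."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def flesch_reading_ease(text: str) -> float:
    """206.835 - 1.015 * (words/sentences) - 84.6 * (syllables/words)."""
    sentences = [s for s in re.split(r"(?<=[.!?])\s+", text.strip()) if s]
    words = re.findall(r"[A-Za-z']+", text)
    if not sentences or not words:
        return 0.0
    syllables = sum(_syllables(w) for w in words)
    return 206.835 - 1.015 * (len(words) / len(sentences)) - 84.6 * (syllables / len(words))


@dataclass
class AuditResult:
    present: list[str]
    missing: list[str]
    conditional_present: list[str]
    reading_ease: float

    @property
    def readable(self) -> bool:
        return self.reading_ease >= MIN_READING_EASE

    @property
    def complete(self) -> bool:
        return not self.missing


def audit_notice(text: str) -> AuditResult:
    """Report which Art. 13 elements the notice states and how readable it is."""
    lowered = text.lower()
    present = [k for k, pat in REQUIRED_ELEMENTS.items() if re.search(pat, lowered)]
    missing = [k for k in REQUIRED_ELEMENTS if k not in present]
    conditional = [k for k, pat in CONDITIONAL_ELEMENTS.items() if re.search(pat, lowered)]
    return AuditResult(present, missing, conditional, round(flesch_reading_ease(text), 1))


# Constructed sample notices for the demonstration, not any real operator's text.
DENSE_NOTICE = (
    "Notwithstanding any other provision of these Terms, the Company, acting as the "
    "data controller, processes personal data furnished by the Member, including "
    "identification data, transactional data and behavioural data, for the purposes "
    "enumerated herein and on the legal basis of the performance of the contract and "
    "the legitimate interests of the Company, and may share such data with third "
    "parties as the Company in its sole discretion deems appropriate from time to time."
)
PLAIN_NOTICE = (
    "We are the data controller. Our data protection officer can be reached at "
    "dpo@example.com. We use your data for two purposes: to run your account and to "
    "pay out winnings. The legal basis is our contract with you. We share your data "
    "with our payment provider. We do not transfer your data outside the EEA. We keep "
    "account data for five years after your account closes. You have the right to "
    "access, rectify, or erase your data. You can withdraw your consent at any time. "
    "You may lodge a complaint with the supervisory authority."
)

if __name__ == "__main__":
    for name, notice in (("dense", DENSE_NOTICE), ("plain", PLAIN_NOTICE)):
        r = audit_notice(notice)
        print(f"{name}: reading ease {r.reading_ease} (readable={r.readable}), "
              f"complete={r.complete}, missing={r.missing}")
```

Run as a script it prints a gap report for both samples: the legalese notice fails on readability and omits six of the ten mandatory elements, the plain one passes both. In practice feed it the text of each notice fetched from the live site and have a person review every reported gap, because a phrase pattern can miss a clause worded differently and can accept a clause that merely mentions the topic (the plain sample's "we do not transfer your data" satisfies the transfer pattern, which is acceptable only because Article 13(1)(f) applies where transfers occur and stating that none do is itself the disclosure).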

Second: Establishing Systematic DPIA Processes
Sletta's research underscores that Data Protection Impact Assessments (DPIAs) should function as a standard pre-processing procedure for high-risk data activities, not as an exceptional measure triggered only by major system deployments. GDPR Article 35 mandates DPIAs for specific high-risk processing categories. While Taiwan's Personal Data Protection Act does not contain an equivalent explicit mandate, the risk management philosophy is substantively aligned. Building a normalized DPIA process — with clear triggers, standardized methodology, and documented outcomes — is the most effective single mechanism for converting privacy compliance from a reactive posture to proactive risk management.

Third: ISO 27701 as the Integration Framework for Security and Privacy Compliance
For the significant portion of Taiwan enterprises that hold ISO 27001 certification, ISO 27701 represents a structured and relatively cost-efficient pathway to privacy compliance. The marginal investment required to extend an existing ISO 27001 management system with ISO 27701 privacy controls is substantially lower than building a standalone privacy management system, and the resulting integrated framework produces documented evidence that is verifiable by external parties: customers, regulators, and business partners alike. One caveat: an ISO 27701 certificate attests to the existence and operation of a privacy information management system, not to GDPR compliance as such. ISO 27701 is not an approved certification mechanism under GDPR Article 42, and its mapping to GDPR (Annex D of ISO/IEC 27701:2019) is informative only, so the certificate should be presented as evidence supporting a compliance argument rather than as the argument itself.

How Winners Consulting Services Co. Ltd. Supports Taiwan Enterprises

積穗科研股份有限公司(Winners Consulting Services Co. Ltd.)assists Taiwan enterprises in implementing ISO 27701, establishing personal data protection mechanisms compliant with both GDPR and Taiwan's Personal Data Protection Act, and conducting systematic DPIA processes. Based directly on Sletta's research findings, we recommend the following phased action plan:

  1. Months 1–3: Transparency Audit and Privacy Notice Reconstruction
    Conduct a structured audit of all existing privacy notices, cookie policies, and data processing descriptions against the GDPR Articles 13 and 14 checklist and Taiwan Personal Data Protection Act Article 8 requirements. Identify gaps in readability, completeness, and accessibility. Redesign privacy communication materials incorporating Privacy UX/UI principles to ensure data subjects can genuinely understand and exercise their rights. Benchmark against EDPB standardized templates as they become available in 2026-2027.
  2. Months 4–8: ISO 27701 Gap Analysis and Management System Build
    For enterprises with existing ISO 27001 certification: execute a formal ISO 27701 gap analysis, identifying privacy extension control gaps. Build the required management artifacts: Record of Processing Activities (RoPA), legitimate interest assessment procedures, consent lifecycle management processes, and cross-border data transfer assessment protocols. Simultaneously establish a normalized DPIA process with documented triggers, methodology, and review cycles. Target internal audit readiness by month 8.
  3. Months 9–12: Certification Application and Continuous Improvement Mechanism
    Complete ISO 27701 certification documentation and management records. Schedule and complete third-party verification audit. Establish continuous monitoring mechanisms including annual minimum DPIA reviews, privacy notice update protocols, and regulatory change monitoring and response procedures. The goal is sustainable compliance that maintains certification status through ongoing organizational practice rather than periodic remediation.

Winners Consulting Services Co. Ltd. offers a complimentary PIMS Mechanism Diagnostic, helping Taiwan enterprises establish an ISO 27701-aligned privacy information management system within 7 to 12 months.


Frequently Asked Questions

What specific insights does European lottery GDPR research offer for Taiwan enterprises not in the gaming industry?
The most transferable insight from Sletta's (2021) research is that compliance variation within the same regulatory framework is the norm, not the exception. The European lottery industry's data profile (real-name member accounts, financial transaction records, behavioral data) closely mirrors e-commerce, fintech, and health information platforms. The three identified weakness areas (transparency, the gap between information security certification and GDPR-specific obligations, and organizational culture) are industry-agnostic. Taiwan enterprises can use this research as evidence-based justification for investing in systematic compliance improvement rather than treating current practices as adequate simply because no enforcement action has occurred.
How does ISO 27701 differ from ISO 27001, and why do Taiwan enterprises need both?
ISO 27001 addresses information security management — protecting the confidentiality, integrity, and availability of information assets. ISO 27701 extends this to privacy information management, adding specific controls for personal data processing transparency, data subject rights management, consent lifecycle, and cross-border transfer assessment. Sletta's research demonstrates that information security certification alone leaves systematic gaps in GDPR-specific requirements. For Taiwan enterprises with European customers or processing EU residents' data under GDPR jurisdiction, ISO 27701 provides the structured extension that converts ISO 27001 security foundations into a comprehensive privacy compliance framework aligned with both GDPR and Taiwan's Personal Data Protection Act.
What is a realistic timeline and resource requirement for ISO 27701 certification in Taiwan?
For enterprises with existing ISO 27001 certification, the realistic ISO 27701 implementation timeline is 7 to 10 months: months 1-2 for current state assessment and gap analysis; months 3-5 for management system build (RoPA, DPIA process, consent management, data subject request procedures); months 6-7 for internal audit and management review; months 8-10 for third-party verification audit and certification. Resource requirements for a mid-sized enterprise (200-500 employees) typically include external consulting support plus 20-30% of a designated privacy officer's working time throughout the implementation period. For enterprises without ISO 27001, add 3-6 months for the foundational information security management system build.
How should Taiwan enterprises prioritize DPIA implementation given limited internal resources?
The most resource-efficient approach is to establish a DPIA trigger framework before attempting to assess every existing processing activity. Define the criteria that require a DPIA, starting from the GDPR Article 35(3) categories: (a) systematic and extensive evaluation of personal aspects based on automated processing, including profiling, on which decisions with legal or similarly significant effects are based; (b) large-scale processing of special categories of data or of criminal conviction and offence data; (c) large-scale systematic monitoring of a publicly accessible area. Add any processing types on the list your supervisory authority publishes under Article 35(4), and apply the triggers prospectively to new processing activities. For existing activities, prioritize DPIAs for the 5-10 highest-risk processing operations in year one. A normalized DPIA template that brings completion time down to 8-16 hours per assessment makes the process sustainable at scale. The EDPB's forthcoming DPIA template will provide a practical reference document for Taiwan enterprises implementing this framework.
Why should Taiwan enterprises choose Winners Consulting Services Co. Ltd. for PIMS and ISO 27701 implementation?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides end-to-end Privacy Information Management System support — from diagnostic assessment through certification — with demonstrated expertise spanning GDPR compliance frameworks, ISO 27701 implementation, and Taiwan's Personal Data Protection Act requirements simultaneously. Our distinctive competency is integrating these three regulatory dimensions into a single coherent management system, avoiding the common failure mode of building separate compliance silos that create administrative burden without proportionate compliance value. For Taiwan enterprises with European market exposure, we design GDPR and Taiwan Personal Data Protection Act dual-compliance frameworks that maximize the return on each compliance investment by meeting multiple regulatory requirements through a unified management architecture.
---

Learning from GDPR research on the European lottery industry: an implementation guide to ISO 27701 and Privacy Information Management Systems (PIMS) for Taiwan enterprises

積穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) has drawn lessons for Taiwan enterprises from a comprehensive study, published in 2021, of GDPR compliance in the European lottery industry. The study, by Bjørn Inge Sletta, demonstrates that marked differences in the quality of data protection practice exist between organizations even under the same regulatory framework. This finding is evidence that ISO 27001 certification alone does not fully cover personal data protection compliance, and it strongly suggests that adopting ISO 27701 and systematizing DPIAs is essential for Taiwan enterprises.

Source paper: Overview of Data Protection status in European Lotteries and Recommendations towards a Better Practice (Bjørn Inge Sletta, arXiv, 2021)
Original link: https://core.ac.uk/download/646192327.pdf

