Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in Privacy Information Management System (PIMS), presents a landmark 2022 research finding that every Taiwanese enterprise executive should know: by implementing the TIKD (Trusted Integrated Knowledge Dataspace) architecture, a real-world healthcare data collaboration platform achieved ISO 27001 compliance growth from 50% to 85% and ISO 27701 privacy compliance growth from 64% to 90%—delivering quantifiable, auditable proof that systematic PIMS implementation works. For organizations evaluating ISO 27701 certification, GDPR compliance, or preparing for DPIA (Data Protection Impact Assessment), this research offers a replicable compliance architecture grounded in actual deployment evidence.
Paper Citation: TIKD: A Trusted Integrated Knowledge Dataspace for Sensitive Data Sharing and Collaboration (Julio Hernández, Lucy McKenna, Rob Brennan, OpenAlex — Privacy Information Management, 2022)
Original Paper: https://doi.org/10.1007/978-3-030-98636-0_13
About the Authors and This Research
This paper was co-authored by three researchers with backgrounds spanning knowledge graph engineering, semantic web technologies, and privacy governance. Lead author Julio C. Hernández-Hernández carries an h-index of 2 with 16 cumulative citations, focusing on the intersection of Linked Data technologies and regulatory compliance architecture. Co-author Rob Brennan is a recognized figure in European open data governance and semantic interoperability, with sustained engagement from the GDPR practitioner community. Lucy McKenna brings expertise in knowledge representation and data interlinking, contributing to the technical precision of the TIKD framework design.
Published in 2022 as part of an edited volume on Privacy Information Management, this paper has since received 5 citations, including 1 high-impact citation—a meaningful signal for a domain-specific technical study. What distinguishes this research from purely theoretical work is its grounding in the ARK-Virus Project, a live socio-technical risk governance system deployed across multiple collaborating healthcare institutions to manage personal protective equipment (PPE) risk. The evaluation was conducted using real system data, with before-and-after measurements using both the ISO 27001 Gap Analysis Tool (GAT) and the ISO 27701 standard—making its compliance improvement figures directly actionable for enterprise planners.
The Core Insight: Why Existing Dataspaces Fail on Privacy—and How TIKD Fixes It
The fundamental research problem this paper addresses is one that resonates acutely with Taiwanese enterprise IT and compliance teams: most existing shared dataspace architectures define how to access data, but systematically ignore how sensitive personal data and privacy-aware audit logs should be integrated into the security infrastructure. This gap between data access architecture and privacy compliance architecture is precisely where GDPR violations—and Taiwan Personal Information Protection Act (PIPA) exposures—typically originate.
TIKD was designed to bridge this gap by complementing existing dataspace security approaches with four specific privacy-enabling capabilities: personal data handling governance, data privilege management, pseudonymization of user activity logging, and privacy-aware data interlinking services. These four pillars map directly onto GDPR Article 25 (Data Protection by Design and by Default), GDPR Article 30 (Records of Processing Activities), and the technical safeguard requirements of ISO 27701.
Core Finding 1: Dual-Standard Compliance Improvement at Scale
The most immediately actionable finding for Taiwanese enterprise executives is the measured compliance improvement achieved by implementing TIKD on the ARK Platform. Using the ISO 27001 Gap Analysis Tool (GAT) and ISO 27701 standard evaluations conducted both before and after TIKD deployment, the research team documented ISO 27001 information security compliance rising from 50% to 85%—a 35 percentage point increase—and ISO 27701 privacy information management compliance rising from 64% to 90%—a 26 percentage point increase. These figures are not simulated projections; they are audit-grade measurements from a production deployment. For Taiwanese enterprises currently sitting at low ISO 27701 compliance baselines, this research provides evidence-based confidence that systematic PIMS implementation can close compliance gaps within a defined project timeframe.
Core Finding 2: Pseudonymization and Privacy-Aware Logging as Compliance Multipliers
Beyond the headline compliance figures, the research reveals a technically important insight: pseudonymization of user activity logging and privacy-aware data interlinking services function as compliance multipliers—they simultaneously address multiple regulatory requirements across both ISO 27001 and ISO 27701. Pseudonymization satisfies GDPR Article 4(5) definitional requirements, reduces the personal data breach notification scope under GDPR Article 33, and directly supports the data minimization principle under GDPR Article 5(1)(c). For organizations conducting DPIA assessments, these technical measures are among the most effective risk reduction controls that can be documented. Taiwan's PIPA similarly recognizes the use of technical de-identification and access control measures as evidence of fulfilling data security maintenance obligations under Article 27.
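The paper's description of pseudonymized user activity logging can be made concrete with a small illustration. The following Python is an added example written for this article, not code from the TIKD paper or the ARK Platform: it replaces the user identifier in each activity-log record with a keyed HMAC pseudonym, drops fields the audit trail does not need, and shows that re-identification requires the separately held key (the "additional information" that GDPR Article 4(5) requires to be kept apart). The log entries, field names and keys are constructed sample values, not real data.

```python
import hashlib
import hmac
import json

# Constructed sample activity-log entries (hypothetical; not from the paper or the ARK Platform).
SAMPLE_ENTRIES = [
    {"ts": "2022-03-01T09:15:00Z", "user": "alice@example.org", "action": "read",
     "resource": "ppe-risk-report/42", "ip": "10.0.0.5"},
    {"ts": "2022-03-01T09:16:30Z", "user": "alice@example.org", "action": "write",
     "resource": "ppe-risk-report/42", "ip": "10.0.0.5"},
    {"ts": "2022-03-01T09:20:12Z", "user": "bob@example.org", "action": "read",
     "resource": "ppe-risk-report/7", "ip": "10.0.0.9"},
]

# Fields an auditor needs to reconstruct "who did what, when"; everything else
# (here the client IP) is dropped, which is the data-minimisation step.
KEPT_FIELDS = ("ts", "action", "resource")


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic pseudonym: the same identifier under the same key
    always yields the same token, so activity can still be correlated per
    subject, but without the key the token cannot be linked back to a person."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize_entry(entry: dict, key: bytes) -> dict:
    """Return a copy of one log record with the user replaced by a pseudonym
    and non-essential fields removed."""
    out = {k: entry[k] for k in KEPT_FIELDS if k in entry}
    out["subject"] = pseudonym(entry["user"], key)
    return out


def pseudonymize_log(entries: list, key: bytes) -> list:
    return [pseudonymize_entry(e, key) for e in entries]


def contains_raw_identifier(entries: list, identifier: str) -> bool:
    """Check used before shipping the log to a shared store: the raw
    identifier must not appear anywhere in the serialised records."""
    return any(identifier in json.dumps(e) for e in entries)


def distinct_subjects(entries: list) -> int:
    """How many distinct (pseudonymous) actors appear in the log."""
    return len({e["subject"] for e in entries})


def resolve(token: str, known_identifiers: list, key: bytes):
    """Controlled re-identification by the key holder only (for example to
    answer a data-subject access request): recompute pseudonyms for the
    identifiers on record and return the matching one, or None."""
    for ident in known_identifiers:
        if hmac.compare_digest(pseudonym(ident, key), token):
            return ident
    return None


if __name__ == "__main__":
    key = b"constructed-logging-key-v1"  # in practice: from a KMS, held by a separate role
    log = pseudonymize_log(SAMPLE_ENTRIES, key)
    for rec in log:
        print(json.dumps(rec))
    print("raw identifier leaked:", contains_raw_identifier(log, "alice@example.org"))
    print("distinct subjects:", distinct_subjects(log))
```

Rotating the key gives a fresh set of pseudonyms, which bounds how long activity can be correlated across log periods; the trade-off is that cross-period correlation then requires the key holder, which is usually the desired property for a shared audit log.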
Implications for Taiwan Enterprise PIMS Practice: What This Research Means Right Now
Taiwan enterprises operating in sectors that handle sensitive personal data—healthcare, financial services, e-commerce, HR technology, and cross-border business services—face a convergent compliance pressure from three directions: Taiwan's Personal Information Protection Act (PIPA), GDPR obligations arising from handling EU residents' data, and the increasingly mandatory ISO 27701 certification requirements embedded in enterprise procurement and partnership agreements. The TIKD research provides a practical architecture reference for navigating all three simultaneously.
The first implication is structural: compliance cannot be achieved by documentation alone. The ARK Platform's pre-TIKD state—50% ISO 27001 compliance and 64% ISO 27701 compliance despite having existing security infrastructure—demonstrates that without purpose-built privacy technical controls, even organizations with security awareness will accumulate compliance deficits. Taiwanese enterprises that rely solely on policy documents and periodic training to meet PIPA and GDPR requirements are likely operating with similar hidden compliance gaps.
The second implication concerns the sequence of PIMS implementation. The research validates a gap analysis-first approach: measure current compliance against ISO 27701, identify specific control deficiencies, design targeted technical and organizational measures, implement, and re-evaluate. This PDCA-grounded sequence is precisely what ISO 27701 mandates—and what Taiwanese enterprises should adopt as their PIMS roadmap.
The third implication is sector-specific. For Taiwanese healthcare providers, biotech firms, and health data processors engaging in cross-institutional data collaboration, the TIKD architecture's demonstration in a multi-institution healthcare environment is directly applicable. Taiwan's Health and Welfare Data Protection Regulations and PIPA both impose heightened obligations on sensitive medical data processing—obligations that align closely with the privacy-aware data sharing controls TIKD implements.
Finally, for enterprises preparing for ISO 27701 certification audits, the use of the ISO 27001 GAT as a baseline measurement tool—combined with ISO 27701 gap analysis—is a best practice this research empirically validates. Starting the certification journey with structured gap analysis, rather than attempting to build documentation from scratch, consistently produces more efficient and audit-ready outcomes.
The Winners Consulting Perspective: Translating TIKD Insights into Taiwan Enterprise Action
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwanese enterprises in implementing ISO 27701 standards, building personal data protection mechanisms compliant with GDPR and Taiwan's PIPA, and conducting DPIA assessments. Our consulting approach does not deliver generic document templates—it delivers context-specific, operationally deployable privacy information management mechanisms calibrated to each enterprise's business processes, data flows, and risk profile.
- Conduct an ISO 27701 Gap Analysis Before Any Other Action: Mirroring the methodology validated in the TIKD research, Winners Consulting begins every PIMS engagement with a structured gap analysis using ISO 27701 as the primary benchmark. This produces a quantified compliance baseline—the equivalent of the ARK Platform's pre-TIKD measurement—that serves as both a prioritization tool and an objective record for subsequent audit evidence. Enterprises cannot improve what they have not measured.
- Design and Implement Pseudonymization and Access Privilege Architecture: Drawing directly from the TIKD framework's validated technical pillars, Winners Consulting designs pseudonymization protocols for user activity logging and multi-tier data privilege management structures tailored to each enterprise's data processing landscape. These controls simultaneously address GDPR Article 25 Data Protection by Design requirements, ISO 27701 technical safeguard clauses, and Taiwan PIPA Article 27 security maintenance obligations—delivering maximum regulatory coverage per implementation effort.
- Integrate DPIA into a Living ISO 27701 PIMS Cycle: A DPIA assessment is not a one-time document—it is a recurring risk governance activity that must be embedded into the ISO 27701 PDCA improvement cycle. Winners Consulting structures DPIA programs so that assessment triggers, methodology, documentation, and review schedules are operationalized within the enterprise's existing management systems, ensuring that new products, vendors, or data processing activities automatically invoke the appropriate privacy risk review before deployment.
Winners Consulting Services Co. Ltd. offers a complimentary PIMS Mechanism Diagnostic to help Taiwanese enterprises establish an ISO 27701-compliant management system within 90 days.
Frequently Asked Questions
- Our organization already has ISO 27001 certification. Is ISO 27701 still necessary?
- Yes—the two standards address fundamentally different compliance dimensions, and the TIKD research makes this unmistakably clear. The ARK Platform entered the study with existing security infrastructure yet achieved only 50% ISO 27001 compliance and 64% ISO 27701 compliance before TIKD implementation. ISO 27001 governs information security management broadly (confidentiality, integrity, availability), while ISO 27701 specifically governs privacy information management for personal data processing. For any Taiwanese enterprise processing EU residents' data under GDPR, or managing sensitive personal data under Taiwan's PIPA, ISO 27701 fills the regulatory gap that ISO 27001 cannot. Winners Consulting offers an incremental ISO 27701 extension pathway for ISO 27001-certified organizations that minimizes duplicate effort while maximizing compliance uplift.
- What are the most commonly overlooked GDPR compliance requirements for Taiwanese enterprises?
- Based on our consulting experience, three requirements are most frequently underimplemented. First, GDPR Article 25 (Data Protection by Design and by Default) is often satisfied by policy declaration rather than technical implementation—enterprises have privacy notices but not privacy-engineered systems. Second, Records of Processing Activities under GDPR Article 30, particularly for cross-border transfers to non-EU entities and third-party processor relationships, are routinely incomplete. Third, DPIA trigger criteria under GDPR Article 35 are poorly understood, resulting in high-risk processing activities launching without mandatory assessment. The TIKD research directly addresses the first gap through its pseudonymization and privacy-aware logging architecture. Winners Consulting's diagnostic service systematically audits all three dimensions.
- What is the business value of ISO 27701 certification for Taiwanese enterprises beyond regulatory compliance?
- ISO 27701 certification delivers tangible commercial advantages across three dimensions. First, it functions as a recognized GDPR compliance signal for European clients, partners, and regulators—reducing legal friction in cross-border transactions and procurement evaluations. Second, it establishes documented evidence of security maintenance obligations under Taiwan's PIPA, which can reduce liability exposure in the event of a personal data incident (maximum administrative fines under Taiwan PIPA can reach NTD 15 million). Third, ISO 27701 certification—particularly when combined with ISO 27001—is increasingly listed as a vendor qualification requirement in enterprise procurement specifications in healthcare, financial services, and technology sectors. The compliance improvement from 64% to 90% demonstrated in the TIKD research represents the kind of auditable, evidence-based improvement that satisfies both internal governance boards and external certification auditors.
- How long