# Startup Meets ISO 27701: Behind the Scenes

*Dastra blog (Inside Dastra, Expertise), by Leïla Sayssa. Published 2025-03-31.*

![](https://static.dastra.eu/content/a545936e-9a62-444e-a94f-f60d04697caa/visuel-article-14-original.png)

We broke the rule: at Dastra, even the shoemakers have the best shoes.

Data privacy and security have always been at the core of our mission. We are proud to announce that Dastra is now certified ISO 27701, an international standard that attests to our compliance with best practices in data protection management.

As a platform specialized in GDPR compliance management, we found ourselves being clients of our own tool. Discover how we walk the talk!

## 🔒 What is ISO 27701?

The standard was developed with input from global authorities, including CNIL (France’s data protection authority), AFNOR, and the European Data Protection Board. Its goal: to align data privacy requirements across multiple regulatory frameworks — not only the EU’s GDPR but also the California Consumer Privacy Act (CCPA) and Canadian privacy laws.

As a globally relevant standard, **ISO 27701 represents the state of the art in privacy management**. For more, see CNIL's explanation [here](https://www.cnil.fr/fr/liso-27701-une-norme-internationale-pour-la-protection-des-donnees-personnelles).

Achieving ISO 27701 certification means that Dastra has put in place:

- A **Privacy Information Management System (PIMS)** that meets strict standards for data governance and confidentiality.
- **Controls tailored to the processing of personal data**, adapted to our role — most often as a data processor.

## 📍 Why pursue ISO 27701 certification?

Although Dastra already offers a solid GDPR compliance platform, our team chose to go further.

This certification was a **voluntary, proactive step**, demonstrating our alignment with the most demanding international standards in privacy protection — a true marker of organizational maturity and operational rigor.

In practice, certification brings:

- Stronger data security and transparency
- Reinforced compliance with GDPR and other global regulations
- Clear governance and robust internal controls
- A culture of continuous improvement in privacy and security processes

This means our clients can rely on a certified partner to help manage and protect their own data.

## 🧭 Assistance: Should you seek help?

The answer depends on your organization’s size, maturity, and internal knowledge of ISO requirements — particularly in audit management.

| **Criteria** | **Service**<br>**(Human Expert)** | **SaaS**<br>**(Software)** | **Hybrid**<br>**(SaaS + Service)** |
| --- | --- | --- | --- |
| **Strategy Transparency** | Average to good, depending on the provider | Low: "black box" logic of the software | Total: clear, explained, personalized approach |
| **Evidence Management** | Average, depending on the provider | Limited: depends on the software's rules | Strong: manual, contextualized selection |
| **Time Saving** | Significant for audits, less for data collection | Very strong for data collection | Balanced: quick but supervised |
| **Certification Quality** | High | Varies: depends on user setup | High (human oversight with audit alignment) |
| **Cost** | Higher | Affordable | Intermediate |
| **Level of required autonomy** | Low: everything is guided | High: depends on the user | Moderate: assistance available |
| **Suitable for SMEs without dedicated resources?** | Yes | Risky if the team is not trained | Yes, with support |

We chose the **hybrid approach**, in collaboration with [our partner Bastion](https://www.bastion.tech), which greatly simplified the process.

This type of assistance, while not mandatory, proves to be particularly strategic — especially in the absence of internal ISO expertise — for several key reasons, summarized in the image below:

![](https://static.dastra.eu/richtext/a76cfa07-a3a6-470d-898f-3ca02a3248cb/anglais-original.jpg)

## Key steps in our certification journey

![](https://static.dastra.eu/richtext/4f1a1b42-38a3-4f07-bb99-f0b525f3f6e3/anglais-1-original.jpg)

### 🧩 Step 1: Preparation & Governance

The project began two years ago, aiming for **both ISO 27001 and ISO 27701 certifications**. From the start, we set up a steering committee and appointed a lead person responsible for gathering and validating evidence.

A key success factor: cross-functional governance. Regular meetings brought together leadership, our DPO, and strategic teams — making compliance a company-wide commitment, not just a legal or tech issue.

We then assessed our existing systems and identified what was already in place (thanks to Dastra’s own tools: registers, data maps, policies) and what was missing — especially a centralized, audit-ready evidence system.

This meant:

- Identifying what already existed and defining the scope
- Filling the gaps and analyzing discrepancies
- Structuring everything into an audit-proof system

### 🧩 Step 2: Building the PIMS (Privacy Information Management System)

![](https://static.dastra.eu/richtext/987a1067-3d01-4725-b532-3a2d8d9290da/preparation-en-amont-10-original.jpg)

To meet ISO 27701’s requirements, we strengthened our policies and procedures related to personal data, including:

- Mapping all personal data processing activities
- Structuring privacy and data subject rights policies
- Implementing appropriate technical and organizational measures to ensure confidentiality

💡 A key principle of ISO audits: **what’s not documented doesn’t exist.** It’s not enough to implement good practices — you must prove them clearly and consistently.

**Examples:**

- *A security scan isn’t enough on its own. You must show the resulting action (e.g., patch applied, validated, deployed), with screenshots or audit logs.*
- *At Dastra, automatic data deletion was technically in place — but the absence of a formally documented policy was noted as an area for improvement.*

![](https://static.dastra.eu/richtext/a2200b37-daeb-4eaf-b9a4-85cc2c7cd3b3/anglais-2-original.jpg)

**Policies essential to the PIMS:**

- **Privacy Policy**: Defines how personal data is collected, used, stored, and protected.
- **Data Retention Policy**: Specifies the duration of data retention based on its type and purpose.
- **Data Deletion Policy**: Describes secure methods for data and document deletion or destruction.
- **Data Classification Policy**: Categorizes data based on sensitivity to adapt protection levels.
- **Encryption Policy**: Defines rules for data encryption in storage and transmission.
- **Communication Plan in case of subcontractor changes**: Frames the notification of clients and partners in case of subcontractor changes.
- **Terms of Service and Sales**: Establishes contractual conditions between the company and its users or clients.
- **Up-to-date Information Security Management System (ISMS)**: Ensures that all policies are formalized, implemented, updated, and regularly audited.

### 🧩 Step 3: Internal Audit, pre-validation stage

Before the official audit, Dastra conducted an internal audit with our partner Bastion. This allowed us to:

- Verify that all ISO 27001 + 27701 requirements were effectively covered.
- Identify any non-conformities or missing proof.
- Quickly address outstanding issues.

This dry run was critical — it gave us a chance to correct weak points **without pressure**.

### 🧩 Step 4: Management Review

The process concluded with a management review involving all stakeholders — management, compliance manager, technical and product teams. This final meeting allowed us to:

- Validate all remaining proof collectively.
- Officially confirm compliance objectives had been met.
- Demonstrate strong, informed governance to the auditor.

### 🧩 Step 5: Certification Audit by an Accredited Body

An independent auditor then assessed our systems and confirmed our compliance with ISO 27701. Thanks to our team's efforts and ongoing commitment to data security, **Dastra successfully earned the certification**.

Our team acknowledges: the journey was long but transformative. Even for a company specialized in compliance, we had to **structure, prove, and formalize** our practices. Technology alone is not enough to earn a certification — it’s the alignment between tools, practices, and governance that does.

## 🗃️ How Dastra helped simplify proof management

As you may have guessed, our own platform played a key role throughout the certification process.

Dastra did half the work by centralizing a significant portion of the required information: **registers, data maps, policies, and documentation exports** — all in one place.

We essentially became our own client — and the tool became essential to meet the complex ISO requirements.

**Step 1: Maintain an up-to-date Data Mapping**

- List personal data used across the company
- Map systems and assets that process that data
- Link each asset to its respective sub-processors
- Document the location of those sub-processors
- Collect their security docs, SLAs, and privacy policies via the Contracts module

**Step 2: Keep an up-to-date Record of processing activities**

- Document the company's data processing activities
- [Automatically conduct a DPIA (Data Protection Impact Assessment)](https://www.dastra.eu/en/guide/data-protection-impact-assessment-pia-or-dpia/56295) for your high-risk processing activities from the Questionnaire module (PIA template)
- Automatically generate your DPAs (Data Processing Agreements)

**Step 3: Export a Customized Report**

- Export the "Providers and datasets" report: it lists your subcontractors, their locations, and the datasets they have access to

**Step 4: Collect Cookie Consents**

- Create and publish your cookie policy
- Deploy a consent widget on your website

**Step 5: Manage Data Subject Rights Requests**

- Set up your [Dastra Privacy Hub](https://doc.dastra.eu/features/privacy-hubs)!

### ✅ What we learned from this journey

- Certification reinforces a **culture of evidence**, even for compliance experts.
- It forces you to **formalize what’s often implicit**, especially in security and privacy policies.
- It unites teams around a common goal, with **clear ownership and accountability.**
- It reflects a **real, measurable commitment** to privacy and data protection.

🎯 **In summary**: **ISO 27701 is more than a label.** It’s a strategic commitment that has pushed us — as a compliance platform provider — to hold ourselves to the highest standards of security and privacy.

And our clients can now count on a **certified, proven partner** to help them manage and secure their own data with confidence.

**Would you like assistance with your ISO 27701 process?**

Dastra offers a platform to help centralize your evidence, structure your policies, and document your practices — **built by a team who’s been through it all.**