The RSI Security site breaks down the measures in a few detail, but the procedure in essence goes similar to this: This allows all organizations—from significant providers to startups and smaller and medium enterprises, which may not have the requisite security infrastructure and employees—to remain guarded and PCI DSS compliant. https://www.nathanlabsadvisory.com/iso-27701-privacy-information-management-system-pims.html