Privacy gap assessment
We analyse your organisation's personal data processing inventory, identify gaps against ISO 27701:2025 requirements and applicable data protection law, and prioritise the actions with the highest GDPR impact.
ISO 27701:2025 turns your GDPR compliance into an auditable, certifiable system. If your organisation processes personal data from customers, employees or suppliers, this standard demonstrates to third parties that you manage it with rigour.
The 2025 edition of ISO 27701 represents a fundamental shift: the standard is no longer an extension of ISO 27001 but an independent standard with its own management clauses and 78 controls focused exclusively on privacy. This means your organisation can certify a Privacy Information Management System (PIMS) without first holding ISO 27001 certification, although both standards remain fully compatible and complementary. Organisations already certified under the 2019 edition have until October 2028 to complete the transition.
In practice, ISO 27701 systematises everything that the GDPR demands but does not detail how to achieve: documented legal bases, records of processing activities, Data Protection Impact Assessments (DPIAs), data breach management, data processor agreements and data subject rights procedures. Annex D of the standard maps each control to the corresponding GDPR article, meaning that passing a third-party audit under ISO 27701 is equivalent to demonstrating a high level of maturity against any inspection by a data protection authority.
Summum Calidad guides your organisation from the initial gap assessment through to the certification audit. We do not issue the certificate ourselves: certification is granted by an ENAC-accredited body (AENOR, Bureau Veritas, SGS or others). Our role is to ensure you reach that audit with a fully implemented, documented and tested system. With more than 200 ISO certifications supported since 2007 across Castilla y León and the Canary Islands, we know what auditors look for and how to prevent last-minute gaps from delaying your certificate.
We analyse your organisation's personal data processing inventory, identify gaps against ISO 27701:2025 requirements and applicable data protection law, and prioritise the actions with the highest GDPR impact.
We draft and tailor your corporate privacy policy, records of processing activities, data subject rights procedures and breach response protocol. We design all 78 standard controls adapted to your operational reality.
We train internal privacy owners and the DPO (in-house or external) on using the system. We conduct a full internal audit that simulates the certification audit and close all non-conformities before the accredited body visits.
We coordinate the audit with your chosen certification body and act as technical support throughout the audit days. Once the certificate is issued, we support you through annual surveillance audits and the three-year renewal cycle.
The operational detail: what we deliver as part of the work and what we keep alive afterwards.
ISO 27701:2025 gap assessment
Initial status report with quantified gaps against the standard's requirements and GDPR, including a prioritised roadmap.
Records of processing activities
Creation or review of the full RPA (controller and processor) covering legal basis, retention periods and international transfers.
Privacy policy and controls
Corporate privacy policy, data subject rights procedures, privacy notices and data processing agreements.
Data Protection Impact Assessment (DPIA)
Methodology and execution of DPIAs for high-risk processing: video surveillance, profiling, sensitive data or large-scale processing.
Breach management and incident response
Detection protocol, notification to the supervisory authority within 72 hours and communication to data subjects, aligned with GDPR Articles 33 and 34.
Internal audit and pre-certification review
Documented internal audit with a non-conformity report and a certification audit simulation before the accredited body's visit.
Privacy does not live in isolation: it connects with information security management (ISO 27001 from Summum Calidad), with the external DPO role and data governance (Summum Consultoría), and with the technical implementation of controls across infrastructure and systems (Summum Sistemas).
ISO 27001 is the information security foundation on which ISO 27701 can be built; both standards share structure and controls, and integrating them reduces audit cost and effort.
View service → consultoríaIf your organisation needs a Data Protection Officer but lacks internal resources, Summum Consultoría's external DPO service covers that mandatory role while the PIMS is being implemented.
View service → consultoríaData governance establishes quality, lifecycle and ownership policies for information; a mature governance programme directly strengthens the privacy controls within the PIMS.
View service →No. The 2025 edition makes ISO 27701 a standalone standard: you can certify the PIMS without holding ISO 27001. If you already have ISO 27001, integrating both standards is straightforward and reduces the audit burden, but it is no longer a mandatory prerequisite.
ISO 27701 is not a GDPR certification mechanism in the sense of Article 42 of that regulation, but it demonstrates a very high level of maturity in privacy management. Annex D of the standard explicitly maps each control to the corresponding GDPR article, which makes it much easier to demonstrate to a supervisory authority that processing activities are carried out in accordance with the law.
For an SME or mid-market organisation starting from scratch, the full process — gap assessment, PIMS implementation, internal audit and certification audit — typically takes between 5 and 8 months. If the organisation already holds ISO 27001 or has a structured privacy programme in place, the timeline may be shorter.
The official transition deadline is October 2028. However, we recommend planning the migration well in advance to avoid pressure at renewal audits. The new version strengthens controls around AI and digital ecosystems, areas of growing relevance for any organisation.
ISO 27701 does not formally require a DPO, but the privacy management system it defines needs a privacy function with clearly assigned responsibilities. If your company is required by the GDPR to appoint a DPO, that role fits directly into the PIMS structure. Our team can advise you on whether a DPO is mandatory in your specific case.