Treating data protection as an isolated legal file — clauses drafted once, a record of processing activities nobody updates, a privacy notice copied from another website — is the most common way of breaching the GDPR without realising it. Article 24 of Regulation (EU) 2016/679 sets out the principle of proactive accountability: it is not enough to comply, you must be able to demonstrate that you comply, at any moment and before any request from the Spanish Data Protection Agency (AEPD). That demonstration requires exactly what a management system provides and a filing cabinet does not: live procedures, up-to-date records, defined roles, periodic audit and evidence of continuous improvement. The penalties make this clear: Article 83(5) GDPR sets fines of up to €20,000,000 or 4% of global annual turnover — whichever is higher — for the most serious infringements, such as breaches of the principles of processing or of data subjects' rights; Article 83(4) sets up to €10,000,000 or 2% for the remaining obligations, including the security measures of Article 32.
Summum Calidad implements data protection with the same discipline it applies to any ISO management system: through ISO/IEC 27701:2025, the extension of the Information Security Management System (ISMS) of ISO 27001 specifically aimed at managing personal information, known as a PIMS (Privacy Information Management System). ISO 27701 adds distinct controls for controllers and for processors, turns privacy by design and by default under Article 25 GDPR into auditable, verifiable controls, and allows you to demonstrate to clients, business partners and the AEPD itself that your organisation manages privacy through a documented system, not through good intentions. When a company already holds ISO 27001 certification, the project builds directly on the existing risk analysis, Statement of Applicability and audit structure: nothing starts from zero — what already works gets extended.
The integration does not stop at information security. If your company already holds ISO 9001 certification, data protection is incorporated as one more process within the existing quality management system: it shares document control, nonconformity management, internal audit and management review that are already running, instead of living apart in a legal filing cabinet that nobody reviews until there is a problem. And if your company supplies services to public administrations, coordination with the Esquema Nacional de Seguridad (Spain's National Security Framework) is direct: the ENS and the GDPR share a large part of their security measures — access management, encryption, backups, incident management — so addressing them together avoids duplicating documentary work.
The system is only real if it stays alive, and that requires two elements many data-protection projects overlook: internal audit and training. Our internal audit programme periodically verifies that the record of processing activities remains up to date, that privacy notices are correct, that the security-breach management procedure has been rehearsed — not just written — and that ARSULIPO rights requests (access, rectification, erasure, restriction, portability and objection) are resolved within the legal deadline. Periodic staff training, for its part, is one of the controls required by Annex A of ISO 27701 itself, and it reduces the most common cause of security breaches: human error, not sophisticated external attack.
The purely legal layer of compliance — drafting clauses and contracts, legal risk analysis, responding to an AEPD complaint or inspection, or appointing a Data Protection Officer — is provided by our sister division, Summum Consultoría, through its data protection (GDPR) and outsourced DPO services. If what you need is precisely that pure outsourced-DPO service, without the management-system layer, that is the more direct starting point. Summum Calidad comes in when you want data protection to stop living in a drawer and become integrated, with evidence and audit, into your company's management system.