Privacy and security

Data protection from your management system

GDPR is not a folder of templates signed once and forgotten: it is a live obligation that demands evidence, review and continuous improvement. Summum Calidad approaches data protection as a natural extension of your information security management system: we implement ISO/IEC 27701:2025 on top of your ISO 27001, integrate it with your ISO 9001 if you already hold that certification, and sustain compliance with periodic internal audit and ongoing staff training — the same rigour with which we support quality certification, applied to the personal data you process.

RegulationGDPR (EU) 2016/679 · Spanish LOPDGDD (Organic Law 3/2018)
ApproachISO/IEC 27701:2025 on top of your ISMS (ISO 27001), integrable with ISO 9001
ModeManagement system with ongoing internal audit and training

Treating data protection as an isolated legal file — clauses drafted once, a record of processing activities nobody updates, a privacy notice copied from another website — is the most common way of breaching the GDPR without realising it. Article 24 of Regulation (EU) 2016/679 sets out the principle of proactive accountability: it is not enough to comply, you must be able to demonstrate that you comply, at any moment and before any request from the Spanish Data Protection Agency (AEPD). That demonstration requires exactly what a management system provides and a filing cabinet does not: live procedures, up-to-date records, defined roles, periodic audit and evidence of continuous improvement. The penalties make this clear: Article 83(5) GDPR sets fines of up to €20,000,000 or 4% of global annual turnover — whichever is higher — for the most serious infringements, such as breaches of the principles of processing or of data subjects' rights; Article 83(4) sets up to €10,000,000 or 2% for the remaining obligations, including the security measures of Article 32.

Summum Calidad implements data protection with the same discipline it applies to any ISO management system: through ISO/IEC 27701:2025, the extension of the Information Security Management System (ISMS) of ISO 27001 specifically aimed at managing personal information, known as a PIMS (Privacy Information Management System). ISO 27701 adds distinct controls for controllers and for processors, turns privacy by design and by default under Article 25 GDPR into auditable, verifiable controls, and allows you to demonstrate to clients, business partners and the AEPD itself that your organisation manages privacy through a documented system, not through good intentions. When a company already holds ISO 27001 certification, the project builds directly on the existing risk analysis, Statement of Applicability and audit structure: nothing starts from zero — what already works gets extended.

The integration does not stop at information security. If your company already holds ISO 9001 certification, data protection is incorporated as one more process within the existing quality management system: it shares document control, nonconformity management, internal audit and management review that are already running, instead of living apart in a legal filing cabinet that nobody reviews until there is a problem. And if your company supplies services to public administrations, coordination with the Esquema Nacional de Seguridad (Spain's National Security Framework) is direct: the ENS and the GDPR share a large part of their security measures — access management, encryption, backups, incident management — so addressing them together avoids duplicating documentary work.

The system is only real if it stays alive, and that requires two elements many data-protection projects overlook: internal audit and training. Our internal audit programme periodically verifies that the record of processing activities remains up to date, that privacy notices are correct, that the security-breach management procedure has been rehearsed — not just written — and that ARSULIPO rights requests (access, rectification, erasure, restriction, portability and objection) are resolved within the legal deadline. Periodic staff training, for its part, is one of the controls required by Annex A of ISO 27701 itself, and it reduces the most common cause of security breaches: human error, not sophisticated external attack.

The purely legal layer of compliance — drafting clauses and contracts, legal risk analysis, responding to an AEPD complaint or inspection, or appointing a Data Protection Officer — is provided by our sister division, Summum Consultoría, through its data protection (GDPR) and outsourced DPO services. If what you need is precisely that pure outsourced-DPO service, without the management-system layer, that is the more direct starting point. Summum Calidad comes in when you want data protection to stop living in a drawer and become integrated, with evidence and audit, into your company's management system.

The Data protection from your management system process.

The process · four stages
01

Assessment and processing map

We build the record of processing activities (Art. 30 GDPR): what data you process, on what legal basis, for how long, with which processors and sub-processors, and with what information flows between systems and third parties. This is the starting point for everything else.

02

Risk analysis and PIMS controls

We apply the management system's risk-analysis methodology to the identified processing activities, select the applicable ISO/IEC 27701:2025 controls and draft the privacy Statement of Applicability. When a processing activity requires it due to its high risk (Art. 35 GDPR), we carry out a Data Protection Impact Assessment (DPIA).

03

Implementation and evidence

We draft or review privacy notices, data-processing agreements (Art. 28 GDPR) with suppliers and SaaS providers, the security-breach management procedure with the 72-hour deadline of Article 33, the ARSULIPO rights procedure and the staff training plan.

04

Internal audit and continuous improvement

The system enters the internal audit and management review cycle: we periodically verify that controls remain in place and update the system in response to regulatory changes, new processing activities or new tools — including the adoption of artificial intelligence solutions.

What is included

What Data protection from your management system includes.

The operational detail: what we deliver as part of the work and what we keep alive afterwards.

  • Record of processing activities

    Complete inventory under Article 30 GDPR, kept alive and updated with every change.

  • Privacy Statement of Applicability

    ISO/IEC 27701:2025 controls applied or excluded, with documented justification.

  • Security-breach management procedure

    Rehearsed protocol for notifying the AEPD within 72 hours (Art. 33 GDPR) and, where applicable, the data subjects themselves (Art. 34 GDPR).

  • ARSULIPO rights procedure

    Deadlines, forms and traceability for every access, rectification, erasure, restriction, portability and objection request.

  • Data-processing agreements

    Article 28 GDPR clauses reviewed for suppliers, SaaS platforms and sub-processors.

  • Ongoing training and awareness

    Periodic staff sessions, with attendance records as evidence of the control in place.

Frequently asked questions about Data protection from your management system.

Is ISO 27701 certification mandatory to comply with the GDPR?

No. The GDPR does not require any ISO certification as a legal requirement; compliance can be demonstrated in other ways. However, ISO/IEC 27701:2025, as an auditable extension of the management system, is the most solid way to demonstrate to clients, partners and the AEPD itself that data protection is managed through procedures, evidence and continuous review, rather than through a folder of templates signed once.

What is the difference between hiring an outsourced DPO and implementing a data protection management system?

They are complementary, not alternatives. The Data Protection Officer (DPO) is an oversight and advisory role — mandatory in certain cases under Article 37 GDPR and Article 34 of the Spanish LOPDGDD — who monitors compliance and reports to management. The management system (ISO 27701 on top of ISO 27001) is the documentary and control infrastructure the DPO relies on to do that job: without a record of processing activities, without a breach procedure and without internal audit, the DPO has little to oversee. Summum Calidad implements the system; the outsourced-DPO service is provided by Summum Consultoría.

How long does it take to implement ISO 27701 on top of an existing ISO 27001 system?

When the organisation already holds ISO 27001 certification, the project is significantly shorter because most of the risk-management and control infrastructure already exists: typically three to five months. Starting from scratch, with no prior security system, the usual timeframe is six to nine months, depending on the size of the organisation and the number of processing activities.

Does ISO 27701 replace the impact assessment required by the GDPR?

It does not replace it, it structures it. Article 35 of the GDPR requires a Data Protection Impact Assessment (DPIA) when a processing activity is likely to result in a high risk to the rights and freedoms of individuals. ISO 27701 provides the management system's risk-analysis methodology — inherited from ISO 27001 — on which that assessment rests, so the criteria applied are consistent and risk-treatment decisions are documented.

What happens if my company already holds ISO 9001 certification?

Data protection is integrated as one more process within the existing quality management system: it shares document control, nonconformity management, internal audit and management review. This avoids duplicating procedures and significantly reduces the maintenance effort compared with managing GDPR compliance as an isolated legal file.

What happens if a security breach involving personal data occurs?

Article 33 of the GDPR requires notifying the Spanish Data Protection Agency within a maximum of 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to the rights of the affected individuals; if the risk is high, the individuals themselves must also be informed without undue delay, under Article 34 GDPR. Having an already-rehearsed incident management procedure — one of the controls we implement within the system — is what makes that deadline achievable in practice, not just on paper.