Fintech
Security was certified; privacy was undocumented. A subject access request the team could not answer in time, plus a customer's privacy due diligence, forced the question ISO 27001 does not ask: should you hold this data, and can you prove it?
ISO 27001 proves you protect data. It does not, on its own, prove you have a lawful basis to hold it, a retention limit, a way to answer access and erasure requests, or control over where it is transferred. ISO 27701 extends the certified ISMS into a Privacy Information Management System, reusing most of the management system - but that extension had never been built, so privacy was running on goodwill.
Finding 01
The fintech could not show what personal data it held, why, on what lawful basis, or where it flowed - the first document a regulator or a serious buyer asks for.
Finding 02
Data was kept indefinitely. There was no retention schedule and no evidence anything had ever been destroyed on a defined basis.
Finding 03
There was no workflow, no owner and no clock - which is how the statutory deadline was missed in the first place.
Finding 04
Basis was assumed rather than documented per processing activity, so different teams would have answered the same question differently.
Finding 05
There was no register of international transfers or the safeguards behind them, and sub-processor oversight was informal.
Finding 06
Security controls existed, but privacy risk was never mapped onto them, so the two programmes did not reinforce each other.
The fintech cleared its DSAR backlog, answered the customer's privacy due diligence with a record of processing and a retention schedule, and had a defensible privacy programme built on its existing ISO 27001 base. Kellwick provides advisory and management-system support, not legal advice; a data protection lawyer signs off the legal positions.
ISO 27001 proves you protect data; GDPR asks whether you should hold it, for how long, and whether you can answer for it. ISO 27701 bolts the second question onto the first without starting the management system again.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.