SaaS
Handling health data raises the GDPR bar sharply. The team had ISO 27001 security in place but no lawful-basis, retention or DSAR discipline for the most sensitive data category there is.
Special-category data (health) triggers stricter GDPR conditions: a specific lawful basis and an additional condition, tighter retention, and careful handling of access and erasure. ISO 27001 secured the data well, but the lawful basis, retention rules and DSAR workflow for special-category data were undefined - the exact areas a regulator and a health-sector buyer probe hardest.
Finding 01
The additional condition required to process health data lawfully had never been identified or recorded per processing activity.
Finding 02
Health data was kept without a retention schedule or destruction evidence - a serious exposure for special-category data.
Finding 03
There was no process to locate, disclose or erase special-category data within the statutory deadline.
Finding 04
High-risk processing of health data had no Data Protection Impact Assessment behind it.
Finding 05
The certified controls existed but were not linked to the heightened privacy risk of the data.
The platform could show a customer and, if asked, a regulator a defensible privacy program for special-category data - lawful basis, retention, DSAR handling and a DPIA - built on its ISO 27001 base. Advisory and management-system support only, not legal advice; legal positions were confirmed by a data protection lawyer.
Special-category data raises the GDPR bar sharply. Strong security is necessary but not sufficient - the regulator wants the lawful basis, the retention limit, the DSAR path and the DPIA, and ISO 27701 is how you build them on the ISMS you already have.
These are representative engagements - detailed, realistic walkthroughs built from the ISO 27001 failure patterns we see most often, not accounts of specific named clients. Certification is always decided by an accredited certification body; we prepare teams for it and never guarantee the outcome.
Certification is performed by an accredited certification body through Stage 1 and Stage 2 audits. Kellwick prepares you for that process; it does not perform it and cannot guarantee its outcome.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.