GDPR & ISO 27701 privacy for SaaS companies
ISO/IEC 27701:2025, published on 14 October 2025, is a stand-alone privacy information management system standard. The old edition that required ISO 27001 is withdrawn. So your company can now certify a privacy programme on its own - and answer the questions a security certificate never could.
Kellwick builds the record of processing an enterprise buyer asks for first, stands up DSAR, retention and transfer controls, and hands you a certifiable ISO 27701 PIMS - standalone, or reusing the ISMS you already run.
Building the ISMS underneath it? ISO 27001 readiness →
Can your company show these 5 things?
Why this becomes expensive late
Enterprise EU deals increasingly stall on privacy, not security. The first request is usually for a record of processing, and a company that cannot produce one is answering from behind.
ISO 27001 proves your company protects data. It does not prove you have a lawful basis to hold it, a retention limit, a way to answer an access request, or control over where it is transferred. Those are GDPR questions, and ISO 27701 is the management system that answers them.
Protecting the data is not the same as being able to answer for it.
Where security stops
What ISO 27701 actually is
ISO/IEC 27701:2025 was redrafted as a stand-alone management system standard. Its only normative reference is ISO/IEC 29100, so it no longer depends on ISO 27001. Whether privacy is your first management system or your second, a PIMS covers the same five pieces.
A maintained record of what personal data your company holds, why, on what lawful basis, and where it flows - kept current as part of the management system, not a one-off spreadsheet.
Each processing activity tied to a documented lawful basis, with retention periods that are defined, defensible and actually enforced - not just stated in a policy nobody applies.
A repeatable data-subject-access-request workflow: intake, identity checks, search, redaction and response - so requests are answered inside the statutory timeframe rather than improvised each time.
Transfer mechanisms, transfer impact assessments and sub-processor due diligence mapped to a supplier assurance cadence - so international flows and vendors are governed, not assumed.
Privacy-specific risks assessed and treated through one risk methodology, so privacy sits inside your risk register rather than beside it in a separate silo.
Annex D of the 2025 edition maps the management system to the GDPR, which is what makes ISO 27701 a natural fit for a company selling into the EU. Organisations have until 31 October 2028 to transition to the 2025 edition; certification-body deadlines differ by accreditation body.
What a DPA or enterprise buyer checks
No record of processing (RoPA)
It is the first artefact a privacy due diligence asks for. A shared drive of policies is not a record of what personal data you hold, why, and where it flows.
A certificate treated as a privacy answer
ISO 27001 proves you protect data. It does not prove you have a lawful basis to hold it, a retention limit, or a way to answer an access request. That is a different question.
DSARs handled ad hoc, with no clock
Good intentions are not a workflow. Without an owner, an intake path and a deadline, the statutory clock is missed - and that is the failure a regulator sees.
International transfers not documented
EU personal data reaching US systems needs a transfer mechanism and a transfer impact assessment on paper. A buyer's privacy team will not sign the DPA without it.
Retention undefined, nothing ever destroyed
Data kept indefinitely with no schedule and no destruction evidence is a growing liability that a customer audit and a regulator both probe.
Sub-processors collected, never assessed
A list of vendor PDFs is not oversight. Buyers want a maintained register with the right contract terms and evidence the vendors were actually reviewed.
Quick privacy readiness check
If the answer is not clear, you are not ready. You are hoping the certificate covers it.
Not ready for a full review?
Start with a 2-day Mini Gap Review.
Scoped and priced on a short call. We hand back your top Stage 1 blockers and the single next step that matters most.
Already run ISO 27001?
ISO 27701 does not require ISO 27001 - but if you already run an ISMS, the two are ISO management systems built on the shared Harmonised Structure. Scope, leadership, the risk method, internal audit and management review carry across, so you extend one system rather than stand up a second. The privacy-specific work is the record of processing, lawful basis, retention, DSAR handling and transfer controls.
No ISMS, and no plans for one? That is fine - since the 2025 edition stands alone, a certifiable privacy programme is a real option on its own. See the ISO 27001 hub if you decide to build both.
The honest boundary
What you receive
A direct view of where your company stands on GDPR and ISO 27701 today.
A maintained record of processing activities mapping what personal data you hold, why, on what basis, and where it flows.
The workflows GDPR expects around access requests and how long you keep data.
A structured, buyer-ready view of where personal data goes and who else touches it.
A direct walkthrough with your team: what is defensible, what is missing, and the prioritised path to a certifiable PIMS or demonstrable GDPR alignment.
What a PIMS covers
| Area | What GDPR expects | Common SaaS gap | Kellwick output |
|---|---|---|---|
| Records of processing | A current RoPA a regulator or buyer can be handed | No record of what data is held, why, or where it flows | Maintained RoPA mapped to each activity |
| Lawful basis | A documented basis per processing activity | Basis assumed, so teams answer the same question differently | Lawful-basis register, per activity |
| DSARs | A workflow with an owner and a statutory clock | Ad hoc handling, deadlines missed under pressure | DSAR workflow with intake, search and response |
| International transfers | A mechanism plus a transfer impact assessment | EU data in US systems with nothing on paper | Transfer register + impact assessment notes |
| Retention | Defined periods with destruction evidence | Data kept indefinitely, nothing ever destroyed | Retention schedule reconciled to reality |
The process
You share what you already have: any privacy policies and DPAs, your sub-processor list, ISO 27001 ISMS and evidence if you run one, data-flow notes, DSAR records and retention rules.
We build the record of processing, test lawful basis, retention, DSAR handling and transfers against GDPR and ISO 27701 - and, if you run an ISMS, show how much of the management system carries over.
A RoPA, a DSAR and retention playbook, a transfer and sub-processor register and a prioritised roadmap to a certifiable PIMS or demonstrable GDPR alignment - whichever your buyers actually need.
Before Kellwick
That sentence does not survive a privacy due diligence.
After Kellwick
Book this if
Led by a CQI/IRCA-trained ISO 27001 Lead Auditor
CQI/IRCA ISO/IEC 27001:2022 Lead Auditor trained. IRCA Associate Auditor - ISMS. CQI Practitioner Member - PCQI. 18 years in IT, SaaS, fintech, product and operations.
Kellwick is an independent advisory practice, not a certification body.
Typical starting points
Final scope and pricing are confirmed after a readiness call.
Scoped on a call
SaaS companies that need a fast, external read on GDPR and ISO 27701 exposure before committing to a full programme.
Scoped on a call
SaaS companies building a defensible privacy programme - as a certifiable ISO 27701 PIMS, standalone or on an existing ISMS.
Scoped on a call
Teams that need structured support keeping the RoPA, DSAR cadence and transfer register alive between customer reviews.
This is for you if
This is not for you if
Why Kellwick
Kellwick prepares regulated technology companies for the standards and regulations their customers demand. Privacy work is led by a CQI/IRCA-trained ISO/IEC 27001 Lead Auditor who understands how a SaaS actually processes personal data - the product, the sub-processors, the transfers and the buyer's privacy review behind them.
That matters because GDPR is not a documentation exercise. It is about whether your company can show a lawful basis, a retention limit, a DSAR answered on the clock, and a governed record of where data goes - evidence, not a policy PDF. ISO 27701 is how that becomes a management system you can certify.
FAQ
No. ISO/IEC 27701:2025, published on 14 October 2025, is a stand-alone privacy information management system standard. Its only normative reference is ISO/IEC 29100 - not ISO 27001 and not ISO 27002 - so your company can certify ISO 27701 with or without ISO 27001. The 2019 edition, which was an extension that required ISO 27001, has been withdrawn.
No. ISO 27701 and ISO 27001 are both ISO management systems built on the shared Harmonised Structure, so most of the management-system spine - scope, leadership, risk method, internal audit, management review - carries over. The privacy-specific work is the record of processing, lawful basis, retention, DSAR handling and transfer controls.
No. ISO 27001 proves you protect data. It does not, on its own, prove you have a lawful basis to hold it, a retention limit, a way to answer access and erasure requests, or control over where it is transferred. ISO 27701 covers exactly that ground as a privacy management system.
A PIMS covers records of processing (RoPA), lawful-basis and retention discipline, data-subject access request (DSAR) handling, and data-transfer controls. Annex D of the 2025 edition maps the management system to the GDPR, which is why it is a natural fit for a company selling into the EU.
Organisations have until 31 October 2028 to transition to ISO 27701:2025. Certification-body deadlines differ by accreditation body, so if certification is your goal we confirm the specific dates that apply to your chosen body as part of scoping.
No. Kellwick provides advisory and management-system support - the RoPA, the DSAR workflow, the registers and the ISO 27701 mapping. Legal positions, such as a specific lawful basis or a transfer mechanism, should be confirmed by a data protection lawyer, and we work alongside yours.
From the blog
Records of processing, DSARs, retention and international transfers for SaaS selling into the EU.
Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome.
Build the privacy programme before the buyer's DPA review does.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.