GDPR & privacy
Extend the ISMS you already have into a defensible privacy programme. A privacy layer built on your ISO 27001 foundation using the ISO 27701 extension: records of processing, lawful-basis and retention discipline, DSAR handling and data-transfer controls - mapped to the controls you already run.
Independent advisory - not legal advice, and not a certification body.
The ISO 27701 bridge
ISO 27701 is an extension of ISO 27001 - it turns your information security management system into a Privacy Information Management System. Because it builds on the same framework, most of the management system, risk assessment and control work you already have is reused. You are adding privacy-specific controls on top of a foundation that already exists, not standing up a second programme from scratch.
What we do
Each one plugs into work you already run - your risk register, your Annex A controls and your supplier assurance cadence.
Records of processing (RoPA)
A maintained record of processing activities that maps what personal data you hold, why, and where it flows - kept current alongside your ISMS documentation, not as a one-off spreadsheet.
Lawful-basis and retention discipline
Each processing activity tied to a lawful basis, with retention periods that are defined, defensible and actually enforced through your existing control environment.
DSAR handling workflow
A repeatable data-subject-access-request workflow - intake, identity verification, search, redaction and response - so requests are handled inside statutory timeframes rather than improvised each time.
Data-transfer and sub-processor controls
Transfer mechanisms, sub-processor due diligence and contractual controls mapped to your supplier assurance cadence, so international transfers and vendors are governed, not assumed.
Privacy risk mapped to Annex A
Privacy-specific risks assessed and treated against the Annex A controls you already operate, so privacy sits inside your risk register rather than beside it in a separate silo.
Mapped to what you already run
The privacy layer reuses the management system you have already built. Here is where the ISO 27001 foundation carries over and where the ISO 27701 and GDPR additions attach.
Who it is for
Questions
It depends on what your buyers ask for. Many teams only need demonstrable GDPR alignment built on their existing controls; others want the ISO 27701 extension because a certifiable privacy management system is a stronger signal in sales and procurement. We help you decide on a short call rather than assuming the heavier path.
Most of the management system, risk methodology and control work is reused. You are adding privacy-specific controls: records of processing, lawful-basis and retention discipline, a DSAR workflow and data-transfer controls, plus privacy risk mapped onto your existing Annex A. You are extending the ISMS, not starting a second programme.
No. Kellwick provides advisory and management-system work, not legal advice. We help you build and operate the privacy controls and evidence around GDPR; we do not act as your lawyers or provide a legal opinion. Where a legal question arises, we recommend you take qualified legal counsel.
We build the DSAR workflow - intake, identity checks, search, redaction and response templates - and help your team run it. The aim is a repeatable process your people own, so requests are handled consistently and inside statutory timeframes, rather than outsourcing each request.
Scoped on a short call. Pricing depends on the size of your data estate, how much of your ISO 27001 ISMS is already in place and whether you want full ISO 27701 or GDPR alignment. We size the work to what you actually need.
Extend the ISMS you already operate into a defensible privacy programme using the ISO 27701 extension. We scope the work on a short call.
Certification is issued by accredited certification bodies; DORA supervision is performed by regulators. Kellwick prepares you for these processes; it does not perform them and cannot guarantee their outcome. Kellwick provides advisory and management-system support, not legal advice.
Kellwick is an independent advisory practice. We are not a certification body and do not issue ISO certifications. Certification decisions are made only by accredited certification bodies.