Data Security & Privacy

Protect your most valuable asset — data. Our services help classify, encrypt, retain, and control data across your environment to meet regulatory, operational, and ethical demands.

Data is at the core of modern digital business, and it is also a prime target for cybercriminals and malicious insiders and the focus of ever-closer regulatory scrutiny. As that scrutiny intensifies and data volumes grow, organisations must protect data across its whole lifecycle, whether it is stored in the cloud, on-premises, or in transit. IGCCD's Data Security & Privacy services help you build trust, demonstrate compliance, and defend sensitive data with precision, from classification and access control to encryption, leakage prevention, and breach response.

  • Data Discovery, Mapping & Classification

    Before data can be protected, it must be understood. We help you locate and map sensitive data across your systems, cloud services, and third-party providers. Using automated scanning tools and business interviews, we classify data by type, sensitivity, and regulatory relevance. Pattern-based scanning alone produces false positives, so findings are validated (checksums, surrounding context, owner confirmation) before they drive controls.

    Data Protection Impact Assessments (DPIAs)

    A DPIA is mandatory under UK GDPR (Article 35) wherever processing is likely to result in a high risk to individuals. We lead you through DPIA scoping, stakeholder engagement, risk analysis, and documentation to ensure legal defensibility and good privacy hygiene.

    Data Loss Prevention (DLP)

    We help you design and implement DLP strategies that monitor and control sensitive data movement across email, endpoints, cloud, and internal systems. Whether you're using Microsoft Purview, Symantec, Forcepoint, or a custom setup, we tailor controls to fit your context and culture.
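    As an added illustration (not IGCCD's tooling, and independent of the products named above), the following Go program shows the mechanics behind the discovery and classification step and the kind of egress rule a DLP policy is built from: pattern detectors for e-mail addresses, UK National Insurance numbers and card numbers, a Luhn check so that card-shaped order numbers do not count as cardholder data, a type / sensitivity / regulatory-relevance scheme, and a per-channel policy that fails closed for channels it does not know. The sample documents, the simplified NI and e-mail patterns, and the level-to-channel mapping are constructed assumptions of this example, not a fixed standard.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Sensitivity levels, least to most sensitive.
const (
	Public = iota
	Internal
	Confidential
	Restricted
)

var levelNames = []string{"Public", "Internal", "Confidential", "Restricted"}

// Detectors. The NI-number and e-mail patterns are simplified assumptions of
// this example, not full validators; panRe finds 13-19 digit candidates.
var (
	emailRe = regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)
	niRe    = regexp.MustCompile(`\b[A-CEGHJ-PR-TW-Z]{2}[0-9]{6}[A-D]\b`)
	panRe   = regexp.MustCompile(`\b\d(?:[ -]?\d){12,18}\b`)
)

type Classification struct {
	Level  int
	Emails int
	NINos  int
	PANs   int
	Tags   []string // regulatory relevance
}

// luhnValid rejects digit strings that fail the Luhn checksum, which keeps
// most order numbers and similar identifiers out of the PAN count.
func luhnValid(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Classify counts what a document contains, then assigns a level and the
// regimes that apply. The mapping itself is an illustrative assumption.
func Classify(content string) Classification {
	c := Classification{Emails: len(emailRe.FindAllString(content, -1))}
	c.NINos = len(niRe.FindAllString(content, -1))
	for _, cand := range panRe.FindAllString(content, -1) {
		if luhnValid(strings.NewReplacer(" ", "", "-", "").Replace(cand)) {
			c.PANs++
		}
	}
	switch {
	case c.PANs > 0:
		c.Level = Restricted
	case c.NINos > 0:
		c.Level = Confidential
	case c.Emails > 0:
		c.Level = Internal
	}
	if c.PANs > 0 {
		c.Tags = append(c.Tags, "PCI DSS")
	}
	if c.NINos > 0 || c.Emails > 0 {
		c.Tags = append(c.Tags, "UK GDPR")
	}
	return c
}

// channelThreshold is a minimal DLP policy: a document may not leave through a
// channel once its level reaches that channel's threshold.
var channelThreshold = map[string]int{
	"internal-share": Restricted + 1, // never blocks
	"cloud-upload":   Restricted,
	"email-external": Confidential,
}

// EgressAllowed fails closed for channels the policy does not list.
func EgressAllowed(c Classification, channel string) bool {
	threshold, ok := channelThreshold[channel]
	return ok && c.Level < threshold
}

// Constructed sample documents; none of the values are real.
var sampleDocs = map[string]string{
	"press-release.txt": "IGCCD opens a new office in Manchester.",
	"contacts.csv":      "name,email\nAlice,alice@example.com\nBob,bob@example.org",
	"payroll.txt":       "Alice, NI AB123456C, gross 3200.00",
	"orders.log":        "order 4111 1111 1111 1112 shipped", // PAN-shaped, fails Luhn
	"refunds.txt":       "refund card 4111 1111 1111 1111 to alice@example.com",
}

func main() {
	for name, body := range sampleDocs {
		c := Classify(body)
		fmt.Printf("%-18s %-12s pans=%d ni=%d emails=%d tags=%v email-external=%v\n",
			name, levelNames[c.Level], c.PANs, c.NINos, c.Emails, c.Tags, EgressAllowed(c, "email-external"))
	}
}
```

    The orders.log entry is the case worth noting: it matches the card-number pattern but fails the Luhn checksum, so it stays Public instead of triggering a PCI DSS classification. Production scanners layer context checks on top of this (field names, proximity to words like "card" or "expiry"); a bare regex pass is where most discovery false positives come from, and a DLP rule built on unvalidated matches blocks legitimate traffic until users route around it.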

    Encryption Strategy & Key Management

    We design encryption solutions for data at rest, in transit, and in use. This includes key management system (KMS) reviews, cloud-native encryption configurations, hardware security module (HSM) integration, and guidance on cryptographic algorithms based on risk and compliance requirements.
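    The following Go program is an added example (not IGCCD's code and not any vendor's SDK) of the envelope-encryption pattern that AWS KMS, Azure Key Vault and HSM-backed designs are built around: each record gets its own data-encryption key (DEK), the DEK is wrapped under a versioned key-encryption key (KEK) that never leaves the key store, the record identifier is bound in as AES-GCM associated data, and rotating the KEK only rewraps the small DEK rather than re-encrypting the data. The in-memory KeyStore stands in for the KMS or HSM and is an assumption of the example; the record ID and plaintext are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is stored beside the record: KEK version plus wrapped DEK, never the KEK.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, record)
}

// KeyStore stands in for a KMS or HSM: KEK versions 1..n that never leave the store.
type KeyStore struct{ keks [][]byte }

// Rotate mints a new KEK and makes it current; old versions stay until retired.
func (ks *KeyStore) Rotate() int {
	ks.keks = append(ks.keks, randomBytes(32))
	return len(ks.keks)
}

// Retire destroys a KEK version; envelopes still bound to it become unreadable.
func (ks *KeyStore) Retire(version int) { ks.keks[version-1] = nil }

func (ks *KeyStore) wrap(dek []byte) (int, []byte) {
	v := len(ks.keks)
	return v, seal(ks.keks[v-1], dek, []byte("dek"))
}

func (ks *KeyStore) unwrap(version int, wrapped []byte) ([]byte, error) {
	if version < 1 || version > len(ks.keks) || ks.keks[version-1] == nil {
		return nil, fmt.Errorf("KEK version %d retired or unknown", version)
	}
	return openSealed(ks.keks[version-1], wrapped, []byte("dek"))
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: refuse to continue with weak keys
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only reachable with a wrong-sized key, i.e. a bug
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal returns nonce || ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func openSealed(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	if ns := aead.NonceSize(); len(sealed) >= ns {
		return aead.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("sealed blob shorter than nonce")
}

// Encrypt uses a fresh DEK per record and binds the ciphertext to recordID via AAD.
func Encrypt(ks *KeyStore, recordID string, plaintext []byte) *Envelope {
	dek := randomBytes(32)
	v, wrapped := ks.wrap(dek)
	return &Envelope{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, []byte(recordID))}
}

func Decrypt(ks *KeyStore, recordID string, env *Envelope) ([]byte, error) {
	dek, err := ks.unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openSealed(dek, env.Ciphertext, []byte(recordID))
}

// Rewrap moves an envelope onto the current KEK without touching the data ciphertext.
func Rewrap(ks *KeyStore, env *Envelope) error {
	dek, err := ks.unwrap(env.KEKVersion, env.WrappedDEK)
	if err != nil {
		return err
	}
	env.KEKVersion, env.WrappedDEK = ks.wrap(dek)
	return nil
}

func main() {
	ks := &KeyStore{}
	ks.Rotate()
	env := Encrypt(ks, "customer/42", []byte("constructed sample record"))
	old := env.KEKVersion
	ks.Rotate()
	err := Rewrap(ks, env)
	ks.Retire(old)
	pt, derr := Decrypt(ks, "customer/42", env)
	fmt.Println(env.KEKVersion, err, string(pt), derr)
}
```

    Two behaviours in it are what a key-management review checks for: an envelope copied onto another record fails to decrypt because the record ID is in the associated data, and an envelope still referencing a retired KEK version fails with an error rather than silently using a stale key. That second point is why a rotation runbook must finish rewrapping every envelope before the old version is destroyed in the KMS or HSM.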

    Third-Party Data Risk Management

    Your vendors may process or access sensitive data. We assess third-party security and privacy risks through audits, questionnaires, contract reviews, and ongoing monitoring, helping you meet GDPR, ISO 27701, and NIST supply chain requirements.

    Privacy Governance & Operationalisation

    Privacy isn’t just legal—it’s operational. We help embed privacy into day-to-day business activities by creating or refining your data protection policies, training programmes, breach workflows, and data subject request (DSR) handling procedures.

    When to engage us:

    • Preparing for or responding to a GDPR / ICO audit.

    • Planning a new system or service involving sensitive or customer data.

    • Experiencing regular data leaks or shadow IT risks.

    • Struggling with unmanaged third-party access to data.

    • Moving data to cloud or cross-border environments and unsure of the legal implications.

  • Our approach: once data has been discovered and classified, we conduct risk and maturity assessments, develop controls tailored to your data lifecycle, and implement or support the operationalisation of those controls. For high-risk processing, we deliver DPIAs and privacy engineering recommendations. Where technical controls are required, we integrate encryption, DLP, and access controls within your existing infrastructure, ensuring cost-effective compliance and real-world protection.

    Frameworks and standards we align to:

    • UK GDPR & DPA 2018

    • ISO/IEC 27701 – Privacy Information Management

    • NIST SP 800-53 / 800-122 – Data protection and confidentiality

    • PCI DSS v4.0 – Cardholder data protection

    • HIPAA / CCPA – For sectoral and international alignment

    Deliverables:

    • Data Flow & Inventory Map – End-to-end visualisation of data lifecycle

    • Data Classification Scheme – By type, owner, and risk category

    • DPIA Documentation Pack – Fully scoped and signed-off templates

    • DLP Configuration Review or Deployment Plan

    • Encryption & Key Management Review Report

    • Third-Party Risk Register – Vendor tiering and risk status

    • Privacy Governance Framework – Policies, roles, breach response plans

    Tooling we work with:

    • Varonis, Netwrix, Microsoft Purview for data discovery and classification

    • Forcepoint, Symantec, or Microsoft for DLP

    • AWS KMS, Azure Key Vault, Thales HSM for encryption and key management

    • OneTrust, TrustArc, or custom DPIA tooling

    • Open-source tools for manual audits and reviews

    What we need from you:

    • Identify data protection officer or privacy lead (if available)

    • Provide system and application inventories

    • Grant access to relevant data stores or cloud services (read-only)

    • Share current data protection policies and processing activities

    Indicative timelines:

    • Data Mapping & Classification: 2–3 weeks

    • DPIA Completion: 1–2 weeks

    • DLP Strategy & Implementation Plan: 2–4 weeks

    • Third-Party Risk Assessment: Ongoing or 2–3 weeks for initial pass

    Milestones:

    1. Data Discovery & Business Interviews

    2. Technical Scanning and Mapping

    3. Risk & Regulatory Impact Assessment

    4. Draft Controls and Governance Plan

    5. Final Documentation & Optional Remediation

    Common risks and mitigations:

    • Risk: Sensitive data stored in unknown systems (shadow IT)
      Mitigation: Data discovery scans and staff engagement interviews

    • Risk: Inadequate response to data subject access requests (DSARs)
      Mitigation: Standardised workflows and response playbooks

    • Risk: Overly complex encryption strategies hinder access
      Mitigation: Align encryption with user workflows and recovery options

    • Risk: Third-party processors are non-compliant
      Mitigation: Risk-tiered vendor assessments and contractual controls

  • Q: What’s the difference between data privacy and data security?
    Privacy is about what data is collected and how and why it is used and shared; security protects that data from unauthorised access, alteration, or loss. You need both: a well-secured system can still process data unlawfully, and a lawful process can still leak.

    Q: Do I need DPIAs for every system?
    No. Only for processing likely to result in a high risk to individuals. We help assess whether it’s necessary.

    Q: How do I know if I’m sharing too much data with vendors?
    We help you map data flows and assess contracts, then recommend controls like pseudonymisation, encryption, and access restrictions.

    Indicative pricing:

    • Data Discovery & Classification: From £4,000

    • DPIA Support: From £1,500 per assessment

    • DLP Strategy & Setup: From £5,500

    • Encryption/Key Management Review: From £3,000

    • Privacy Governance Framework: From £4,500

    Monthly Advisory or Retainer Packages also available for ongoing compliance and breach readiness.

“Because your data deserves better than living in an unencrypted spreadsheet.”