Contact Details
Tel: +44 (0) 845 051 0361
Fax: +44 (0) 845 280 1501

Acuity Group Limited
Tower 42
25 Old Broad Street
London EC2N 1HN
United Kingdom

Data Privacy


5 Key Messages
to accelerate Success
In your compliance journey

Get instant access to our free guide now to learn the secrets to building an effective and successful compliance program in your business

Data Privacy

Data protection (regulation and act)

The spirit of the General Data Protection Regulation (GDPR) is the protection of personal data of a natural person.

GDPR focuses on providing both privacy and protection of personal data. Whilst the majority of the market focuses on the former via legal policy and audit of legacy data, the Acuity Compliance Management System (ACMS) ensures that both aims are addressed avoiding potential risk of negligence. We ensure that administrative control requirements of GDPR including security are met by delivering immediate sustainable change based upon an ICO approved ISO27701 information security platform.

GDPR requires the mapping of personal data types across the business with a view to identifying the relationship it has with it – either as internal controller or processor. This will provide an in-depth understanding of how and why personal data is accepted into the business and the treatment of that personal data throughout the business once it is received

Our data mapping will identify the logical and physical containers. It will also identify where the data moves within the organisation, and whether or not it is shared with others.


Risks arise in 3 pillars:

  • protection around the personal data that resides in those containers (security)
  • the ethical behaviour of how we interact with that personal data, and
  • understanding the collective rights of the data subject

Protection and security of the personal data

Addressed by an organisation’s alignment to ISO27701 good practice guidance. ISO27701 will establish up to 114 controls that will protect the information that resides in the logical and physical containers. That programme may need to be uplifted where specific GDPR requirements exceed that of 27701 controls.

The other two pillars

Approached by a mapping exercise of the GDPR requirements. This will enable you to identify the articles, defined by recitals, and where fines are specifically associated to recitals. This will help you to prioritise which procedures need to be addressed first.

Policies, Controls & Procedures

These will ensure the protection of the data and the mitigation of fines under the GDPR. Once all procedures for the pillars of risk are written, you will be able to leverage the ISO27701 framework and established an Enterprise Risk Management (ERM) inclusion for the board.


Complete your Privacy Impact Assessments (PIA), which will define the ‘Value’ of the personal data your holding. Integrate the PIAs into a Data Protection Impact Assessment (DPIA), which will help define the overall risks and the assignment of Controls / Procedures.


GDPR continues onwards after May 2018. It would be right to continue to raise the budgeting challenge, as this may require administrative procedures, which supports your onwards business as usual needs. 

Key risks in terms of resource relate especially to your supply chain and regional offices. The work involved in reviewing supplier agreements and ensuring the security of your data once it has been shared, will be extensive.

Acuity GRC consultancy services

Acuity GRC SaaS Products

Almost there,
Just 1 final step... Get Your Free Guide

'5 Key Messages
to Accelerate Success'

We hate SPAM (every bit as much you probably do!) and promise to keep your email address safe!