Data protection (regulation and act)

The spirit of the General Data Protection Regulation (GDPR) is the protection of the personal data of natural persons.

GDPR requires both privacy and the protection of personal data. Whilst the majority of the market focuses on the former, via legal policy and audit of legacy data, the Acuity Compliance Management System (ACMS) ensures that both aims are addressed, avoiding the potential risk of negligence. We ensure that the administrative control requirements of GDPR, including security, are met by delivering immediate and sustainable change based upon an ICO-approved ISO27001 information security platform.

GDPR requires the mapping of personal data types across the business, with a view to identifying the relationship the business has with each type: whether it acts as controller or as processor. This provides an in-depth understanding of how and why personal data is accepted into the business and of how that personal data is treated throughout the business once it has been received.

Our data mapping will identify the logical and physical containers in which personal data resides. It will also identify where the data moves within the organisation, and whether or not it is shared with third parties.

Risks arise in three pillars:

  • protection around the personal data that resides in those containers (security)
  • the ethical behaviour of how we interact with that personal data, and
  • understanding the rights of the data subject

Protection and security of the personal data

Addressed by an organisation's alignment to ISO27001 good practice guidance. ISO27001 establishes up to 114 Annex A controls that protect the information residing in the logical and physical containers. That programme may need to be uplifted where specific GDPR requirements exceed what the ISO27001 controls provide.

The other two pillars

Approached by a mapping exercise of the GDPR requirements. This will enable you to identify the articles that apply to you, the recitals that explain their intent, and the articles whose infringement attracts administrative fines. This will help you to prioritise which procedures need to be addressed first.

Policies, Controls & Procedures

These will ensure the protection of the data and the mitigation of the risk of fines under the GDPR. Once all procedures for the three pillars of risk are written, you will be able to leverage the ISO27001 framework and establish an Enterprise Risk Management (ERM) entry for the board.

Complete your Privacy Impact Assessments (PIA), which will define the 'value' of the personal data you hold. Integrate the PIAs into a Data Protection Impact Assessment (DPIA), which will help define the overall risks and the assignment of controls and procedures.


GDPR compliance is an ongoing obligation, not a project that ends in May 2018. It would be right to continue to raise the budgeting challenge, as ongoing compliance may require administrative procedures that support your business-as-usual needs.

Key risks in terms of resource relate especially to your supply chain and regional offices. The work involved in reviewing supplier agreements and ensuring the security of your data once it has been shared will be extensive.

Skills Development

The Acuity Group methodology is based on the principle that the client investment should improve the internal capability of the organisation in terms of knowledge.


Effective communication is the process of changing ideas, data and information into knowledge, and is one of the critical means by which we are able.


In addition to implementing Acuity Group services and products, Acuity consultants can be engaged to consult on a variety of related issues, including support for Integrated Management Systems.

Foresight for responsible management