Data, Cyber Risk & Compliance

Cyber security and operational resilience are conditions for success and safety in the digital world. The size of the benefits that organisations take from increased connectivity with staff, customers and supply chain partners through digital channels is matched only by the size of the cyber security risks that they are exposed to in the ordinary course of business. These risks need to be understood and balanced in order to keep the organisation and its stakeholders safe from harm.

We help clients to understand and respond to cyber security risks in a manner proportionate to the unique circumstances of the organisation and the threats facing them. Our services include:

• Cyber security vision and strategy development.
• Transformation support, including project management.
• Designing and embedding of standards, controls and risk management frameworks.
• Maturity and operational resilience assessments, including benchmarking.
• Threat and vulnerability assessments, including vendor risk management.
• Security awareness training and business culture change.

Compliance is an ongoing requirement, not a moment in time activity, and organisations have to be able to prove that their compliance programmes are enduring. We help clients to sustain their compliance and to demonstrate they are doing so, to the requisite level of proof. Our support includes:

• Advice on legal and regulatory developments, trends and hot topics, to help keep clients' compliance activities focused, up to date and on track.
• Provision of compliance toolkits, including all of the artefacts that are needed for accountability purposes, such as privacy and security by design frameworks; governance and operating models; risk assessment frameworks; policies, notices and contracts; controls libraries; playbooks and workflows.
• Diagnostics for the assessment of operational and legal maturity and resilience levels and gap analysis.
• Training and awareness services, including e-learning platforms and online courses.
• Independent testing and monitoring of compliance levels, including audit and security penetration testing.
• PrivacyTech and SecurityTech strategy development, selection and deployment, to boost productivity and reduce legal risk.
• Staff augmentation, including the provision of data protection officer and EU representative services.
• Managed Services for compliance, helping clients to sustain their programmes on both an outsourced and co-sourced basis.

The scope and reach of the data subject rights have been significantly increased by the GDPR and other legislative developments, as has public awareness of the rights and how to use them. Organisations are experiencing increased volumes of rights requests and in some cases they are being used to support other complaints and legal action. We have extensive experience of dealing with the most complex rights requests, as external advisors on points of law and practice through to the provision of end-to-end managed services. Our support includes:

• Approach optimisation, to help clients to improve their processes and methodologies for the efficient and quick handling of rights requests, to minimise costs and disruption to their business, while maximising legal compliance levels.
• Toolkit development, including the provision of materials that can be incorporated into rights handling models, such as workflows; risk matrices; policies; guidance notes; template response letters; and other key correspondence.
• Staff augmentation, to provide you with surge capacity during busy times and crunch points.
• Managed Services, where we handle the rights request from receipt, through data collection, triaging and delivery of the required information, or from any stage in the process where you will benefit from outsourcing.
• PrivacyTech strategy and deployment, to help you to select the right technology partner for data search and retrieval, analytics, workflow management and process automation.

Many organisations are required by law to appoint a data protection officer and others have elected to do so, while in some cases it is a legal requirement to appoint an EU representative.  Our support in these areas includes:

• Target Operating Model design and advice, to ensure that DPOs and representatives are properly resourced, skilled and tasked as well as situated in the best business location or function to ensure optimised service delivery and legal compliance.
• Outsourced services, where we can act as your DPO or your representative, to be the impartial check on your organisation's compliance.
• Toolkit provision, so that the DPO and representative have the right materials at hand to perform their roles.
• Staff augmentation to give your DPO and representative additional capacity whenever needed.

Many organisations have acquired or inherited data protection and cyber security risks through their relationships with third parties, including through M&A activity and the building of their supply chains. Often the nature of third party risks are misunderstood, due to inadequate due diligence procedures, putting organisations at operational and legal risk.

Our approach to the assessment and management of third party risks helps clients to improve their operational resilience and to maximise deal value in M&A and investment situations. Our support includes:

• Advising acquiring organisations, venture capital firms, private equity firms and investors on the risk profiles of target organisations.
• The development and performance of fit-for-purpose due diligence frameworks for deal situations.
• The development of supplier and vendor risk management frameworks, including risk scoring and entity segmentation and categorisation; step-by-step procedural requirements; contract formation and re-papering; and post-contractual due diligence.
• Operational testing of third party resilience, including penetration testing and auditing.
• Reputation and identity scoring and monitoring.
• Dark web monitoring.

Success in data protection and cyber security is contingent on understanding and mastering the issues that arise in the technology and data layers of the organisation and through the use of complex data processing techniques. Our support includes:

• Functionality analysis, to understand the operational and legal benefits and challenges that are involved in the use of use of new technologies and complex processing techniques, including the performance of risk assessments.
• Assistance with privacy and security by design for new technologies and complex processing techniques, to maximise operational resilience and legal compliance, including the development of technology and data strategies and the creation of technology reference architectures.
• Advice on the state of the art, to help clients to make informed decisions on the deployment of new technologies and processing techniques.
• Product design and market making, to assist technology and data companies with the development of new products and services and roll out.