Privacy assessment & remediation
An honest, independent view of where you stand - before someone else finds out first.
When privacy goes wrong, it goes wrong fast.
A regulator investigation. A major customer pulling due diligence. A data breach that turns a technical problem into a board crisis. An investor asking questions you can't answer with confidence. These aren't hypothetical risks - they're the moments that expose the gap between having a privacy programme and having one that actually holds up.
We know what those moments feel like, because we've been there. Our reviews draw on first-hand experience of major incidents and near-misses, board-level privacy leadership, and deep knowledge of what regulators look for and where the real gaps tend to sit.
Does any of this sound familiar?
You've had an incident - or a near-miss - and you're not confident you fully understand your exposure.
You're growing fast, entering new markets, or launching new products, and privacy hasn't kept pace.
You have legacy systems where nobody has a clear picture of what data sits where or what controls actually apply.
A regulator, auditor, major customer, or investor has asked questions you couldn't answer with complete confidence.
You know there are gaps. You just don't know where they are or how serious they are.
How it works
Pick your area - or combine them. Each review is built from three modules: Privacy, Data governance, and Cyber. Commission one, two, or all three. Where you commission multiple modules, each runs as its own workstream - giving you genuine depth in each area - brought together in a single combined report at the end.
Choose your depth. Four levels are available, from a rapid Snapshot to a comprehensive Deep dive. The right level depends on your situation, your urgency, and what you need to do with the output.
Where documentation is limited or incomplete, structured interviews will be needed - in which case an Assessment is the right starting point rather than a Snapshot. We'll advise before we begin.
Our Cyber module covers regulatory and governance advice - not penetration testing, technical security assessment, or managed security services.
The modules
Privacy
How your privacy programme holds up against regulatory expectations - governance frameworks, accountability structures, data flows, consent and tracking, data subject rights, and cross-border considerations. Relevant frameworks include GDPR, UK GDPR, the Data (Use and Access) Act 2025, CCPA, CPRA, LGPD, PIPL, PDPA (Singapore), PDPA (Thailand), PIPA (South Korea), PDPA (Malaysia), KVKK (Turkey), and emerging global requirements.
Data governance
How data is owned, managed, and governed across your organisation - data ownership structures, lineage and flow mapping, data quality, classification, and visibility across systems, marketing, and analytics. Includes application of our KYD (Know Your Data) methodology where relevant.
Cyber governance
How your cyber governance position holds up from a regulatory and organisational perspective - governance frameworks and accountability structures, incident response preparedness, third-party and supply chain cyber risk governance, and alignment between cyber and privacy programmes. Our work is informed by experience across NIS2, the UK Cyber Resilience Act, DORA, and the growing intersection between cyber, privacy, and data governance obligations globally.
The tiers
| | Privacy | Data governance | Cyber |
|---|---|---|---|
| Snapshot | Rapid review of key documentation - policies, notices, consent mechanisms, governance structures. Best where documentation is well developed. | Rapid review of data ownership, governance frameworks, and key data flow documentation. Best where documentation is well developed. | Rapid review of cyber governance documentation - frameworks, incident response plans, third-party governance. Best where documentation is well developed. |
| Assessment | Documentation review plus structured interviews. A fuller picture of how privacy operates in practice across legal, compliance, technology, and the business. | Documentation review plus interviews across data owners, stewards, and key functions. A fuller picture of how data is actually governed day to day. | Documentation review plus interviews across technology, risk, compliance, and relevant business functions. A fuller picture of cyber governance in practice. |
| Extended review | Broader scope - particularly suited to post-incident situations or where privacy intersects with data governance and cyber. Can be mobilised quickly where urgency requires it. | Broader scope - suited to complex data environments, post-incident review, or where data governance intersects with privacy and cyber obligations. | Broader scope - particularly suited to NIS2 readiness, post-incident review, or where cyber governance intersects with privacy and data obligations. |
| Deep dive | Comprehensive review across documentation, interviews, and full analysis. For organisations preparing for a regulatory moment, major transaction, or serious programme rebuild. | Comprehensive review across documentation, interviews, and full analysis. For organisations that need the fullest possible picture of their data governance position. | Comprehensive review across documentation, interviews, and full analysis. For organisations with significant cyber governance exposure or preparing for regulatory scrutiny. |
All tiers are available for individual modules or any combination. Where multiple modules are commissioned, each runs as a separate workstream with a combined report at the end.
What gets delivered
- Snapshot - written findings summary with prioritised recommendations
- Assessment - written report with findings and prioritised remediation plan, presented to leadership
- Extended review - detailed findings report with remediation priorities, presented to leadership
- Deep dive - comprehensive report with findings, risk assessment, and detailed remediation roadmap, presented to leadership
You'll leave knowing exactly where you stand - what the real risks are, what matters most, and what to do about it. Whether you're preparing for scrutiny, dealing with the aftermath of an incident, or simply want to get ahead of a problem before it finds you, you'll have an honest picture and a clear path forward.
Privacy, data governance, and cyber done well isn't just protection. It's the foundation for moving faster, responding with confidence, and turning compliance into commercial advantage.