Data Inventory and Data Flow Analysis

We have created a data asset register that establishes the following:

  • personal identifying information (name, address, email, SIA number, IP address etc)

  • processing (collection, storage, transporting etc)

  • purpose (DBS, screening, credit checks etc)

  • lawful process (contract, legitimate, vital interests, interests of the public, consent)

  • retention and disposal (number of years the personal information is held for)

  • juridiction (inside or outside of the EU)


Any special categories of personal information as defined in the GDPR shall be clearly identified and the appropriate protection applied.



Data Protection Impact and Information Security Risk Assessments

We have established processes for conducting data protection impact and information security risk assessments. Risk acceptance criteria is known and understood, particularly where personal data is concerned where risk acceptance criteria is defined in law, such as high risk activity under GDPR.

We operate  through a concept of "privacy by design" building in data safeguards from the start.

Data protection impact assessments and information security risk assessments are not conducted singularly but shall utilise all of the knowledge and experience we have in the business including any external support we require. Risks shall be evaluated and assessed for risk treatment with risk owners being established. The Data Protection Officer shall co-ordinate the risk process and update the control objectives that we have established in our statement of applicability and formulate the security risk treatment plan.

Data protection impact assessment  (DPIA) is used to systematically analyse, identify and minimise the data protection risks of a particular project, plan or where a process is changed. It is a key part of our accountability obligations under the GDPR.


DPIAs are flexible and scalable tool and can apply to a wide range of sectors and projects. Its objectives are to minimise risk around personal data and privacy.

ISMS & PIMS Objectives

report data breaches to data controllers within 2 hours (where we act as a processor)

report data breaches to the ICO within 72 hours

complete subject access requests to the ICO within 30 days

reduce the number of information or data incidents to zero

reduce the number of information and data complaints

​complying with ISO 27001 & BS10012 requirements

Information and Data Protection awareness training to all staff