Privacy and Security Architecture

Department for Education (DfE) Leading of Security and Data Protection Assurance and improvement
  • 10  Projects Authority to Operate and GDPR
  • National Coverage
  • Thousands of teaching candidate personal data record.
  • Multiple Data Sharing
  • DPA
  • Third Parties
  • Multiple Data Journeys
  •  Assurance and Accreditation
  • Consolidation
  • ATO Improvement
  • Security of Cloud
  • Offshoring Approval
  • Must have ATO by Security and Departmental DPO before go live.
  • IT HealthCheck  Scoping and remediation

We helped the DfE with about 10 projects towards achieving  security and data protection assurance with their internal security and data protection assurance process.

This included, mapping personal data, analysing, data usage, and the security of thousands of teacher candidate’s personal data.  Working with project teams, developers, technical architects, product managers and DfE’s suppliers to ensure security designs met the HMG standards, requirements of the GDPR and Data Protection Act 2018, including NCSC’s 14 Cloud Security Principles, Functional Security Standards.


  • We identified and corrected a number of issues with GDPR/DPA2018 issues.
  • Identified and documented circa 40 security issues, which were discussed and made  improvement recommendations to senior stakeholders.
  • Resolved a number of issues with existing, documentation, processes and compliance.
  • Made a number of recommendations to improve the ATO process.
  • Resolved legal issue with a DfE supplier that was incorrectly understood by the a major global software house. This included leading conversation with the software supplier European Legal Counsel.
  • Provided an enterprise view of data journey, which included, efficiency and improvements to data sharing.
  • Carried out a number of DPIAs, improved existing DPIAs
  • Drafted Data Sharing Agreements
  • Drafted a number of privacy notices
Delivered an Integrated into Security and Privacy Architecture for the MoD on behalf of Captia. ​
  • Three national forces
  • National coverage
  • 5M  candidate personal data record.
  • Multiple data journeys
  • £1.3bn Transformation Programme
  • Secure private cloud hosting
  • Must meet stringent government and MOD security standards
  • Must be security accredited before go live.
  • Protective monitored
  • NCSC IT Healthcheked

We were in charge of the Data Protection for the MOD’s RPP programme.

Working with the three services, RAF, Army and Navy to ensure their data protection requirements were integrated into security and privacy architecture. This included the design, implementation of the requirements into the end to end recruitment journey for 5 million recruits.

Followed by working with developers, software and web developers to ensure the UX design ensured that the data collected and processed was  done according to the requirements of the data protection law.

Although, it was pre GDPR, we were able to foresee the GDPR and implement data protection and security by design by taking an integrated privacy and security architecture approach.

We successfully delivered an integrated security and privacy architecture for the three services and had the security and privacy accredited by the MOD accreditor.

  • Managed senior security and data protection work streams.
  • Managed relationships with stakeholders from the three services
  • Worked with data architects to ensure data retentions and journeys are automated and aligned to candidates progress.
  • Worked with developers and architects on technical design
  • Security and Privacy Design Authority for the Programme.
  • Worked with developers to help with developer with UX design to ensure the correct and minimum data was being captured.

Full GDPR implementation programme for Phlexglobal - the global market leader in clinical trials management.
  • Global market leader in clinical trials management.
  • Global organisation with some of the largest Pharmaceuticals as customers.
  • Provided GDPR and PECR Readiness Assessment.
  • Provided end to end GDPR programme implementation
  • Worked with the board and international lawyers
  • Highly sensitive personal and medical data.
  • Worked with teams in the UK, US, Poland and Asia.
  • Drafted multiple DPAs
  • Negotiated with international legal counsels frombig pharma companies on amendments to DPAs.
  • Carried out DPIA and LIAs
  • Created ROPA
  • Privacy Notice
  • Data Retention Policy & Schedule
Scroll to top