Feature Summary

The Global Data Protection Management System (GDPMS) is a comprehensive Governance, Risk and Compliance (GRC) solution that has been developed against ISO 19600 as a robust framework for full-service Data Protection Management.

The full end-to-end solution is cloud-based using Microsoft SharePoint Online (Office 365), allowing multi-nationals to centralize their data protection efforts and controls with familiarity. It was recently described as "the most comprehensive GRC available to deal with growing cyber-security threats".

As a multi-jurisdictional Data Protection Governance, Risk & Compliance (GRC) Management System, the GDPMS has built-in information privacy and data protection life-cycle management against the laws of more than 80 countries around the world and incident management and data breach notification requirements of more than 161 regulators, making it the most globally aware GRC available.

Parts of your hosted GRC are monitored and managed by our specialist experts in the fields of Law, Record Keeping (Retention Schedules) and Global Politics to ensure that your GDPMS is constantly reviewed and refreshed as new legislation is enacted and record keeping standards change. As recently as 30 days ago, new legislation in the United States regarding Notifiable Data Breach was enacted, and in April 2018 the king of Swaziland decided to change the name of the country. See the full list here.

The Nexus is a revolution in global data protection that brings together thousands of Data Protection Experts, Legal Counsel, and all those things necessary to get compliant and remain compliant. It uses advanced telephony, digital imaging, and web technologies with nearly 100 points-of-presence around the world, enabling our experts to work with you as our client and with your data subjects.

Simplified planning and implementation make deploying your organisational measures easy; all the hard work has been done for you, straight out of the box. Advanced tools like the interactive Compliance Dashboard keep the technical measures team focused on what needs to be done, with pinpoint accuracy.

Managing the life-cycle of a data subject from collection to destruction with rigor is a complex and daunting task for even the smallest organization. This only compounds with existing customer bases that are geographically distributed and used by various parts of an organization to meet its widespread needs; such needs are not always the same as the understanding of the customer. The GDPMS - GRC will ensure that data use is complied with and access is controlled accordingly.

The GDPMS - GRC is available in a variety of configurations depending on the industry need and security maturity model of the client organization. It also considers the risk appetite of the organization and can be tailored to meet the desired outcome against all these factors.

The GDPMS - GRC is designed to be managed by one or more DPOs who can engage with various parts of the organization. Built-in Automated Task Review Schedules allow the GDPMS - GRC to interact automatically with various stakeholders and owners as required throughout an exercise or approval task. Each user has a real-time, active, prioritized task list that will display and update based on the work that is required at any given time. The system is based on doing "what's required when it's required". This extends from simple ongoing management to Security Incident Management and Data Breach Notifications. Instead of not knowing what to do or when to do it, the orchestration against the required laws will enable all participating users to simply "do what's needed when it's needed".

The GDPMS - GRC is functionally divided into a number of key areas of business operation that includes System Administration, Legal & Agreements, Data Subject Management, Record Management, and Security Incidents.

The GDPMS - GRC is not only ISO 19600 compliant as a Risk Management System, but it is also built against the relevant legislative requirements, ISO 27002 - Information Security Management Framework and NIST.

Detailed Features Listing

"Out-Of-The-Box" (Version 3.13) in "Diamond GDPMS configuration" will have the following features: (See a list of features by version)

Policies and Standards

  • Information Security Management Framework including:

    • Information Governance Council Policy

    • Intellectual Property Policy

    • Record Management Policy

    • Information Security Policy

    • Social media Policy

    • Human Resources Management Policy

  • Standards for Information Security including:

    • BYOD (Bring your own device/technology) Standard

    • Change Management Standard

    • Cloud Security Standard

    • Cryptography Standard

    • Data Backup Standard

    • Data Privacy Impact Assessment Standard

    • Disaster Recovery Standard

    • Employee Life-cycle Management Standard

    • End User Protection Standard

    • Information Classification & Handling Standard

    • Information Security Risk & Compliance Standard

    • Acceptable Use Standard

    • Logging and Monitoring 

    • Network Security Standard

    • Physical Security Standard

    • Privacy and Personal Data Protection Standard

    • Security Incident Management Standard

    • Third-party Risk Management Standard

    • User Access Management Standard

    • Vulnerability Management Standard

  • Human Resources Management Standard

  • Record Management Standard

  • Social Media Standard

  • The Interactive Compliance Dashboard that marries one-for-one the organisational measures (from the standards) to the technical measures for implementation by the technology team. Track and maintain control with simplicity and pinpoint accuracy.

Additional Supporting Frameworks

  • Project Management Framework for Agile and Waterfall projects to ensure that you build Privacy by Design into new works, together with the required data protection elements such as Data Protection Impact Assessments (DPIA), from project inception.

  • Record Management Framework to ensure that all your registers and records are retained against the laws applicable in your region of record for each item.

  • Operational Risk Management Framework to provide clarity around the business operations, areas of risk including Risk Appetite and Risk Strategy.

  • Outsourcing and Agreement Management Framework to ensure that your third-parties are performing, reviewed, audited and maintaining your reputation.

  • Data Governance Framework enabling Master Data policies and a single source of truth, making your information management and control more reliable and helping to ensure Privacy by Design principles.

  • Change Management Framework to facilitate change in the organization in a controlled and structured manner. Rules for Change Advisory Board and schedules. Manage the change elements with simplicity.

Processes, Procedures and Work Instructions:

  • 50 graphically represented step-by-step Processes mapped to the controls defined in the standards

  • 45 Work Instructions that detail the steps to achieve the required outcomes for each of the steps in the Processes

  • 57 Supporting documents, Guides, Templates, Forms and Instruction documents

Integrated Registers

  • Business System & Application Management

  • Change Management

  • Contact Management

  • Control Exception Management

  • Cryptographic Key Management

  • Data Classification Management

  • Information Risk Management

  • Mobile Device Management

  • Record Management using the International Administrators & Record Managers Association (ARMA) Information and Source of Truth

  • Removed Information & System Asset Management

  • Vendor (& third-party) Management & Assessment

  • White List Application Management

  • Fully automated Task Review Register to ensure that all reviews are completed from weekly to annually without delay.

  • Automated Data Subject Request & Life-cycle Management with email capture

  • Integrated Data Flow Builder and Management - instantly and automatically map data to applications, agreements, processes

  • Integrated Process Flow Builder and Management

  • Data Protection Impact Assessment (DPIA) Management

  • Legitimate Interests Assessment (LIA) Management

  • Integrated User Management

  • Automated Collection Statement & Privacy Notices generation and publishing

  • Instructions to Processors Management

  • Instructions from Controllers Management

  • Legal Compliance and Agreements Register

    • Automatically Generate Controller Agreements

    • Automatically Generate Processor Agreements

    • Automatically Generate Recipient Agreements

  • Regulator Intervention Management

  • Secrecy Undertaking Agreements & Management

  • Data Subject Fee Management

  • Automatically Capture Data Subject Emails and Replies

  • Customizable Automated Data Subject Request Processes and Responses

  • Personal Data Category Management

  • Built-In Record Management (RMS) for Retention Compliance

  • Automated Security Incident Management

    • Automated Regulator Reporting

    • Notifiable Data Breach Management

    • Automated Data Subject Notification

  • A familiar user interface that uses Microsoft Office 365 (SharePoint Online)

  • Publicly accessible Online Forms

  • Country and Location (Region) Data, Global Regulators (laws and impacts) and Record Management Registers are maintained by our team of experts that specialize in these areas.

Integrated Record Management Schedules

  • Integrated Record Management Schedules ensure that important data is retained

  • Creating Notices and Collection Statements that have justifiable retention periods

  • International Standard practices

Data Subject Requests

  • Automated Data Subject Request Management

  • Laws of more than 81 countries

  • Automation process flow to ensure that the request is completed within the allocated time-frame.

Security Incident and Notifiable Data Breach (NDB) Management

  • Regularly Updated Regulator Requirements for Notification of

    • The Regulator or Supervisory Authority

    • The Data Subjects

    • Credit Reporting Agencies

    • Law Enforcement

  • Automated Notice Generation to all the above parties based on comprehensive rules

  • Automated Workflow to ensure that all reporting and notification tasks are completed as required by the Regulators across all effective regulator jurisdictions

  • Simultaneous notifications to Multiple Regulators based on 

    • Areas of Jurisdictional reach and influence

    • Areas of Data Subject protection

    • Location of Enterprise or Data Breach

  • Comprehensive and detailed Audit Reports on the status of a breach and the notifications involved

  • Laws regarding notification for more than 160 Global Regulators

    • All EU GDPR Countries & UK GDPR

    • All States (with NDB Laws) in the United States

    • *NEW* APRA CPS-234 (Information Security) and CPS-231 Cloud (Third-Party) Management Requirements for Australia (Prudential Regulation) (effective 01-JUL-2019)

  • With a single mouse click, immediately identify the types of Data Subjects (and Personal Data Categories) that are affected by a Security Incident based on:

    • Applications that are involved

    • Processing Register Entries

    • Servers affected

    • Type of Incident

    • Regulator rules and Legislative Requirements

    • Data Flow, Consumption and Data Processing 

Email and Report Templates

  • Fully customizable email templates that can be tailored with logos and corporate branding, that integrate with all the systems to produce a seamless experience.

  • All emails that are sent out are automatically attached to applicable sources for audit purposes and to make operator management easy and complete.

  • Inbound email messages are automatically attached to the case they relate to.

  • Fully customizable report templates that can be tailored with logos and corporate branding.

  • Use any of the predefined reports or create your own from nearly 600 fields.

People Rating

  • The last thing a DPO wants to do is be seen to be complaining about other people that they work with; this creates an immediate conflict for the DPO. Our people rating system allows the DPO to assign tasks to the individuals responsible, and then the system will monitor their performance and rate them accordingly.

  • Periodical board reports can be generated to identify those people that are "not doing the right thing" based on the current and prior star rating of an employee.

  • If an employee continually demonstrates poor performance, they may need to be retrained or replaced as a heightened risk to the organization.

  • The configurable algorithm behind this process makes it twice as easy to lose stars as it is to gain them.

  • All People Rating Reporting can be provided to the board or management as part of the GRC without the DPO feeling like they are reporting a co-worker and creating any animosity.

Law Search

  • An amazing, super-fast law repository search engine that allows both simple and advanced searches to find exactly what you are looking for in an instant.

Get in touch with us today for a free online demonstration

The Records Management System in the GRC is based on contemporary enhancements to the International Council on Archives (ICA) Principles and Functional Requirements for Records in Electronic Office Environments (ISO 16175), ISO 15489 - Records Management, and ISO 23081 - Records Management processes - Metadata for Records.

The Country and Regional Management System is based on ISO 3166 and ISO 4217.

The GRC is designed to comply with ISO 19600 - Compliance Management Systems.

The Policies and Standards are compliant with ISO 27002 - Information technology – Security techniques – Code of practice for information security controls and ISO 31000 - Risk Management. Other ISO Standards used for Risk Assessment in the GRC include ISO 29151 - Information Technology Security Techniques, ISO 29134 - Guidelines for Privacy Impact Assessments and BS 10012 - Personal Information Management and ISO 20000 - Incident Management.


© 2010 - 2019 SPTG LLC, GDPR Forensic Limited. All rights reserved.

Data Protection*Services and are Trademarks of GDPR Forensic Limited (UK) and associated companies.

All prices on this website are EUR/EURO "€" unless otherwise stated.

The star logo and the DPO and CA seals are Trademarks of GDPR Forensic Limited,

unauthorised use is prohibited.