A collaborative and valuable engagement. Stratiformis helped break down a complex regulatory subject matter into clear, actionable plans and business outcomes, and supported the end-to-end shaping and implementation of the program over 18 months. Having a trusted advisor and SME alongside our team meant a more efficient and focused delivery overall.
The Challenge
Two of our global insurance clients required expertise and support to perform a comprehensive GDPR gap analysis across their operational and technology landscape, followed by shaping and establishing a forward-looking remediation programme. Both organisations had large and complex technology estates, including 100+ applications and platforms processing personal data, and needed a focussed approach to assess their GDPR exposure, prioritise remediation, and embed effective privacy controls aligned with expectations from the ICO. Key challenges included:
- Application sprawl – A large, evolving inventory of legacy and modern applications with varying levels of documentation and ownership.
- Unclear data landscape – Limited visibility and inconsistent understanding of where personal data resided, how it flowed, and who was accountable.
- Prioritisation difficulty – Need to focus effort on the highest-risk applications based on sensitivity and volume of personal data.
- Resource and time constraints – Requirement to rapidly assess a large operational and technology estate and produce an actionable roadmap.
Our Approach
Working with the C-suite (CIO and COO), along with key stakeholders from Technology, Information Security, Legal and Operations (Underwriting, Claims, etc.), we delivered a structured GDPR Gap Analysis, governance design, and implementation roadmap. This included:
• Operational data and inventory consolidation: Compiled a comprehensive list of operational PII, applications and platforms in scope for GDPR, incorporating historic appendices and the current estate to produce a single validated inventory.
• Risk-based prioritisation: Performed an initial review of the application estate and agreed a prioritised shortlist based on personal data sensitivity, data volume, and current control maturity.
• IT-focused GDPR assessment: Conducted detailed assessments using a structured methodology and questionnaire to identify privacy and security gaps across high-priority systems.
• Gap and risk identification: Evaluated controls across access management, encryption, logging, retention, third-party processing, and incident response.
• GDPR risk definition and appetite: Developed a common IT-focused GDPR risk statement and defined a practical risk appetite aligned to business strategy and market best practice.
• Stakeholder alignment: Facilitated workshops to agree ownership, accountability, and reporting expectations.
• GDPR delivery roadmap: Produced a prioritised implementation roadmap outlining remediation initiatives, timelines, and ownership.
• Embedding into BAU: Defined processes to ensure privacy-by-design within change, project delivery, and technology lifecycle management.
A critical success factor was translating technical GDPR requirements into practical, risk-based actions and embedding ownership across IT and business teams to ensure sustainable compliance.
The Outcome
• Comprehensive GDPR application risk assessment across the operational and technology estate
• Prioritised GDPR remediation roadmap
• Improved regulatory readiness and sustainable privacy-by-design capability