Our client provides a software-as-a-service platform that offers two types of service. One is a communications service – like an intranet – that enables staff within an organisation to communicate seamlessly with each other. The other service is Virtual Reality training – the platform links with VR headsets supplied by our client. They asked us to help them with data protection compliance.

Context and Challenge

The nature of our client’s business means that they collect many different types of personal data. Some of this data will be contained in messages sent by our client’s customers’ staff to each other as they communicate at work. These kinds of messages would not necessarily only be work related. We had to come up with ways to prevent users of the communications service from uploading personal data that might, for example, be classified as special category data.

In addition, our client is a subsidiary and part of a much wider group. Data processing and control was split across different companies within the group so we had to look at this, liaise with other stakeholders in the group and come up with ways to better regulate data flows within the group.

Process and Insight

As with all data compliance projects we began by creating a data map that set out what personal data our client was collecting, where it was stored, who has access to it, lawful grounds for processing etc.

All our meetings with the client and other key members of the client’s group were conducted through video calls.

Having created the data map we were then able to start drafting the necessary policies and privacy notices and we updated our client’s contract templates to make them data compliant.


We provided our client with all of the policies and privacy notices that they needed. We also created simpler and more appropriate data transfer agreements governing data flows within the client’s corporate group. To address the challenge of the communications platform and messaging between customer staff members we created a set of platform rules for users to adhere to.


Our client ended up with appropriate data policies and notices in place and, four months on since adopting these new standards, there have been no difficulties with our client’s customers, many of whom are large organisations and state authorities.