Our Product

Flowz is a SaaS (Software as a Service), which provides a solution to record the information flowing around an organisation. The software provides a risk score against the information and flows within the organisation, assisting in the compliance of the new GDPR law.

Flowz is a software tool that brings together risk management of data assets and presents them back to the organisation in custom of views to support compliance with regulatory obligations, including for taking a risk-based approach.

As standard, Flowz is configured to support compliance with the UK/EU General Data Protection Regulation [link to GDPR], is extremely configurable, and can be easily adapted to gather data, risk assess and provide multiple user-defined views.

Flowz can be used for any type of data asset, including for non-personal data, e.g., to support compliance with the Freedom of Information Act.

Flowz supports full compliance with the requirements of GDPR article 30 for both controllers and processors.

Risk management drivers in GDPR

Recital 76: Risk Assessment

The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. 
Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk.

Article 32: Security of processing


Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

Article 39: Tasks of the Data Protection Officer

The data protection officer shall in the performance of his or her tasks have due regard for the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Article 24: Controller

Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. 

Those measures shall be reviewed and updated where necessary.

Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

Recital 83: Security risk assessment

In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption.

Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected.

In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.

The Benefits of using Flowz

Helps to identify those information assets you didn’t know you had

Ensures information flow mapping becomes a valuable resource

Assists with ISO27000 standards compliance

Supports GDPR information audit requirements such as:

  • Confidentiality audit
  • Multi-professional records and availability audit
  • Internal and external coding audit
  • Coding audit programme
  • Completeness and validity audit
  • Information lifecycle audit

Significantly reduces the risk of fines

Supports or delivers GDPR information asset requirements such as

  • Data Flow Mapping
  • Information Asset Risk Register
  • Identifying where contracts and sharing agreements are required
  • Identifying flows outside the UK
  • Identifying flows which should be pseudonymised
  • A valid and up to date risk assessment programme for all Information Assets and flows
  • Anti-virus, access control and Business Criticality for Business Continuity
  • Network security and mobile and remote working security