The Flowz approach

Flowz is a SaaS (Software as a Service) business, which provides a solution to record the information flowing around an organisation. The software provides a risk score against the information and flows within the organisation, assisting in the compliance of the new GDPR law.

Product Features

Many of the articles can be mapped together to give a logical and simple 5-step approach to on-going GDPR compliance (click here for more information). This all starts with knowing what data you hold, about who, for what purpose and the lawful basis. For this reason, much of the initial effort towards GDPR compliance by organisations is first data flow mapping, followed by implementation of systems and processes to capture new processing activities from creation and engage management control for the life of that processing activity. This all comes together in a rich Record of Processing Activity.

Flowz takes the minimum information required for a Record of Processing (), and allows users to add attributes to the data collection templates to enable them to collect data and report on any aspect of their data processing – although it isn’t necessarily only personal data which can be mapped and reported in Flowz, as many customers are using Flowz for other purposes, including corporate data () and contract management.

Flowz adds the facility to give attributes risk indicator values so that information risk can be reported against proportional mitigating controls to meet the conditions for appropriate Security of Processing () and give overall risk indicator values to processing activities for effective DPO monitoring and reporting (GDPR article 39).

Some of the unique benefits that Flowz offers come from overlaying the () approach and definition of Primary Assets. This enables Flowz to report on the different lawful basis (GDPR article 6) for processing of data at rest () and transactional data () and the varying risk of each.

Flowz then introduces a variety of enhanced functions to provide a firm foundation for compliance assurance, including:

  • Evaluation of data processing contracts against ()
  • Public interest test evidence ()
  • Legitimate interests of the data controller test ()
  • Assessment of breach reporting requirements ()

Finally, Flowz messaging and workflow automation makes the whole arrangement easy to manage and deploy, for maximum assurance and management control.

The benefits of using Flowz


Supports or delivers GDPR information asset requirements such as

  • Data Flow Mapping
  • Information Asset Risk Register
  • Identifying where contracts and sharing agreements are required
  • Identifying flows outside the UK
  • Identifying flows which should be pseudonymised
  • A valid and up to date risk assessment programme for all Information Assets and flows
  • Anti-virus, access control and Business Criticality for Business Continuity
  • Network security and mobile and remote working security

Significantly reduces the risk of fines


Reduces the on-going cost of managing information flows and assets through a simple browser-based interface


Supports GDPR information audit requirements such as

  • Confidentiality audit
  • Multi-professional records and availability audit
  • Internal and external coding audit
  • Coding audit programme
  • Completeness and validity audit
  • Information lifecycle audit

Assists with ISO27000 standards compliance


Helps to identify those information assets you didn’t know you had


Ensures information flow mapping becomes a valuable resource rather than a costly annual exercise

Professional Services


Personalised Configuration

Flowz is configured for all small to medium sized companies who purchase the Essentials, Business and Premium Business packages on our website. We offer custom configuration for all enterprise packages, where our dedicated team personalise the system, specific to your organisation.’ To ‘While we offer an out of the box system, we offer services to conjure Flowz to your exact requirements, quickly and easily.


While the Flowz system is intuitive and easy to use, many customers prefer to have training from the system author.  Dependent on your approach to training, we are able to provide End User and also Train the Trainer training, either on-site or via WebEx.   Be sure to discuss your training requirements with us, so we can design the best solution for you.

Data Import

Do you have any existing data that you think can be used in your Flowz system?  Our technical team may be able to import this data for you, to save you time in getting Flowz up and running.

We will review a sample of the data to see if it can be used and the best way to use it in Flowz, then provide you with an estimate of the associated costs and timeline, to help you get up and running as quickly as possible.

Single Sign On

Through the use of open industry standards and specifications such as SAML 2.0, Flowz can leverage customers’ existing Single Sign-on solutions to manage access to our application.
Support includes SAML 2.0-compliant Federated SSO solutions such as Microsoft Active Directory Federation Services (ADFS) and Shibboleth.


Deployment Support

Getting started with Flowz is just a click away. Our team consists of experienced project managers who can guide you every step of the way. We take pride in the work we deliver for our customers and we have a dedicated team of people that will help you manage your organisation, teams, managers and risk owners ensuring everyone knows what needs to be done to comply with the GDPR.

GDPR Support pack

Our GDPR Support Pack combines mandatory and useful GDPR policies, procedures, checklists and templates, with supporting documents for complaint handling, risk management, audits and monitoring, information security and more.


Creating an asset

Creating a flow



General Data Protection Regulation
In order to demonstrate compliance with this Regulation, the controller or processor should maintain records of processing activities under its responsibility. Each controller and processor should be obliged to cooperate with the supervisory authority and make those records, on request, available to it, so that it might serve for monitoring those processing operations.
The Freedom of Information Act 2000 (FoIA) enshrines the rights of the public to access information held by public bodies.
In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
ISO 27005 provides guidelines for information security risk management.
ISO 27005 supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
ISO 27005 defines Primary Assets as ‘Business Processes and Activities’ and ‘Information’, whereas the National Archive defines it as ‘a body of information, defined and managed as a single unit so it can be understood, shared, protected and exploited efficiently. Information assets have recognisable and manageable value, risk, content and lifecycles.’
A Data Flow is a type of Information Asset (see above) which represents the transactional component element of a business process (ISO 27005 definition) and the packet of exchanged data also meets the criteria for an information asset in the NA definition.
28(1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.
6(1) Processing shall be lawful only if and to the extent that at least one of the following applies:
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
6(1) Processing shall be lawful only if and to the extent that at least one of the following applies:
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
33(1) In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.