Data Protection & Privacy

Overview


Data Protection & Privacy evaluates how a company safeguards the confidentiality, integrity and lawful use of personal and sensitive information belonging to customers, employees, suppliers and other stakeholders. It covers:

  • compliance with global regulations - GDPR, CCPA/CPRA, LGPD, PDPA, HIPAA, PCI-DSS - across data collection, processing, retention, cross-border transfer and deletion;
  • implementation of privacy-by-design and by-default principles in products, services and systems architecture (encryption, tokenisation, anonymisation, differential privacy);
  • governance structures - board oversight, Data Protection Officers (DPOs), data-governance councils and incident-response teams - with clear accountability and reporting lines;
  • robust information-security controls (identity & access management, network segmentation, vulnerability management, third-party due diligence) that protect personal data from breaches and unauthorised use;
  • transparent user communication - privacy notices, consent mechanisms, data-subject-rights portals (access, rectification, erasure, portability) - and timely breach notifications;
  • continuous monitoring, audit and improvement cycles, with metrics on breach frequency/severity, regulatory fines and resolution times, aligned with frameworks such as ISO/IEC 27701, the NIST Privacy Framework, GRI 418 and EU ESRS S4 (Data & Privacy).

Subtopics
