111SKIN – NormCyber Case Study 


NormCyber partnered with the luxury skincare brand to drive forward its data privacy practices, leading to a four-fold increase in compliance scores and a tangible improvement in day-to-day operations.

Founded in 2012 by world-renowned plastic and reconstructive surgeon Dr Yannis Alexandrides, 111SKIN is a global skincare brand that bridges the gap between scientific innovation, luxury and community. Beloved by A-listers, high-profile makeup artists, and skincare connoisseurs, 111SKIN is also highly regarded by some of the most reputable editors and industry bodies.

In brief

  • Seeking to set its operations and employees up for success amidst expansion, 111SKIN appointed an external DPO to oversee its comprehensive data privacy programme
  • Norm’s Data Protection Premium service provides 111SKIN with full access to a certified, lawyer-led team providing sector expertise to continue improving day-to-day operations
  • With clear KPIs and round-the-clock support, 111SKIN embedded data privacy further into the DNA of the organisation

The challenge

Following the luxury skincare brand’s rapid growth, policies and processes needed to be adapted to reflect 111SKIN’s continuous commitment to data protection and GDPR compliance.

Data privacy is a top priority for us, so we knew it was time to bring experts in. Norm was recommended to us, and after speaking with the team, we were ready to try it their way. We haven’t looked back since!” said Alice Facey, Chief of Staff at 111SKIN.

To enable its future growth strategy, 111SKIN sought help with reviewing its policies, simplifying its data protection procedures and delivering a comprehensive programme around data privacy.

The solution

Firstly, Norm conducted a comprehensive risk assessment into how the company was meeting ICO expectations. Looking under the bonnet, Norm’s experts identified both long-term objectives – in line with 111SKIN’s commercial goals – and immediate next steps to make day-to-day data protection practice simpler and more effective.

Other than being central to good customer care, an effective data protection regime is key to showing our team that we’re looking after them, this was a particular priority for me. It was important for us to ensure our employees are confident, informed and vigilant, and know who to turn to for help. Norm is this lifeline for us,” Alice says.

Norm’s Data Protection Premium Service delivers the highest level of support to help 111SKIN maintain an effective privacy framework. The programme is tailor-made to meet 111SKIN’s specific requirements and delivers all the benefits of having a full-time in-house DPO for approximately a quarter of the cost. This includes:

  • Review of policies, processes, and practices – assessing how the company is meeting ICO expectations
  • Review of data protection T&CS in contracts with suppliers and partners – including drafting and updating legal agreements, and liaising and negotiating with third parties
  • A clear Action Plan containing tailored recommendations and benchmarks for measurable business improvements
  • Support for Subject Access Request (SARs), data processing/sharing agreements, Data Protection Impact Assessments (DPIAs), email marketing concerns, website compliance, complaints to the ICO and other data protection-related issues
  • 24/7/365 data breach service availability
  • Tailored training sessions for staff involved in processing operations
  • Attendance at internal meetings and further, regular communication in the form of newsletters, webinars, reports and ad-hoc advice

The results

We understood that a comprehensive improvement programme would take time, so we were delighted with how quickly the Norm team were able to make a difference,” Alice says. “Within six months, they reviewed and updated all our policies, removing unnecessary complexity, jargon and admin. They also ensured that the documents we were left with were all accurate, practical – in that everyone understands them and knows how to access them – and actually needed. This clarity has been a game-changer for us.

Following the initial risk assessment in 2021, Norm gave 111SKIN a data protection health score based on the effectiveness of its policies, procedures and compliance with GDPR and other ICO requirements. Serving as a clear benchmark, the score not only guides 111SKIN’s continual improvement efforts but also enables it to compare its progress to industry peers, with scores of 80+/100 representing best practice.

Within three years, 111SKIN has significantly improved its data protection compliance score, putting it in the top bracket among industry-leading organisations. This ROI was not the only tangible improvement to the organisation’s daily operations. With data protection assigned to a dedicated function, data subject requests became faster to resolve, and the guidance – delivered both ad-hoc and in regular monthly meetings – gave every team manageable goals to work towards, paving the way for wider cultural change around data privacy.

We wanted to create a real momentum around our new data privacy programme,” Alice explains. “A foundational piece to this was ensuring that everyone knew who Norm’s experts were and how to seek their advice, whether they are a new-starter or senior leaders. This was then a catalyst for continuous learning. Norm gave our leadership vital training into spotting these tactics, and delivered other relevant, bite-sized training to other teams, too – instilling confidence at every level of the organisation.

We have developed a strong relationship with our Norm DPO and his associate, who have consistently provided us with valuable advice throughout our three-year partnership. They have been adaptable to our working methods and considerate of our workload.” Alice concludes: “Having Norm on board has given us reassurance, results and clarity. Far from being a box-ticking exercise, under Norm’s guidance, data protection awareness is a workable, efficient and at times even entertaining activity. Their vast expertise, simplicity-seeking approach and humour have been instrumental in helping us embed data protection in our cultural DNA. It has been a real partnership from the start that we’re very much looking forward to continuing.”