UK Biscuit Manufacturer


This UK biscuit manufacturer is behind some of the country’s most iconic brands. A change in corporate structure led it to re-assess its data protection policies and procedures, to make sure they were consistent across the entire business.


In Brief

  • As well as meeting its obligation to comply with UK GDPR, the manufacturer has a strong commitment to keeping employee data safe and initially engaged norm. to make sure group policies and procedures were consistent.
  • norm.’s Data Protection as a Service (DPaaS) module is a flexible and comprehensive offering, which can be individually tailored to meet the changing business requirements of clients like this company.
  • By appointing norm. to be its virtual data protection officer (DPO), the company has met its data protection requirements, while at the same time easing the workload on its in-house legal counsel.

The challenge
For this well-known biscuit manufacturer, compliance with UK GDPR has always been a top business priority, not just to reduce the risk of breach-related fines and reputational damage, but also because it has always felt a very strong duty of care to its employees. As the company works with external providers, it pays particularly close attention to how employee data is shared with trusted third parties.

In the past, the company turned to external lawyers for ad hoc assistance to ensure it was meeting its regulatory obligations. However, following a change in the business, together with a recommendation from a key stakeholder, it decided to take advantage of norm.’s Data Protection as a Service (DPaaS) offering.

“We take data protection very seriously, not just because it’s the law to comply with GDPR, but also because we owe it to our team to look after them and their data,” explains the manufacturer’s legal counsel. “While we’ve always managed data protection issues in-house, the changes to our business meant we had to revisit our strategy to make sure it fitted wider group objectives. The scale and complexity of the project meant it was time for us to seek dedicated and highly-specialist help. norm.’s proven experience made it the perfect candidate.”

The solution
The delivery of norm.’s data protection managed service is led by Robert Wassall, Director of Legal Services, a qualified solicitor and data privacy expert. As an initial step, Robert and his team worked hand-in-hand with the customer’s legal counsel to review and adapt existing policies and templates, to make sure they were uniform and fit for purpose.

“We had a high degree of confidence in our policies from a compliance point of view, but Robert and the team played an invaluable role in making sure they also adhered to best practices,” the legal counsel continues. “Most impressive was norm.’s ability to tailor these best practices to meet our exact business requirements and, as a result, we now have a comprehensive set of policies, procedures and templates. This doesn’t just help us ensure our ongoing GDPR compliance, it also makes our data protection programme much more efficient and effective than ever before.”

As a Data Protection Premium customer, the biscuit maker has round-the-clock access to norm.’s team of experts. This service includes:

  • Continuous and proactive recommendations on how the group can bolster and/or streamline its data protection practices
  • Ongoing review of contracts with third parties
  • Full support of Subject Access Requests (SARs)
  • Data Protection Impact Assessments (DPIAs)
  • Personal Data Breach Service Availability 24/7/365
  • Attending quarterly GDPR meetings to help develop a data protection culture across the entire group

“Because norm. understands our business and our data protection policies, it is ideally placed to provide us with relevant, actionable feedback on how we can continue to improve our posture and streamline our operations, particularly as we introduce new technology, suppliers and working practices. The team is extremely proactive and is always coming to us with valuable insights and advice,” says the in-house lawyer.

With the policies and procedures now in place and working optimally, the company intends to run a series of data protection training courses, each of which will be tailored to the needs of different teams and job roles. The norm. team will take the lead in developing and delivering these training modules, ensuring that everyone at the company understands the crucial role they play in protecting sensitive information.

The benefits
For the company’s in-house lawyer, it’s the added extras that Robert and his team provide that make the difference. As they explain, “norm. always goes above and beyond each and every day. For example, the team isn’t content with making sure we are all set from a GDPR compliance perspective, it also wants to make sure our programme runs as smoothly and efficiently as possible. It’s this combination of data protection expertise and business acumen that sets it apart from more traditional law firms. Even better, norm.’s predictable monthly pricing model means we are able to access truly world-class support without ever having to worry about racking up ‘on-the-clock’ legal fees.”

With norm. taking full responsibility for managing and improving data protection activities, the company’s in-house team now has more time to spend on other mission-critical activities. 

As the legal counsel concludes, “Robert and his colleagues are constantly coming to us with suggested improvements and are always willing to assist in a pragmatic way with tasks that would normally be handled in-house. We can now prioritise more strategic projects, safe in the knowledge that norm. has all aspects of our data protection covered. They really are a trusted part of our team.”