
Aquaculture Stewardship Council

NormCyber’s Premium Data Protection Service guides globally-focused seafood standards charity through complex data privacy regulations, helping it establish a culture of compliance at every level


Aquaculture Stewardship Council (ASC) is a registered charity driving strict standards for responsible seafood farming in over 115 countries across the world. Established in 2010, ASC has grown to become a benchmark in aquaculture standards, and plays a crucial role in certification, traceability and partnerships with global seafood suppliers, retailers and farms. ASC-certified products can be found on the shelves of most British retailers including Tesco, Waitrose, Sainsbury’s and M&S.

In brief

  • Handling extensive amounts of data, ASC needed an effective data protection strategy to mitigate risks, comply with global regulations and protect sensitive data
  • NormCyber’s Data Protection Service was the natural choice, offering a tailored approach that met ASC’s unique business needs
  • ASC benefits from an on-demand external Data Protection Officer (DPO), a comprehensive Human Risk Management programme and continuous support in meeting its data protection obligations

 

The challenge

ASC operates a complex, global supply chain. It provides technical standards to aquaculture farms seeking certification to validate their responsible environmental and social practices, which is a strict requirement for market access.

As an organisation setting global standards for responsible practice, ASC has a strong obligation to maintain watertight data protection to safeguard its own data and good reputation. Richard Ryan, Chief Operating Officer at ASC, was acutely aware of the risks facing the organisation, and sought an external DPO to help navigate these complexities.

“Every time we transfer sensitive data, store confidential information in our company systems and communicate with our partners overseas, it’s vital that we do so in a compliant way that keeps us and our systems secure,” Ryan explained. “We realise data protection is not a box-ticking exercise and that data breaches can occur at any level of the organisation. It was crucial that we adopt a forward-thinking approach to data protection and get external help in embedding a culture of awareness throughout the ASC.”

The solution

When ASC made the decision to enlist a managed data protection services provider in 2021, Norm was the obvious choice for Ryan, who already had a long-standing professional relationship with Norm’s Director of Legal Services. “External legal support proved to be an invaluable asset at my previous company, especially with the introduction of GDPR. When I joined ASC, I was keen to continue this relationship, and Norm felt like the natural fit for the company. We haven’t looked back since,” Ryan explained.

Norm started by conducting a thorough, in-depth review of ASC’s policies and processes, setting a baseline for how its efforts measured up against industry regulations and identifying any gaps in its data protection that could put the company at risk. Norm then drew up a compliance work plan, designed to proactively address data protection at ASC.

“Norm provides a clear framework that helps us understand just what we need to do to stay ahead of evolving regulations and keep our data safe,” Ryan said. “We’ve always been impressed with Norm’s ability to think two steps ahead and a particularly great example of this was the suggestion of – and subsequent help in – drafting an AI policy for us.”

Norm’s Data Protection Service provides full-scale, tailored support that ensures ASC remains compliant with the latest in ICO expectations and global regulations. With Norm acting as ASC’s external DPO, the organisation saves approximately half the cost of an equivalent in-house hire while giving internal teams time back to focus on daily business operations.

Norm delivers a wide array of benefits to ASC, including:

  • Regular one-on-one meetings with Norm’s DPO
  • Tailored reports providing an overview of ASC’s compliance, notification of impending legislative updates and benchmarks of the organisation’s improvement in data protection
  • Support in drafting, refining and implementing data protection policies and practices – including a data breach policy and help with international data transfers
  • Reviewing contracts and other legal documents with suppliers
  • Proactive policy updates and assessments in line with the latest in ICO and EU guidance
  • Comprehensive staff training sessions, instilling a culture of data protection across the company

“We have a great system in place thanks to Norm and equally valuable is the strong rapport we’ve built with the team. We really enjoy working with them. They are highly knowledgeable, approachable and remarkably easy to collaborate with,” Ryan said. “We can always reach the team if we have an urgent question, but we particularly look forward to our regular meetings. Next to keeping us on the straight and narrow, these sessions provide an open forum to collaborate in a relaxed environment. We listen to the advice, take it seriously and commonly agree on what should be done for the best of the organisation. It’s a genuine partnership, tailored perfectly to our needs.”

The results

Since partnering with Norm, ASC has gained clarity and confidence in its data protection operations, which has led the company to expand its relationship with Norm. Realising that people are the first line of defence when it comes to information security, ASC took on Norm’s Human Risk Management module to evolve data protection from a purely executive-level responsibility to a company-wide commitment, ensuring that every staff member understands their role in safeguarding sensitive information.

“Norm has instilled in us a culture of data protection that is rooted in continuous improvement, so it wasn’t long before we decided we wanted to extend our programme to cover human risk management,” Ryan explained. “The service is incredibly comprehensive – from specifically developed materials to regular training delivery and granular reporting on the results – and yet it’s easy for us to oversee. Norm’s reporting dashboard gives us total transparency into our staff training as well as wider data protection efforts – it makes it easy to see where we’ve improved and highlights areas we can turn our attention to next.”

Norm provides ASC stakeholders with an up-to-date visual overview of the strength of the company’s data protection efforts, supported by bespoke reporting that includes tangible metrics on how the company is progressing on its compliance work plan. A larger, annual report is also available for the ASC board committee and external auditors.

“We do a compliance benchmarking exercise once a year and it’s been great to see our scores climbing – we were up 20 percent in our latest report. Getting to 100 percent across the board is not realistic for any business operating in the global economy, but our goal is to continually lower our risk exposure as new external pressures present themselves. We know that Norm’s guidance and pragmatic approach will help us keep working through new challenges.”

In conclusion, Ryan added, “Ultimately, what makes Norm invaluable is the reassurance we get that we’re upholding the highest degree of trust by prioritising data privacy – you can’t put a price on total peace of mind.”