We support clients across core Data Protection and Information Security controls such as the UK GDPR and UK Data Protection Act 2018 but have a wealth of experience in the wider Legal and Regulatory Controls that organisations must adhere to.


PECR should be considered alongside the Data Protection Act, in relation to specific types of data processing.

These include: where you are using personal information to carry out direct marketing; if you’re using certain types of cookies on your websites and, potentially, if you provide a function that allows someone to look up contact details of individuals on a directory. In addition there are further requirements for electronic communications service providers.

Evolve North can help you consider if your current promotional activities would be classed as direct marketing, making sure you’re carrying out marketing in line with current privacy law. This will include considering whether or not you need consent from individuals, which may be influenced by your marketing approach and who you’re targeting. We can also help you understand whether you can continue to use your marketing lists in the same way, and any implications of ‘bought in’ lists.

We also help organisations understand the types of cookies they use currently, whether a cookie notice may be required on websites, and help you develop cookies policies that effectively inform website users about how their data is used and their options for not sharing information via cookies.


We provide help and guidance to health and social care organisations implementing the Data Security and Protection Toolkit

The NHS England Data Security & Protection Toolkit allows organisations that process health and social care data to demonstrate their compliance with Data Protection Law and the National Data Guardian Data Security Standards. It will be used by the Care Quality Commission to monitor best practice.

We can support you in fulfilling the requirements of the DS&P Toolkit in a number of ways. This may include carrying out an independent audit of your current evidence to identify areas where further work may be needed. We also help to fill gaps in current areas of compliance, such as identifying and recording your information assets, risk assessing these assets, ensuring appropriate reviews of third parties are being carried out, helping train your staff, or developing new policy, procedure and guidance documents.

Evolve North’s mix of governance and data security expertise, and extensive experience of working with health and social care organisations, makes us ideally placed to support your needs in this area. 


The National Institute of Standards and Technology (NIST)Cyber Security Framework is a framework to help organisations manage and reduce their cyber security risk. It uses a common language and set of best practices for managing cyber risk across an organisation.

The framework is designed to be adaptable and flexible to adjust to the needs of different organisations of any size in any industry. It is structured around five core functions – Identify, Protect, Detect, Respond, and Recover – these represent the basic cyber security activities that any organisation should undertake to manage and reduce cyber security risk.

Although typically used by US-based organisations, it is becoming more common in the UK and Europe.

Enforcement and Penalties

In the case of breaches or non-compliance, the National Cyber Security Centre (NCSC) has the authority to investigate and enforce actions against violators. Penalties can reach up to £17 million or 4% of global turnover. Public disclosure of offending organisations is also possible.

Understanding NIST

The National Institute of Standards and Technology (NIST) Cyber Security Framework provides a common language and best practices for managing cyber risks across organisations. Structured around five core functions—Identify, Protect, Detect, Respond, and Recover.

Who Needs NIST?

While not legally mandated, NIST is beneficial for organisations with complex supply chains or relationships involving US entities. Recognised by the Information Commissioner’s Office (ICO), it offers a robust approach to assessing IT security and data protection capabilities.


The Network and Information Systems Directive has been designed to improve the cybersecurity and resilience of network and information systems across the EU. It was transposed into UK law through the Network and Information Systems Regulations 2018 and was amended in 2021 to reflect the UK’s status as a non-EU country. The NIS regulations require certain organisations take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of their network and information systems, and to report significant incidents to the NCSC in the UK.

Who is obligated to comply with the regulations?

The regulations apply to operators of essential services (OES) and digital service providers (DSPs) that are based in the UK.

The NCSC defines OES as entities that are essential for the maintenance of critical societal and/or economic activities that rely heavily on network and information systems. They can include organisations in energy, transport, health, banking, and digital infrastructure. For DSPs, the NCSC guidance defines a digital service provider as ‘an organisation providing cloud computing services, online marketplaces, and search engines.’

In the event of a breach, or non-compliance with the regulations, the NCSC has the power to investigate and take enforcement action against the offending organisation. The NCSC may choose to issue enforcement notices requiring an organisation to take specific actions to remedy any breach of the regulations or levy financial penalties of up to £17m, or 4% of global turnover, as well as publicly naming and shaming those organisations that breach the regulations.

What are the requirements?

The specific requirements set out by the NCSC for complying with the directive include:

  • Security measures
  • Incident reporting
  • Identification of critical systems
  • Risk management
  • Cooperation with the NCSC
  • Record-keeping

We can support organisations looking to achieve and maintain these Legal and Regulatory controls, whether it is a high-level recommendations and guidance, gap analysis, documentation and reporting, tactical project delivery, deep dive auditing of compliance or continued remedial support, Evolve North are expertly positioned to help.

Talk to a specialist now – call 01748 905 002 or email [email protected]