Overall Compliance Level: LOW

0 of 36 applicable controls were fully compliant at the time of assessment.
20 controls were Partially Compliant. 16 controls were Non-Compliant. 0 controls were Not Applicable.

LiStDan Finance has genuine foundational work in place: a structured risk register, a comprehensive asset inventory, detailed data flow mapping, and vendor risk evaluations for all eight vendor relationships. The critical gaps are in governance documentation, GDPR obligations, and incident response. These are not infrastructure problems. They are documentation and process gaps — which means they are fixable on a defined timeline with clear ownership.

| Status | Count | Percentage |
|---|---|---|
| Compliant | 0 | 0% |
| Partially Compliant | 20 | 56% |
| Non-Compliant | 16 | 44% |
| Not Applicable | 0 | 0% |

| Domain | Compliant | Partially Compliant | Non-Compliant |
|---|---|---|---|
| Organisational Controls | 0 | 2 | 3 |
| Incident Management | 0 | 0 | 1 |
| Business Continuity | 0 | 0 | 1 |
| People Controls | 0 | 1 | 3 |
| Physical Security | 0 | 2 | 0 |
| Technological Controls | 0 | 6 | 1 |

| Function | Compliant | Partially Compliant | Non-Compliant |
|---|---|---|---|
| Identify | 0 | 4 | 1 |
| Protect | 0 | 1 | 2 |
| Respond | 0 | 0 | 2 |
| Recover | 0 | 0 | 1 |

| Article | Compliant | Partially Compliant | Non-Compliant |
|---|---|---|---|
| Art. 6 — Lawful Basis for Processing | 0 | 0 | 1 |
| Art. 13/14 — Privacy Notice | 0 | 0 | 1 |
| Art. 25 — Privacy by Design | 0 | 1 | 0 |
| Art. 28 — Processor Obligations (DPA) | 0 | 1 | 0 |
| Art. 30 — Records of Processing | 0 | 1 | 0 |
| Art. 32 — Security of Processing | 0 | 1 | 0 |
| Art. 33 — Breach Notification | 0 | 0 | 1 |
| Art. 35 — Data Protection Impact Assessment | 0 | 0 | 1 |
| Art. 37 — DPO Designation | 0 | 0 | 1 |