Three domains had the highest concentration of Non-Compliant controls. These represent the most immediate remediation priority because they combine regulatory exposure with operational vulnerability.
LiStDan Finance had no documented Incident Response Plan, no breach notification procedure, no communications escalation chain, and no breach register at the time of assessment. For a platform processing financial data and personal information for 100,000 users, this means any security event — data breach, service disruption, or fraud incident — has no structured response.
GDPR Article 33 requires notification to the supervisory authority within 72 hours of becoming aware of a personal data breach. That window cannot be met without a documented procedure, an identified escalation chain, and a maintained breach register. This is not a future risk. It is an active compliance gap.
Findings in this domain: GA-004 (Incident Response Plan), GA-034 (Breach Notification Procedure)
Nine of the ten GDPR-specific findings were Non-Compliant or Partially Compliant. LiStDan Finance was processing personal data for 100,000 users across ten data types — including biometric KYC data and real-time behavioural profiles — without a Privacy Notice, without documented lawful basis, without Data Processing Agreements with any vendor, and without conducting a DPIA for any of the three processing activities that met the DPIA threshold.
These are active regulatory violations. The risk is not just enforcement action; it is reputational. A platform processing payment data and biometrics for 100,000 users with no privacy documentation in place is not a company users or partners can confidently trust.
Findings in this domain: GA-028 through GA-036
IAM misconfigurations and incomplete MFA enforcement were documented across cloud infrastructure, backend microservices, and fraud detection systems. No formal Access Control Policy existed. Over-privileged accounts and the absence of a PAM (Privileged Access Management) framework were explicitly flagged in the risk register as unresolved HIGH-rated vulnerabilities.
For a fintech platform whose staff have internal access to payment data, transaction records, and KYC documents, access control gaps create fraud risk as well as compliance exposure against both ISO 27001:2022 and NIST CSF v1.1.
Findings in this domain: GA-007 (Access Control Policy), GA-008 (MFA Enforcement), GA-009 (PAM Framework)