Lou Lwin


Cundall Johnston and Partners is a global, multi-disciplinary consultancy delivering sustainable engineering and design solutions across the built environment. Cundall has 26 offices with more than 1000 consulting engineers and designers who are empowered to act with flexibility and agility in response to the local market conditions and practices. They hold true to the values that have always underpinned the success at Cundall and have a clear vision for the future development of the business.

Founded: Founded in 1976
Target customer: 

The Challenge

What challenges were you and your team experiencing before working with us – what prompted you to seek a solution? I think particularly in our sector, the AEC sector, we do not have the same data challenges as say, a bank or financial organisation would have. As a result, we had a lower awareness level of what GDPR compliance looks like and what good data health looks like. That’s not to say we didn’t have policies and processes in place, but because we didn’t have a mature Data Protection capability, we had no one with that particular skillset to walk us through how to improve our compliance. I joined Cundall two and a half years ago and noticed very quickly that we needed to have that next level of expertise to safeguard a fast-growing business. I saw an opportunity to either hire in-house or outsource our DPO obligations.

How did you go about searching for the solution and services? Cyberseer, an organisation we have a very good working relationship with, recommended Evalian to us as you support them with their data protection compliance requirements.

Please describe the reasons you decided to work with us. I have worked primarily to enhance Cundall’s internal capabilities, so I had a good idea of what we needed. After our initial discussion with Evalian’s commercial director, who answered all our questions very clearly, I did not feel the need to go to market, especially given the referral we had already had from Cyberseer. It was clear to us that Evalian knew data protection extremely well, and I had complete confidence in what we were going to get from the engagement. The overall cost was also very reasonable.

Did you have any expectations going into the process? Evalian has exceeded our expectations. I was looking for the guidance and advice that we need on compliance, and someone to refer to on all those topics and to provide support with any data breaches. Evalian covered all those fundamentals but what I was not expecting and was pleasantly surprised about, was the level of focus we received. The Evalian team were, and remains, incredibly proactive with all our engagements.

With other organisations, very often you must chase to get answers, we have never had to do that with our Evalian consultants.


Can you describe the process we took your business through and anything you learnt about your own business through working this way. Evalian conducted an initial discovery exercise to understand what we had in place, how we operated and what our data health looked like. Our Evalian consultants assessed our documentation too and were proactive in coming forward and saying where enhancements could be made.

Evalian has provided Cundall branded compliance literature, which I have been able to circulate to the wider company. This literature explains the risks and steps that can be taken to mitigate them, which has helped support me in raising awareness throughout the business. This approach has made what is usually a dry topic, very easy for us to communicate company-wide and obtain engagement and understanding from employees.

We also receive awareness training sessions from Evalian for specific areas such as using data protection impact assessments. These are a work in progress, and as more people join us, it is an ongoing goal to ensure our workforce has knowledge and awareness of our compliance obligations.

Were there any challenges you found along the way and how did you feel we or your consultant, helped to support you through that? I suppose any bumps in the road have come from – as previously mentioned – not having that specific data protection expertise in-house before Evalian came on board. So, whilst we had policies in place and an overarching understanding of what our main data protection obligations were, we did not understand the detailed terminology at that point, and the level of data health needed for a company of our size. However, these issues were almost immediately overcome by the Evalian calls and training, which helped our teams understand the risks.


What has been the most significant achievement for your business facilitated by using our services? Evalian’s approach has been a huge time saver for us and a welcome relief because now we are sharing the responsibilities and know we have on-demand support. Overall, the engagement has raised awareness of our data protection compliance responsibilities throughout the global business.

Our capacity for other work has also increased now that Evalian has stepped in to handle our data protection obligations. The DPO engagement has had an instant impact on our IT department which are very aware of potential cyber risks to our business. Our engagement with Evalian has helped guide our cyber security strategy, and this has been a vital aspect of having a rock-solid DPO capability. The knowledge, clear guidance and direction from our consultants have helped us adjust our approach to how we do things and have given us the confidence that what we are doing is right.

  • This field is for validation purposes and should be left unchanged.


Talk To Us:

If you’ve had a data breach, are confused about DPOs, or would like to discuss penetration testing or cyber incident response training, please give us a call or email us. We promise no hard sell and only real-world guidance.

We love to talk privacy and security and we’d be delighted to discuss your requirements. If we can’t help for any reason, we’ll probably know someone who can.

Get In Touch