Find your GDPR risks today. Non-compliance can be costly…

Every company thinks they are compliant with GDPR, or thinks they have done enough to prepare – but have you, and is it really “enough”? Could you provide a robust IT Security Policy, or a DPIA Policy, on demand as part of a new tender document?

In our experience, most companies have not done enough, which leaves you open to undiscovered data breaches and ICO investigations leading to potential enforcement action. With the GDPR being in place for well over a year, there really is no excuse to have little in place to demonstrate your preparations.

If this sounds like you, the Privacy Helper team can be on site in a matter of days – and identify your processing risks in just a few hours.

For many organisations, lack of compliance begins with the website, which should be considered your shop window:

  • Website is insecure – prone to compromise by hackers, giving them an easy way in and a means to cause problems.

  • No details of ICO registration as a data controller (where registration applies) – paying the data protection fee is a legal requirement, and the ICO can impose fixed penalties of up to £4,000 for failing to do so.

  • Lack of a Privacy Notice, or one that still references the Data Protection Act 1998 or contains other inaccuracies – you are legally required to be transparent about your processing activity.

If your website lacks these three basic elements, it suggests to potential clients that your business has done little to prepare for GDPR – which puts them at risk by engaging with you.

Many businesses have come to us with this problem – we call it the “Ripple Effect” – an organisation is asked by a potential client to supply specific policies demonstrating their GDPR compliance, but they don’t have these, potentially losing that new client.

Our extensive GAP Analysis is designed to address this hurdle before it becomes an issue, by independently gauging how compliant you are with the GDPR – and what is required to improve your business practices to address this. Every organisation requires some form of remediation – GDPR is an on-going effort and nobody is perfect.

The key benefits of this process are:

  • To provide you, the data controller, with an accurate snapshot of how ready the organisation is to comply with the requirements of the GDPR / Data Protection Act 2018.

  • Highlight your current risks and necessary steps – in a high-level executive summary

  • Provide a clear, high level plan to achieve full compliance for the business

  • Identify areas that require immediate attention – those of critical status

  • Collect intelligence to deliver a strategy for achieving sustainable GDPR compliance


How we do it & our fees:

The structure is identical for all businesses; only the number of consulting days varies with the size of the organisation. There are three audit types:

  • GDPR Gap Analysis - Bronze Package
  • GDPR Gap Analysis - Silver Package
  • GDPR Gap Analysis - Gold Package


Basic audit

  • For organisations with a single office and UP TO FIVE departments, a single consultant requires TWO working days – one conducting a site visit, the other working remotely to create the report.

  • Two working days: £1,900 + VAT (plus reasonable subsistence expenses)


Intermediate audit

  • For organisations with a single office and MORE THAN FIVE departments, a single consultant requires FOUR working days – TWO conducting the site visit, TWO working remotely to create the report.

  • Four working days: £3,800 + VAT (plus reasonable subsistence expenses)


Advanced audit

This is ideal for larger businesses with multiple sites and MORE THAN FIVE departments. Depending on your requirements, our Privacy Team will visit all sites to conduct the audit, then work off site to complete the report. The number of consulting days will depend on the scale and complexity of the business – therefore, our fees will be confirmed after we have spoken in more detail.

Our aim is to come away from your business with a good understanding of how personal data flows into, around, and out of your business – the mechanism for each transfer and the legal basis in every case.

Stage 1 (off-site):

  • Initial research on your organisation

  • Website scan; review of the structure of the organisation and number of employees, the nature of the industry, and the status of your registration with the ICO.

  • Creation and delivery of an itinerary for our time with you.

Stage 2 (on site):

  • GAP Analysis on site.

  • Initial GDPR introductory session for all staff. The session gives staff at all levels of the business an understanding of the current data protection legislation compared with the previous Data Protection Act 1998, the obligations of the business and the rights of individuals. It also helps staff understand the nature of the work we will be doing during our time on site. It is vital that staff receive training on how GDPR affects their job, as a high proportion of breaches are due to a lack of staff awareness. The introduction we deliver will complement any training they receive or have previously received.

  • In-depth discussion with each department as to how personal data is processed in their specific area. This helps us understand what types of personal data enter the business and from whom – your supply chain, business partners or clients. Typical questions include:

    • Data in: How is this personal data received – via a secure mechanism? What additional security measures apply during the transfer? Is it sent from within the UK, or from overseas?
    • Purpose and lawful basis: For what purpose will you use this personal data, and is that in line with the expectations of the data subject? There are six lawful bases for processing under Article 6, and at least one must be identified for each processing activity. Have you documented yours?
    • Retention: How long do you store this personal data? Do you have specific retention schedules based on the types of data processed?
    • Storage and access: How is the data stored on your server, and what security measures have you implemented to protect it? Do you use role-based access? What backups does your server run? Do all staff use company-owned devices (laptops / mobiles), or their own?
    • Third parties: Which outsourced third parties have you engaged, and have you conducted due diligence on them? Do you have data sharing or processor agreements in place with all business partners and suppliers? If a third party suffers a breach affecting personal data from your company, you remain accountable as the controller; your position is only defensible if you can show that contracts are in place and due diligence has been completed.
    • International transfers: If data is imported from the EU, have you considered a strategy for a No Deal Brexit? If you have US-based contacts, are they registered with Privacy Shield? (Note that Privacy Shield was invalidated by the CJEU in July 2020; transfers to the US now require another mechanism, such as standard contractual clauses.)

  • Based on these criteria, we expect to spend around an hour with each department.

  • We complete our time on site with a round-up meeting with the key stakeholders to summarise what we have found and (if applicable) our greatest concerns. There may be some immediate improvements you can implement ahead of our report being delivered. 

Stage 3 (off site):

Writing of our report, which will comprise:

  • A summary of all departmental conversations – split by individual processing, or data transfer activity.

  • Our comments in relation to this activity – does it put the data subject at undue risk, does it constitute a breach of data protection legislation, or is it a perfectly legitimate processing activity?

  • Our recommendations as to this processing activity. If there are risks, how can these be addressed / mitigated?

  • The report will be delivered in traffic light-format, enabling you to identify: the critical areas (RED), areas to be addressed within the remediation plan (AMBER) and areas we are not currently concerned about (GREEN).

We will also deliver an Executive Summary, presented to key stakeholders, which summarises our main findings and includes a section on our recommendations – what you need to do, how to achieve it and the impact each task will have on your compliance journey. We aim to deliver all reports within a week of our time on site – very often within a matter of days.

If you engage us for remediation or on-going guidance, we will devise a complete compliance plan with tasks and milestones for each project, created in line with the required tasks and your budget.

Remember – the Privacy Helper team are experts in performing GAP analysis audits. Our work in each department is detailed and meticulous, so you can be confident we will identify the risks involving personal data within the business. The on-going guidance we can provide as part of the remediation stage will help to address these issues, giving the business the confidence of a sustainable GDPR programme.

Get in touch today to book a visit from our specialists and we can be with you in as little as 24 hours – don’t leave it until you have a proposal or tender deadline to meet – as this could cost the business dearly.

 

 

Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.

 

How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.

 

What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.

 

Other services you may be interested in from PRIVACYHELPER

DPO services

We offer DPO packages to suit your business needs – from a basic advisory service for smaller businesses to integrating ourselves within the operation of larger businesses.

Get started >

GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

Get started >

Training

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.

Get started >