There is often confusion as to when an organisation needs to appoint a Data Protection Officer (DPO) – many believe this is only when the business has more than 250 employees. This is not the case: the 250-employee figure comes from the Article 30 record-keeping exemption, not from the DPO provisions in Article 37, and applying it here demonstrates a misunderstanding of the GDPR.

A DPO is required BY LAW if:

  • You are a public body, or authority.

  • The core activities of the business (data controller, or processor) consist of processing operations which, by virtue of their nature, require regular and systematic monitoring of data subjects on a large scale.

  • The core activities of the business (data controller, or processor) consist of processing on a large scale of special categories of personal data – and those relating to criminal convictions and offences.

If your core activities fall within any of the above criteria and you do not currently have a DPO in place, then you are in breach of Article 37 – and the Information Commissioner’s Office (ICO) would not look favourably on this in the event of a data breach.

Even if you don’t fall into these categories, an outsourced DPO is advisable if your processing activities include the following:

  • Outbound marketing for third parties. If your business conducts outbound marketing activities for third parties and you handle personal data relating to this, then we recommend you AT LEAST have access to a DPO to ensure you stay within the boundaries of both the GDPR and marketing legislation, including PECR – the Privacy and Electronic Communications (EC Directive) Regulations 2003.

  • You provide outsourced platforms for specific business departments – such as Sales / Marketing / IT / HR. You may process special category data without being aware of it.

  • Your business provides CCTV or other recording / monitoring services. In the event of receiving a Subject Access Request, there are certain obligations you will need to consider.

  • Your business transfers large amounts of data on a global scale, on behalf of third parties. You will need to be aware of the risks associated with global data transfers and of political factors, such as Brexit, which affect your ability to conduct cross-border data transfers.

From our Head Office in Bedford, near Milton Keynes – and just 40 minutes from London, the Privacy Helper Team consists of highly experienced GDPR consultants who can provide specialist guidance in any area of data protection – ensuring your obligations under the legislation are covered in every way.

  • IT and Technical / Systems Processes – our guidance can ensure your IT and online systems offer the appropriate level of protection for the personal data you process. Recommendations will be made if improvements or upgrades are required.

  • Legal – legal advice based on your existing data sharing agreements, on matters such as Brexit and your general obligations as a data controller.

  • Records Management – appropriate storage and retention periods for the documents you hold.

  • Marketing – guidance on specific marketing activity / strategy. Does it satisfy the conditions of consent under the GDPR and marketing legislation, including PECR 2003?

  • Cyber Security – to ensure your online activity has adequate protection; penetration testing would be a recommended start.


Our DPO Service includes:

  • Complete review of any reporting documentation from your GAP analysis (if completed by another consultancy).

    This helps us to understand your current privacy maturity – and what has been or needs implementing as part of your remediation programme.

  • If you have not had a GAP analysis completed, then our data protection experts will conduct one to identify the risks of your processing activity before we begin our DPO Service.

  • Assisting with the implementation of a project plan for any remediation work recommended off the back of your GAP analysis.

    This allows you to demonstrate to any external parties that you have a scheduled privacy plan in place and specific projects will be completed by a certain date.

  • Assisting with the creation of your Records of Processing Activities (ROPA) register – Article 30, GDPR.

    This is a legal requirement for most organisations: the Article 30(5) exemption for businesses with fewer than 250 employees does not apply where the processing is likely to result in a risk to individuals, is not occasional, or includes special category or criminal offence data. Even where it is not required, we highly recommend creating a ROPA, as it allows you to understand precisely what personal data is held by the business – and where. Not only does this ensure you apply adequate protection and retention periods to the right data, but it makes Data Subject Requests easier to administer, as you know where the data is stored.

  • Supplier data privacy risk assessment and review of data sharing agreements with supply chain.

    As a data controller, you remain responsible for the processing your supply chain (data processors) carries out on your behalf, and may only use processors that provide sufficient guarantees of compliance (Article 28). If their activities are not compliant, you can be held liable alongside them in the event of a breach caused by them involving your personal data. This process protects you from that avoidable risk.

  • Assisting with the creation of your suite of written policies and procedures reflecting the privacy framework of your business.

    This suite of policies satisfies the accountability principle of the GDPR, which requires you to demonstrate your compliance rather than just “claim it”. These documents must reflect your actual processing activities.

  • Hands-on support in the case of data breaches.

    Under the GDPR, once you become aware of a personal data breach you have 72 hours to notify the ICO (Article 33), unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned – and that window must also cover the investigation needed to make that judgement. If the breach is likely to result in a high risk to those individuals, you must also contact them without undue delay through the appropriate channels (Article 34). A notification made after 72 hours must be accompanied by the reasons for the delay.

    Fines have already been imposed by European data protection regulators for failure to report breaches within the 72 hours, so the pressure really is on – would you know how to manage this internally?

    As part of our DPO Service, we will activate your breach management procedure, provide hands-on specialist support and be the point of contact for the ICO if notification is required.

  • Monthly report submitted to the Board.

    Monthly update to the Board on our progress with the project plan and on any data subject request activity.


Secondment:

We also offer secondment!

If you have a one-off major project to complete, then you can engage with our specialists to ensure a Privacy by Design approach is maintained throughout the development phase. This gives you peace of mind to ensure all privacy risks are addressed before the project goes live.

We will also liaise with the appropriate Supervisory Authority (if not the ICO) if their approval for processing is required under the GDPR.

This service can be useful if you don’t require or want access to an outsourced DPO for a whole year… just for the duration of a project.

The Seconded DPO can work remotely or be based with you on site, depending on location and nature of the project.

Please contact us to discuss this service and our fees.


Why should you engage with the Privacy Helper DPO Service?

  • We are independent of your organisation – any decisions or recommendations we make are in the best interests of the data subject – a KEY requirement of the GDPR.

    Many companies instruct a senior manager, or Head of IT, to be the “named DPO” – this often creates a conflict of interests, since that person is focused on the interests of the business rather than those of the data subject, and Article 38(6) of the GDPR requires you to ensure the DPO’s other duties do not result in such a conflict.

    It is also unlikely your “named DPO” will have extensive experience of data protection legislation!

  • We have expert knowledge of European data protection legislation and can interpret this into the activities of your business.

    The GDPR and the Data Protection Act 2018 are legal texts, and our privacy specialists can interpret their demands alongside any industry-specific legislation you are bound by.

  • Any remediation activity must be within the “reasonable expectations” of the business: Article 32 requires security measures appropriate to the risk, taking into account the state of the art and the cost of implementation, so excessive investment may not be expected of you – we will provide guidance on these matters.

  • All members of the Privacy Team are specialists in their own fields and members of the IAPP – International Association of Privacy Professionals.

  • With our collective expertise, you have access to a highly skilled team without the pressure on your payroll.   Your monthly fees provide complete access to at least FOUR consultants - each with their own specialist field.

Get in touch today to speak to our specialist consultants and let us take the worry out of your GDPR programme – it could be the best call you make today to give your business the confidence it needs to tackle this obstacle.


Brexit & DPO Services:

Brexit is a real concern for most companies operating in the UK and EU – there is a genuine chance we will not be granted adequacy.

If we do leave without a deal or adequacy, what are the data protection implications, and will I need a DPO in the UK?

If you are established in only one of these territories but offer goods or services to, or monitor, individuals in the other, you will need to designate a representative in the territory where you have no establishment (Article 27 of the EU GDPR, and the equivalent provision of the UK GDPR). The DPO requirement itself does not automatically double: a single DPO may cover establishments in both territories provided they are easily accessible from each (Article 37(2)), but they must then keep track of two diverging regimes – the UK GDPR under the ICO and the EU GDPR under the EU supervisory authorities. For that reason you may prefer a DPO on each side: the UK DPO overseeing processing operations in the UK, while the EU DPO oversees processing operations in the EU.

The UK DPO will be tasked with updating the business on the activities and guidance issued by the UK ICO – and interpreting this as to the operational implications.

The business should review all data sharing agreements that currently govern the transfer of personal data into and out of the UK. If the UK becomes a third country without an adequacy decision, transfers INTO the EU from the UK can continue (the UK has indicated it will treat the EEA as adequate), but transfers INTO the UK from the EU will no longer flow freely: each will need an Article 46 safeguard such as Standard Contractual Clauses or Binding Corporate Rules, or must fall within an Article 49 derogation, otherwise it is unlawful.

Remember that the DPO role is one that upholds the rights of the data subject, therefore it is not appropriate for a senior director to hold this position – it creates a conflict of interests.

The DPO role should also be occupied by an individual with experience and knowledge of EU and UK data protection legislation.

Speak to us today – we can explain how Brexit (as it stands) is likely to affect your business and how Privacy Helper can ensure your processing activities continue smoothly…and legally. Alternatively, please visit our new dedicated Brexit page.



Our Packages & Fees:

Outsourced DPO - Bronze Package
Outsourced DPO -  Silver Package
Outsourced DPO - Gold Package
Outsourced DPO - Platinum Package

In keeping with our ethos, our pricing structure is simple, straightforward and highly competitive!

We charge £125 per hour (plus VAT), per consultant, irrespective of the task, or engagement. This is highly competitive compared to other London GDPR consultancy services – why pay more for GDPR compliance, if you still have access to the experts?

When on site, our working day is 9am – 5pm.  For site visits, reasonable subsistence expenses are charged, however these are all agreed by you in advance. On large-scale projects, where our Global Privacy Consultants are engaged, fees are £1,250 + VAT.

Our hourly rates mean you only pay for EXACTLY the time we need for the task – our hours are recorded on timesheets, so we are fully accountable for time vs tasks!

At Privacy Helper, we pride ourselves on tailoring packages to suit your business – your needs and your budget.  That is why we don’t offer pre-packaged services that your business has to try and fit into.

Once we have conducted the data discovery phase, or reviewed your existing GAP analysis documents, we’ll propose a set number of days per month – based on the size of the business, the challenges you face and the amount of guidance you’ll need from us.

This resourcing model is perfect for most companies, as it offers you the flexibility to use our time intensively when the need arises, but to keep time to a minimum at other times.  You remain in complete control of your budgets!


The Privacy Helper DPO Service can take the worry out of your everyday business activities, as you have on-going access to a team of privacy specialists who can offer expert advice on all areas of your business operation.

  • No more “guesses” by the Board or Management trying to decide if your new marketing activity can go live – you may be stopping it unnecessarily.

  • No more trying to understand what a customer, or a client means when they make a privacy request – and your obligations around this.

  • No more responding to a client due diligence form and not being sure what they are asking for regarding your privacy activity.

  • No more trying to understand the latest ICO guidance – the Privacy Helper team will interpret it for you and tell you exactly what it means for you, and how to adjust to it.

  • No more thinking “we are compliant” and hoping for the best!

Get in touch today to speak to our specialists and let us take the worry out of your business operations – we will ensure you have a sustainable, demonstrable privacy programme that grows organically with your business.


Why choose us?

Click here to find out why we are the UK’s #1 privacy consultancy.


How much will this cost?

Our pricing structure is simple, straightforward and highly competitive. Head over to our pricing page and take a look at our most popular packages.


What next?

Get in touch via our contact us page, tell us about your business and a member of our team will get back to you.


Other services you may be interested in from PRIVACYHELPER

 GDPR Consultancy

Our Privacy Team consists of expert data protection consultants in the fields of IT & Technical, Legal, Records Management and Marketing.

Get started >

 Training

An effective, demonstrable training programme can be the difference between the ICO imposing monetary fines – or not, even if your data privacy programme has just started.

Get started >

 Marketing

Is your marketing activity legal? We can make sure it is.

Get started >