Outsourced DPO Services

There is often confusion as to when an organisation needs to hire a Data Protection Officer (DPO) – many believe this is only when the business has more than 250 employees. This is not the case and demonstrates a lack of understanding of the GDPR.

A DPO is required by law if:

• You are a public body or authority.
• The core activities of the business (data controller, or processor) consist of processing operations which, by virtue of their nature, require regular and systematic monitoring of data subjects on a large scale.
• The core activities of the business (data controller, or processor) consist of processing on a large scale of special categories of personal data – and those relating to criminal convictions and offences.

If any element of your processing activities is included in the above criteria and you do not currently have a DPO in place, then you are breaking the law – and the Information Commissioners’ Office (ICO) would not look favourably in the event of a data breach.

Even if you don’t fall into these categories, an outsourced DPO is advisable – often seen as best practice – if your processing activities include the following:

• Outbound marketing for third parties. If your business conducts outbound marketing activities for 3rd parties and you handle personal data relating to this, then we recommend you AT LEAST have access to a DPO to ensure you stay within the boundaries of both the GDPR and marketing legislation including PECR – Privacy & Electronic Communication Regulation 2003.
• You provide outsourced platforms for specific business departments – such as Sales/Marketing/IT/HR. You may process special category data without being aware of it.
• Your business provides CCTV or other recording/monitoring services. In the event of receiving a Subject Access Request, there are certain obligations you will need to consider.
• Your business transfers large amounts of data on a global scale, on behalf of third parties. You will need to be aware of the risks associated with global data transfers and political factors, such as Brexit which affect your ability to conduct cross-border data transfers.

From our Head Office in Bedford, near Milton Keynes – and just 40 minutes from London, the PRIVACY HELPER Team consists of highly experienced, certified GDPR professionals who can provide specialist guidance in any area of data protection – ensuring your obligations under the legislation are covered in every way.

• IT and Technical/Systems Processes– our guidance can ensure your IT and online systems offer the appropriate level of protection for the personal data you process. Recommendations will be made if improvements or upgrades are required.
• Legal– legal advice based on your existing data sharing agreements, on matters such as Brexit, the latest adequacy decisions and your general obligations as data controllers.
• Records Management– appropriate storage and retention of appropriate documents.
• Marketing– guidance on specific marketing activity/strategy. Does it satisfy the conditions of consent under GDPR and marketing legislation including PECR 2003?
• Data Minimisation– are you collecting excessive or unneccesary amounts of personal data in any areas of your business?
• Privacy by Design & Default– do you consider privacy at the start of any new projects involving personal data? Have you completed a DPIA? This may be a legal requirement.
• Cyber Security– to ensure your online activity has adequate protection – penetration testing would be a recommended start.

Our DPO Service includes

Complete review of any reporting documentation from your GAP analysis (if completed by another consultancy)

• This helps us to understand your current privacy maturity (and risk appetite) – and what has been or needs to be implemented as part of your remediation programme.
• If you have not had a GAP analysis completed, then our data protection experts will begin one to immediately identify the risks of your processing activity before we begin our DPO Service.

Assisting with the implementation of a project plan for any remediation work recommended off the back of your GAP analysis.

• This allows you to demonstrate to any external parties that you have a scheduled privacy plan in place, with project milestones to be completed by a certain date.
• Assisting with creating your Records of Processing Activity (ROPA) register – Article 30, GDPR.
• This is a legal requirement for some organisations. For others, we highly recommend creating a ROPA as it allows you to understand precisely what personal data is held by the business – and where. Not only does this ensure you provide adequate protection and retention periods to appropriate data, but it makes Data Subject Requests easier to administer as you know where the data is stored.
• Supplier data privacy risk assessment and review of data sharing agreements with the supply chain.

As a data controller, you are responsible for the processing activities and privacy maturity of your supply chain (data processors). If their activities are not compliant, then you will be liable in the event of a breach caused by them involving your personal data. This process protects you from this unnecessary risk.

• Assisting with the creation of your suite of written policies and procedures reflecting the privacy framework of your business.

This suite of policies satisfies the accountability principle of the GDPR, which requires you to prove your compliance, rather than just “claiming it”. These documents must reflect actual your processing activities.

Hands-on support in the case of data breaches.

• Under the GDPR, from the moment a data breach is discovered, you have 72 hours to investigate the incident and decide if it is serious enough to be reported and for the data subjects to be contacted. If it risks the rights and freedoms of the data subjects, then they must be contacted via the appropriate channels.
• Fines have already been imposed by data protection regulators for failure to report breaches within the 72 hours, so the pressure really is on – would you know how to manage this internally?

As part of our DPO Service, we will activate your breach management procedure, provide hands-on specialist support and be the point of contact for the ICO if notification is required.

Please contact us to discuss this service and our fees.

For Corporate and higher-risk engagements, the DPO service would extend to:

Access to Designated Privacy Specialists

You will have access to a consistent team of certified privacy specialists to coordinate the completion of specific tasks required to embed a strategic privacy program.

We will act as mentors to named “Privacy Champions” in each department to improve knowledge, understanding and awareness of privacy and help to embed privacy controls at a local level. These Privacy Champions would be tasked with completing specific remediation tasks and the Team would oversee their work and ensure deadlines are met.

Nominated members of the Team will be available to speak to “out of hours” in the event of a serious incident or personal data breach.

A Bespoke Strategic Privacy Roadmap

As DPO, we will be responsible for creating a robust strategic plan for improving for improving the level of compliance with the GDPR across your business. The strategy will be designed to align with your strategic priorities and values in a way that addresses current gaps without reducing operational efficiency.

The Roadmap will reflect the risk appetite of the business and ensure that any process changes are risk based and proportionate.

Expert Advice on Privacy Matters

Acting as your DPO, we welcome the business at all levels to involve us in ideas and new concepts in which personal data is, or may be involved. This is called “privacy by design & default” and is evidence of data protection being embedded within the business and it being a forethought, rather than an afterthought.

Board Reporting

The GDPR requires that the DPO has access to the highest level of an organisation’s management structure.

To ensure your organisation can meet this requirement, Privacy Helper will produce regular reports to be presented to the relevant Board/Committee.

The reports will typically include comment on the performance of the privacy program against agreed KPIs.

• An overview of work completed in since the previous reporting period.
• Insight into the types of risks currently faced by the business.
• A high-level action plan of work to be completed during the next reporting period.
• Significant or notable regulatory updates from any/all Supervisory Authorities the business is in scope of.

Annual Re-fresh Audit

This is a good way to accurately gauge the improved compliance maturity in the business – a mini audit focusing on the significant risks in the first audit and documenting how these have been addressed and remediated

Why should you engage with the PRIVACY HELPER DPO Service?

• We are independent of your organisation – any decisions, or recommendations we make consider any risks to the rights and freedoms of the data subject – a key requirement of the GDPR.
• Many companies instruct a senior manager, or Head of IT to be “named DPO” – this often creates a conflict of interests as you will be focused on the interests of the business, rather than the interests of the data subject – a clear breach of the GDPR!
• It is also unlikely your “named DPO” will have extensive experience in data protection legislation.
• We have expert knowledge of European data protection legislation and can interpret this into the activities and risk appetite of your business.
• The UK GDPR/Data Protection Act 2018 are legal documents and our privacy specialists can interpret the demands of the legislation to fit any industry-specific legislation you are bound by.
• Any remediation activity must be within the “reasonable expectations” of the business. If excessive investment is required, this may not be expected of you – we will provide guidance on these matters.
• All members of the Privacy Team are experienced, certified professionals with over 35 years of collective working in data protection.
• Your monthly DPO fees provide complete access to a full, multi-skilled Privacy Team, rather than a single member of staff for a similar cost.

Get in touch today to speak to our expert consultants and let us take the worry out of your GDPR programme – it could be the best call you make today to give your business the confidence it needs to tackle this obstacle.