Outsourced DPO Consultancy
And how good is your data protection?
Privacy can be a tricky area – it can be complex and demanding but you can’t ignore it because the consequences of getting it wrong can be severe for any organisation.
For many with data protection management responsibility, the GDPR project in 2018 was the start and end of it. For some, the drive to become GDPR compliant occurred several years ago but not a great deal has happened since.
Is this the case with your organisation?
Has you organisation changed in the last few years?
Do you worry about the privacy risks?
–> probably yes.
Have you revisited your privacy programme since?
–> probably not.
Do you have a working privacy programme?
–> it’s hard to say!
Is it now time to review privacy?
–> probably yes.
Click here to find out more V-DPO
Imperfect data protection may lose you business – is it time to get ahead of the competition?
Businesses nowadays are increasingly risk assessed for data protection. If you are bidding for a contract or looking to work with a new partner, your data protection capability is likely to be scrutinised. You’ll need to demonstrate how you comply with UK GDPR and be able to answer some tough questioning.
Its far easier and more cost effective to have access to an experienced data protection officer, with full certifications, who can be trusted to respond eloquently and effectively. A DPO can make all the difference to win that deal.
You can tailor the service from 1 hour per month to as many days per week as you require.
If you need to comply with GDPR and require cost-effective, independent and practical guidance, have a look at our affordable V-DPO service.
And how safe is your supply chain?
We all know supplier management can be difficult but some of your supplier relationships may turn out to be your greatest source of privacy risk. How safe are your suppliers? Many well publicised data protection incidents are found to originate via an organisation’s own supply chain.
How trustworthy are your suppliers and are you safe? Do you know?
Its time to get organised and get on top. Don’t let poor supplier management become your achilles heel.
Our vDPO service will help you establish effective supply chain management to reduce risks and build trust with your third party suppliers.
Outsourced DPO FAQ
A Data Protection Officer will typically undertake several tasks including:
- Provide expert guidance on data protection and privacy
- Report to Top Management on data protection related matters
- Undertake data protection audits
- Give advice on Data Protection Impact Assessments (DPIA)
- Participate in the response and handling of personal data breaches (and other non-compliances with data protection legislation)
- Assist with Data Subject Access Requests (DSAR) and SAR
- Provide privacy and data protection training to staff
- Monitor compliance with UK GDPR and other data protection regulations
- Prepare data protection policies and procedures
- Be the contact point for liaison with data subjects and ICO
- Ensure adequate data protection records are maintained
A Data Protection Officer should have expert knowledge of data protection legislation. A good certification is the IAPP Certified Information Privacy Professional/Europe qualification (CIPP/E).
There are several organisations offering professional data protection certification however the most popular (as used by many lawyers specialising in privacy) is the International Association for Privacy Professionals (IAPP).
A DSAR (also known as a Subject Access Request or Right of Access), is a right of individuals to access and receive a copy of their personal data held by an organisation, who is the data controller. Whenever a data controller receives a DSAR, they must respond by following the procedure set out in Article 12 GDPR. DSAR's can be made either verbally or in writing, including via social media and typically must be fulfilled within a month.
An Appropriate Policy is a UK Data Protection Act 2018 (DPA 2018) compliance requirement for organisation’s that process special category and/or criminal offence data. See also ‘ What must be covered in an Appropriate Policy? ‘ in this FAQ.
An Appropriate policy shows how the processing of special category and/or criminal offence data Is compliant with the requirements of GDPR Article 5. In particular, it should cover the retention policies for these data types.
As a takeaway, any organisation seeking DPA 2018 compliance, that processes employment or social security data, must have an appropriate policy document.
A Data Protection Impact Assessment (DPIA) is a type of risk assessment that helps organisation’s record and minimise the data protection risks to individuals, as a result of their planned processing operations.
DPIA’s must be completed in advance of the planned data processing. For any processing likely to result in a high risk to individuals and cannot be reduced, you must consult the ICO before the processing is undertaken.
The ICO says ‘You must ensure that:
- the DPO is involved, closely and in a timely manner, in all data protection matters;
- the DPO reports to the highest management level of your organisation, ie board level;
- the DPO operates independently and is not dismissed or penalised for performing their tasks;
- you provide adequate resources (sufficient time, financial, infrastructure, and, where appropriate, staff) to enable the DPO to meet their UK GDPR obligations, and to maintain their expert level of knowledge;
- you give the DPO appropriate access to personal data and processing activities;
- you give the DPO appropriate access to other services within your organisation so that they can receive essential support, input or information;
- you seek the advice of your DPO when carrying out a DPIA; and
- you record the details of your DPO as part of your records of processing activities. ‘
Source: UK ICO
UK GDPR requires organisation’s to appoint a Data Protection Officer if their core activities involve the large scale processing of special categories of data or data relating to criminal convictions and offences. This is particularly relevant for healthcare companies accessing and processing NHS patient data, as part of their service.
DPO’s must also be appointed if you are a public authority or your core activities require large scale, regular and systematic monitoring of individuals (e.g. online behaviour tracking)
ICO guidance recommends the following items should be described:
Description of personal data processed – give a brief description of the special category and / or criminal offence data involved.
Schedule 1 condition for processing – provide the name and paragraph number of your applicable Schedule 1 condition(s) for processing
Procedures for ensuring compliance with the DPA 2018 principles – describe how your organisation complies with the accountability principle, lawfulness, fairness and transparency principles, the purpose limitation principle, the data minimisation principle, the accuracy principle, the storage principle, and finally the integrity and confidentiality (security) principle.
Retention and erasure policies – how long will the personal data be retained for each category of together with details as to how will the data will be securely erased.
Next review date – when the policy will be re-assessed and signed off by senior management
It's important to note, that the Appropriate Policy must be retained for 6 months after the date your organisation stops processing the relevant data.
+44 (0)203 397 0142
DLP Assured Services Limited
152 - 160 City Road