Data Privacy, Data Protection & Information Security

Data Privacy, Protection & GDPR Compliance

Pragmatic, cost-effective advice and support


Specialist consultancy for professional practices to help manage data privacy, information governance and information security to ensure that data is secure and that people, processes and technology are fully compliant with the Data Protection Act, GDPR and other legal requirements.

Services include managed data protection and compliance management software to provide confidence in your operating systems and independent assurance.

DataWise Software Application


A cybersecurity dashboard designed and built to manage Data Protection in a single dashboard. Mobile-friendly, simple to use and practical with a comprehensive register of all your data assets, data processes and risks.


DataWise provides practical features and templates for data protection compliance, allowing your practice to automate and control many of the tasks required to comply with legislation like the Data Protection Act 2018 (DPA) and General Data Protection Regulation (GDPR).


Key Features


Asset Register:  A comprehensive register of all of your IT and data assets, data processes and flows, giving you a 360º view of your data processing activities including owner, location, security, controls, etc.


Activity Reports:  DataWise enables activity reports to be generated to provide managers with a summary of all of the user activity on the system with ease.


Training & Awareness:  A comprehensive log of all formal training and user awareness sessions you run, including dates, attendees and the material covered.


Risk Register:  Details identified risks and their respective date, owner and risk rating, and provides a framework for Privacy Impact Assessments allowing you to demonstrate a risk-based approach to compliance.


FOI & SAR:  A user-friendly workflow engine ensures comprehensive recording and a timely response for all FOI and Subject Access requests.


Incident Log:  A log of security incidents and near misses, how they occurred, how they were dealt with, who was involved and so much more.


Task Reminders & Workflow:  DataWise automatically reminds users to carry out tasks assigned to them. It also tracks what is done by whom and, crucially, when.


Pre-Built Templates:  Purpose-built templates include data sharing agreement, privacy impact assessment, due diligence questionnaire, and about 30 different policy documents.


Agreement Repository:  A register of all of the agreements you have – who they are with, start/end dates, principal terms.


Resources Library:  A library of resources – model contracts and policies, training materials, and much more.


Document control:  A drop box of all your company policies, handbooks, procedures, etc., including when they were last reviewed and by whom, and whether they are confidential or public.


Audit Schedule:  A schedule of internal audits – audit scope, who audited, audit outcome, corrective/preventive actions, task management engine and workflow.


Services

  • GDPR Support Desk

    The Support Desk service is based in Leeds and is staffed by a team of qualified and experienced data protection law and GDPR consultants, specialists and practitioners.


    We help with all nature of data protection queries, and provide consultation with the following:


    • Personal data breach response and handling
    • Assessing data protection risks
    • How to respond to Data Subject Access Requests (DSARs) lawfully
    • GDPR advice, e.g. establishing controller/processor relationship
    • DPA 18 exemptions advice
    • PECR / direct marketing guidance
    • Assisting with Legitimate Interest Assessments (LIAs)
    • Advising on how to obtain and record consent lawfully

    We also undertake:


    • Remote audits on suppliers
    • Consent mechanisms review
    • Data retention audit and review
    • Data Protection Impact Assessments (DPIAs)
    • Information Asset Registers (IARs)
    • Review of third-party data sharing/processing agreements
    • Writing/reviewing policies and procedures

    GDPR Support Desk Service Delivery


    The Leeds-based team offers email and telephone support. They will give you an estimated response time frame for your data protection support query via an email notification with a case number. 


    You have access to a bank of GDPR and UK data protection regulations knowledge and resources to help you with any questions you may have regarding data protection.


    Framework


    You will receive informative and simple to understand advice from data protection and GDPR consultants able to provide training resources, templates and checklists to help you with your basic GDPR rules and regulations compliance journey. 


    That includes the Information Governance Framework (IGF) – a full index of data protection policy/procedure templates and registers to record processing activities.


    GDPR Support Packages


    These data protection and GDPR Support packages can be provided as an addition to other services or can be bought stand-alone.



  • Data Protection Compliance Audit

    To comply with data protection law, it is essential to periodically check and evidence your compliance.


    How does this work?


    An experienced data protection practitioner will request a handful of key documents in advance of a full site audit to help them prepare to complete your data protection compliance audit. They will attend your premises for at least two days and, through interviews, observation and review of your records and documentation, determine the data protection and GDPR compliance of your data handling operations.


    The assessor of your data protection compliance will prepare a compliance report rating your work practices against all aspects of the relevant data protection law, advising of non-compliances and offering advice and recommendations for improvements.


    Why Choose Us?


    The team are specialists in Data Protection and Information Security with a track record of providing invaluable expert advice, guidance and action - respected and established leaders in their field of expertise.


    The data protection compliance team have decades of practical experience and a thorough understanding of what compliance looks like. As their practice spans data protection and information rights law as well as cyber security, they are qualified to advise on a broad range of matters.



  • SAR Redaction Support

    Handling a subject access request is resource intensive. Contact us to discuss how we can resolve your SAR headaches!


    Why do you need this support?


    Subject Access Requests (SARs) are a cornerstone of Data Protection Law and as soon as you receive one, the clock starts ticking as you have only one month to respond. Handling SARs is resource-intensive, and it requires specialist training and software. Outsourcing the application of redaction and exemptions makes commercial sense.


    The SAR Process


    The process for handling a subject access request is straightforward enough.  The time-consuming element is reviewing all of the information found through your information search. It is not uncommon for this to comprise thousands of emails, voice recordings, CCTV footage, images, logos, and other documents in a variety of formats.


    Your legal duty is to review all this information and remove (redact) all references to other people. You might also want to withhold some information through the application of one of the many exemptions to disclosure. This process can take a very long time.


    The Service


    Applying SAR redactions is boring work. It needs high levels of concentration and focus and no interruptions. Redaction fatigue sets in after only a few hours. It is the kind of work best done by people with an eye for detail and a passion for redaction who do this work by choice day-in and day-out. That’s where this service helps you.


    The SAR task force uses tried and trusted work methods to accurately, quickly and methodically work through redacting your information. There are SAR subject matter experts working within a team of data protection experts. They know what they are looking for and assuredly apply any necessary redactions and exemptions within the framework of UK law.


    The audit trail and quality assurance procedures give you peace of mind that the work we do for you will stand up to scrutiny.


    Why Use this Service?


    These teams of specialists in Data Protection and Information Security have decades of practical experience and a proven track record of identifying and mitigating risk so you can be sure you are in the safest hands.



  • Outsourced DPO

    The Outsourced Data Protection Officer (DPO) service is designed to satisfy an organisation’s legal responsibility to designate a DPO, whether that be mandatory or voluntary.


    If you are lawfully required to appoint a DPO, or choose to appoint one voluntarily – consider an outsourced Data Protection Officer arrangement.


    The Outsourced DPO's Role


    Under business as usual (BAU) the Outsourced DPO undertakes or commissions the following tasks:


    • Reviewing documentation (e.g. policies and procedures)
    • Attending client sites to monitor work practice compliance
    • Providing training/raising awareness about data protection issues/priorities
    • Undertaking or advising on DPIAs, security incident investigations, or rights requests
    • Advising on processor contracts and sharing agreements
    • Undertaking periodic data compliance audits
    • Submitting periodic compliance assurance reports to senior management
    • Liaison with and representing the client to the ICO and data subjects
    • Testing information security controls

    The DPO will also maintain or check the maintenance of:


    • Information asset registers
    • Appropriate privacy information
    • Personal data breach logs
    • Data subject rights request logs
    • Information risk register
    • Other elements of the information governance framework

    Providing the outsourced DPO can undertake the function of a Data Protection Officer as envisaged by the law, they will work with you to design an appropriate service that meets your operational needs, your budget, and ensures you remain within the law with regard to the role and responsibilities of the DPO.


    Accountability


    The account support team in Leeds will send to you, at the end of every month, a statement of the time expended on the provision of the outsourced DPO service making for transparency and accountability.



  • Managed Data Protection

    Free up your time without losing control of your data protection compliance!


    Each engagement varies from client to client depending on many factors. Managed Data Protection contracts can be short or long and our role can be light touch or very hands-on. Each contract is, therefore, flexible and tailored to address your specific data protection management requirements. 


    Service Options include:


    • Developing an Information Governance and managed Data Protection strategy
    • Drafting data sharing agreements with third parties
    • Taking day-to-day responsibility for Data Protection compliance in the client’s organisation
    • Answering information questionnaires from third parties
    • Writing up and helping to implement policies and procedures about a range of IG/ DP issues
    • Undertaking regular Data Protection compliance checking through internal audit
    • Training staff to comply with GDPR and data protection legislation
    • Attending meetings about data capture, data systems, etc
    • Providing professional expert support to existing in-house resources
    • Input into projects which may impact privacy
    • Responding to information disclosure requests
    • Carrying out information searches for subject access requests
    • Testing email unsubscribe processes
    • Creating and maintaining a log of IT and Data assets
    • Advising/ensuring that there is a vulnerability management program on IT
    • Checking that the organisational risk of data protection breaches is minimised
    • Keeping a watch over Data Protection issues in the client’s industry
    • Maintaining oversight of the law, guidance, and cases that may affect our client.

    Complimentary DataWise Subscription


    To support all managed data protection service contracts, you have access to a DataWise Subscription. 


    DataWise provides complete transparency of all managed service activity via a single management dashboard, so you will have complete visibility of all our daily, weekly and yearly actions on demand.



  • GDPR Gap Analysis

    Because you can’t solve a problem you don’t know you have!


    Why Complete a GDPR Gap Analysis?


    The purpose is to identify areas of non-compliance in relation to privacy and information rights law including the General Data Protection Regulation [GDPR], Data Protection Act (2018) [DPA], Privacy and Electronic Communications Regulations (2003) [PECR], Freedom of Information Act [FoIA], and the Environmental Information Regulations (2004) [EIR].


    How it Works


    A specialist consultant will review documentation off-site to gain an understanding of the data processing activities and to prepare for the on-site assessment. 


    The on-site element of the gap analysis typically takes one day as our consultants are experienced in getting under the skin of operations and assessing compliance. They do this through conducting interviews, workshops and observation.


    During this review they will also determine the extent to which the documentation meets the requirements of the legislation. This initial work is built on through a visit to your site(s) to test the extent to which your policies, processes and procedures are implemented and working effectively.


    Who should you involve?


    Time on site is usually spent with those responsible for information governance, IT, HR, and marketing. A facility tour is essential and we like to engage with operational teams to test their understanding of the organisation’s policies and procedures.


    Report & Action Plan


    Within a few weeks of the site visit you will receive a comprehensive report of our findings. The report contains a section on each of your obligations; an overview of the obligation and our findings backed up by evidence collected during the assessment. We will highlight non-compliance, provide advice about how to bring the area into compliance and make recommendations as to how these areas can be improved based on our extensive experience.


    If required, we will create an action plan setting out our recommendations in a prioritised timetable.


    What Clients Say


    "... a great tool for giving us a sense-check on where our GDPR compliance program was up to. It enabled us to take stock of progress, and re-base our action plan. It tested areas we thought were compliant and provided some excellent advice to help us move forward efficiently and quickly."



  • DPIA as a service

    It is a legal requirement to carry out a Data Protection Impact Assessment (DPIA) in a variety of circumstances.


    The DPIA Procedure


    Undertaking a data protection impact assessment requires objectivity and a detachment from the data processing, and it often requires a dogmatic persistence to get to the bottom of things both with colleagues and external suppliers or partners.


    Why Outsource?


    Outsourcing DPIAs makes sense for most companies. Engaging experienced data privacy professionals to ask the tough questions and objectively review and present the risks can mean your internal resources are used elsewhere.  


    Specialist data protection & privacy consultants are experienced in reviewing data processing operations.  They know the questions to ask and they know when they are not getting the answers they need to identify the risks.  


    DPIA risk assessment experts will engage with your staff, suppliers and customer groups holding meetings, conference calls and reviewing technical documentation to ensure a thorough understanding is held of all aspects of the project, its proposed data processing activities, and compliance risks.



  • Deep Dive Consultancy

    We call this a “deep dive” as the analysis is usually narrow in focus and deep in penetration.


    Deep Dive consultancy services are designed to deal with specific projects and/or to do a deep investigation of a particular Data Protection issue. This will allow you to develop a greater understanding of the issues and risks in a specific issue and to develop appropriate mitigation using expert resources.


    Why do a Deep Dive?


    Often information risk exists in areas where a practice has insufficient knowledge or control over the information processes and:


    • Maybe you don’t have sufficient resources to dedicate to a detailed cross-organisational or lengthy project; or,
    • You don’t have the expert knowledge required in the deep dive area; or,
    • You prefer an independent third party review.

    Typical Deep Dive Scenarios


    A good example of a deep dive audit project is when instructed to examine, map, and ensure the data privacy compliance of a consent/opt-in process for electronic marketing.


    This will usually involve looking at several websites, spreadsheets, databases, and paper forms and engaging with email broadcasting, web hosting, mailing house, telesales and other companies with whom you share your data. The ultimate aim is to ensure you are able to deliver your communications program, reviewing contractual arrangements or putting new agreements in place with those third parties, documenting processes, data flows, a privacy impact assessment etc. and even carrying out site inspections if required.


    Other examples include:


    • Analysis of Risk Register
    • Procedural Framework Investigation
    • Supply Chain Investigation & Review of Process and Procedures
    • Staff Training & Awareness Sessions
    • Using DataWise software either via a managed service or standalone subscription, the key information, findings and remedial actions from a Deep Dive investigation(s) can be integrated into the system for ongoing management and reporting purposes

    Report


    You receive a professional report with findings and recommendations for the specific data protection compliance issues. The report will include a detailed analysis of the data flow, highlighting areas of concern along with remedial recommendations where necessary.



  • Supply Chain Review

    The supply chain review service identifies data protection and information security compliance risks and gaps within your organisation’s supply chain of data processing and sharing arrangements.


    Your Obligations


    As soon as you transfer personal data to a third party, you take on a compliance and information security risk that you need to ensure is adequately managed.


    Supplier Assurance


    It is vital your practice takes steps to comply with GDPR as the GDPR legislation has led to increased penalties and the prospect of compensation for personal data breaches. These risks have naturally led to increased litigation in data supply chains where the blame for personal data breaches and security failings is pinned on the weakest link. You should undertake a supply chain review to ensure this is not your organisation.


    You need to ensure that the processors you appoint and their sub-processors that you approve are reliable and safe to be trusted with your data. This supply chain review service can provide that assurance when getting it wrong can be costly.



  • Outsourced Privacy Officer

    Ongoing "on tap" support to help you maintain and improve your data protection compliance.


    A privacy officer is a vital appointment in any organisation these days although it is often sensible and cost-effective to consider an outsourcing arrangement.


    The Service


    The job of the privacy officer ultimately is to ensure that your business operations are carried out in accordance with data protection legislation.  They are tasked with building resilience into your operations and building a privacy-aware culture.


    Your outsourced privacy officer does this by ensuring you have implemented reliable policies and work practices that everyone is made aware of through training and awareness.  They become the point of contact internally for data protection and privacy questions ensuring an accurate and consistent approach is taken.


    They will help with the appointment of data processors and the initiation of data-sharing arrangements.  They will ensure that you have evidence of handling personal data in accordance with the data protection principles and will advise on security incidents/personal data breaches and requests from data subjects to exercise their various rights such as the right to be forgotten.


    Your outsourced privacy officer is backed up by a team of consultants and a support desk, so you have ready access to all the resources you will need.



For more information on any of these options, email us here >>
