What challenges were you and your team experiencing prior to working with us – what prompted you to seek a solution? We wanted to continue to build on the foundations I laid within the company. The authorities we work with are known for scrutinising suppliers with regard to data protection, and rightly so, particularly when the data is as sensitive as in our instance.
The business wanted me to be DPO, but I was not able to due to my role within IT. I source systems and manage and audit those systems, so if there was ever a breach it would be a conflict of interest, and there was no one else in the business who had that skillset. When I joined there was no architecture around information governance. I was able to do some of the work around GDPR, but we needed a DPO to take us forward in regard to the reassurance that we are compliant.
How did you go about searching for the solution and services? We went to tender and narrowed it down to three suppliers. Following one-to-ones with all three, we landed on the decision that DPO as a service would be the right way forward for our business. We could dip in and out as and when needed. It was also commercially more viable as a service, rather than taking on an in-house DPO.
Please describe the reasons you decided to work with us. We looked overseas in Germany at a company that offered DPO as a service. But although Evalian wasn’t necessarily the lowest price, from my initial conversations with the commercial director, I felt that Evalian would provide the right solution to us and that it would be sufficiently complete in terms of the service without being overbearing on the business.
Did you have any expectations going into the process? In my last role, I was DPO for the business and had gone through numerous assurance and compliance pieces. So I was familiar with governance frameworks and responsible for making sure the business understood GDPR etc. Evalian has definitely met my expectations, and the support we’ve had to create the documentation we need has been really valuable. We’ve even done some documents in real-time with our consultant – for example, two DPIAs, so it’s becoming second nature within the business.
Can you describe the process we took your business through and anything you learnt about your own business through working this way? The Gap Analysis Evalian conducted confirmed that we have a high assurance on accountability and privacy notices, which was very reassuring.
Evalian supported us in reinforcing and putting more structure around our compliance framework. Our designated consultant has given me the support I needed to reinforce the GDPR information governance requirements, and I see Evalian as my “partner in crime” so to speak – rather than it coming from just me within the business, we now have Evalian as our expert and from a legal standpoint, saying “you need to have this” and “you need to do this”.
The business has been able to understand and change our processes around breach management. Evalian has also supported us in the creation of DPIAs and a revised DSAR procedure which is something we would never have gotten around to. It’s reinforced that peace of mind that as long as the procedures are there and can hold up, you’re removing the risk factor as a business.
Were there any challenges you found along the way, and how did you feel we, or your consultant, helped to support you through that? Resources have always been my biggest challenge – my time is split across many areas, so it can be a challenge meeting some of the time frames, but those challenges are understood by Evalian® and risk-managed.
What has been the most significant achievement for your business facilitated by working with us? The creation of the information governance framework, creation of the steering group and review of policies and procedures. It’s been really helpful being able to use a third party rather than all of those matters coming to one person such as myself and we are supported with better responses and guidance from real data protection experts.
What impact have the results from working with us had on your clients/stakeholders? It’s given us reassurance from a management point of view. It gives our customers reassurance in having that DPO presence within the business. In having an external DPO as a service, we are getting much more from the service; we have the flexibility to call upon all the different advice groups. It’s helpful from an internal customer perspective in terms of privacy matters – like understanding how we use people’s data. They can come to a DPO, a recognised individual. Evalian has given us a second opinion and supported us with how we present some of the forms and policies that we have in place. The advice Evalian gives us is invaluable, particularly on some data subject matters that we’ve had, due to the sensitive nature of our business.