What challenges were you and your team experiencing prior to working with us – what prompted you to seek a solution?
The answer is multi-faceted really. There were several factors that drove the requirement for an external DPO. 2021 was a pivotal time for Bamboo PR. We had just come out of the other side of Covid and client changes meant we had no choice but to scale our team back to three people, as many organisations did during that period.
Additionally, our business model and future vision had to be entirely rebuilt due to some difficult circumstances, sadly outside of our control, and I took over the day-to-day management of our business before purchasing the company in April 2022. I had never run my own business before, I didn’t know how to be a leader in many areas, and what followed was an exceptionally steep learning curve as I came to understand my obligations as an employer.
Fortunately, our industry bounced back as businesses saw the benefits agencies like ours offer, and I started to find my feet. We won new clients, and so we began hiring as quickly as we could.
It became apparent mid-way through the year that our efforts to comply with GDPR were becoming trickier to do in-house due to resources and time, but I knew at this point we needed to pay more attention to those areas. I also felt it was important to conduct an extensive review of our business once our ownership change was complete.
From a personal perspective, it’s been a rollercoaster of emotions for many reasons. I adopted the mentality of “let’s presume nothing is sacred, let’s build on what we have in terms of data protection but let’s get someone to come in and tell us where we can be stronger without any judgment.”
Once I took over the business formally in April this year, I proceeded with our data protection review, as we process and control substantial data. GDPR is as overwhelming as it is complex to anyone who isn’t versed in that subject. I knew we needed assistance to ensure our team are supported in their efforts, and equally, to provide the best service for our clients.
How did you go about searching for the solution and services?
I did some initial research and noticed a few cybersecurity companies trying to add data protection services on top of what they specialised in, which didn’t sit well with me. I wanted someone with clear attention to detail, respect for the regulation and a team with experience in helping businesses of all sizes. This is what led me to Evalian®.
Please describe the reasons you decided to work with us.
I was really happy with how Evalian’s commercial director, Chris, listened and understood our business and the (at times turbulent) journey we had been on to get to this point. There was no judgement at all, which meant I felt comfortable being open about the state of our business. Evalian® acted professionally and with great transparency.
We wanted to onboard a data protection partner who felt right for us and, similarly, for us to be right for them. I love what I get working with the Evalian® team. I looked for a partner who could support us and who had real tangible experience as well as legal capability.
We have an HR partner who operates along the same lines as Evalian®, in that they’re readily available and can have conversations on a call rather than solely via email correspondence. It’s important for me to be able to talk to a person to clarify my thinking about certain topics.
At the risk of sounding cliché, I truly feel like they’re an extension of our team.
Did you have any expectations going into the process?
Having had no experience with data protection suppliers prior, I didn’t have any expectations. In 2018, like every company, we did everything we could and interpreted what we needed to comply with GDPR. As time went on, and businesses went through a complete transformation, utilising more digital services, I knew we needed extra support.
What I wasn’t prepared for, however, was realising how other organisations differ when it comes to data protection and GDPR compliance. Understanding that we are a key component in many data processing chains has meant that I am now hyper-aware of what good data protection looks like, in ourselves as well as other organisations.
Can you describe the process we took your business through and anything you learnt about your own business through working this way?
As the engagement has progressed, it’s become clear to me that when it comes to data protection and compliance, slow and steady wins the race.
It’s not something to be rushed, and rather something that evolves as the business grows. I’ve also realised that just because we are a small company doesn’t mean we should take any less care over the data we process, and doesn’t make us any less at risk of a breach.
The initial remedial plan was clear and organised – I really liked that, I’m a very “by-the-book” person and I like comprehensive and clear plans.
Were there any challenges you found along the way, and how did you feel we, or your consultant, helped to support you through that?
There were no major challenges particularly, but I’m someone that really likes to understand a subject and learn as much as I can. So, when our Evalian® consultant, Isabela, had gone through the remediation report with me, I wanted to get to grips with how our organisation looked compliance-wise, i.e. were we in a good place / were the actions we needed to take drastic?
Isabela was honest and told us that while there were a few areas we needed to improve on, it was absolutely doable and reassured us. I appreciated that open communication and the pragmatic advice from Evalian®: “You’ve got a few things to do, nothing to panic about”.
Data protection was quite intimidating and new to me. I was very conscious of the legal ramifications of a breach. I wouldn’t say I lost sleep over it, but I do think about this topic a lot and I now feel calmer due to the reliable support we get from Evalian®.
It felt like a final gap in our support network was filled. Even though data protection will continue to evolve, I am confident in our efforts to face future challenges head-on.
What changes did you make as a result of working with us?
We now have a solid awareness when it comes to compliance. We have a mindset from top to bottom which is far more “data protection-focused”. I think that data protection really does need to have buy-in from the top, and having my team see how invested I am has made the whole process much easier. We’re all on the same page.
Evalian® has supported us in implementing updated policies and procedures, which provide the structure to enable that mindset, which is extremely valuable. Not only do we have up-to-date documentation, but this has also improved how we run our business in different ways.
The data protection training was great – we loved the platform, and our team especially liked that they could dip in and out of it.
When it comes to suppliers and partners, we feel we would now be able to identify those who are solid in their security posture and compliance and those who might be riskier, which will cause us to pause when onboarding in future.
What impact have the results from working with us had for you/your team?
Coming through the latter couple of years, it was important to me and our team to feel like we have a solid support network. We are now in a place where I really believe we do have that, thanks to our chosen suppliers.
I think the biggest impact has been the shift in our mindset. Knowing we have some GDPR knowledge we can build on and refreshed cybersecurity training in the pipeline, we feel we’re in a solid place.
The team ask more questions and we take accountability. Such is the nature of business, people will always remain the biggest weakness within the context of data protection, so by ensuring we have a team that is open to learning more about cyber awareness and building on their data protection knowledge, we can only become stronger.
What impact have the results from working with us had on your clients/stakeholders?
In terms of clients, we still just have one phrase we start any engagement with, “can we make sure we’re supporting them in a way that’s valuable and clear?”. I feel like we can provide a better service knowing we have a reliable and robust compliance structure in place and we’re less of a risk in their own chains.
I was worried about bombarding our clients out of the blue with data policies, but Evalian® have helped us to figure out a way to communicate our new documentation in a suitable manner. It’s that problem-solving aspect that has really stood out to me when working with the team.
What do you hope to achieve in your future working relationship with us?
After having been through the GDPR training course, we are now working with Evalian® on revamping our cyber security awareness training. The feedback from our team was positive and so I’m eager to build on that awareness and pair it with some cyber security knowledge which I’m confident Evalian® can effectively provide us with.