
Why Use Evalian® For Data Protection Services?

  • GDPR, data protection & e-privacy experts
  • Expertise and support for a low monthly cost
  • Trusted advisors: ensuring you become and remain compliant
  • Commercially aware, real-world guidance

Data protection, privacy and respect for the personal data you collect are becoming critical to your bottom line. Whether you’re a small organisation, a fast-growing business or an international group of companies, our data protection services can help.

We are a trusted provider of outsourced Data Protection Services to over 300 organisations.


Our consultants can help demystify your obligations & improve your compliance with GDPR, the Data Protection Act 2018, PECR & overseas privacy laws.


We don’t just advise, though. We will also roll up our sleeves and get stuck in, working as an extended member of your team and supporting you throughout.


Three Steps To Your Bespoke Offer:


Step 1: Get In Touch

Arrange a free, no-obligation call with one of our DPO Specialists to discuss your compliance needs, so we can get to understand your business and requirements. We’ll ask about your size, structure, management systems, working practices, culture, strategy and your specific objectives from our engagement.


Or call 03330 500 111


Step 2: Tailor Your Package

We offer three packages to start from, but we know there isn’t a ‘one size fits all’ when it comes to privacy and security. Good data protection needs to be risk led and your approach to both should be aligned to your business strategy, which is why we can tailor your package to be unique to your organisation.



Step 3: Secure Your Quote

After our assessment of your individual needs from our initial engagement, we will tailor a package to suit and send you a Statement of Work and Proposal document. Once that has been approved, we will assign you your dedicated data protection specialist, who will guide you through the next steps.


Our Comprehensive Data Protection Services Include:

  • Named DPO – You'll get a named DPO, supported by our wider team
  • ICO Registration – We'll register ourselves as your DPO with the ICO
  • On-demand phone, email & online access to your DPO
  • Breach Response – Prioritised support if you suffer a data breach
  • SAR Support – Help responding to data subject rights requests
  • DPIA Preparation – Carrying out Data Protection Impact Assessments
  • Privacy Notices – Reviewing & creating privacy notices
  • Policy Creation – Privacy policy creation & supporting procedures
  • Awareness Training – Employee training & awareness
  • Data Transfers – Data sharing, international transfers & processors
  • Legal Support – Legally qualified specialists & solicitors in-house
  • Security Advice – Optional security risk management support

What Makes Our Service Unique?

Head of Data Protection practice, Ray Orife, discusses the most common question clients ask, what the AI landscape looks like for data protection and what makes Evalian’s data protection services unique.

Got another question? Call us today – we’d be happy to guide you.

0808 506 3501


Don’t Just Take Our Word For It:

[Client testimonials, including from Polyco and Cappfinity, shown as images]


What is personal data?

Personal data is information relating to an individual which allows them to be identified, either directly or indirectly. Common examples of personal data include an individual’s name, address, or identification number. Even where an individual is identified or identifiable, directly or indirectly, from the information being processed, it must relate to the individual in order for the information to be personal data.


Where you cannot directly identify an individual from information, you still need to consider whether an individual is identifiable, by considering the information being processed together with all the means reasonably likely to be used in order to identify individuals. For example, if somebody found a bank account number written down on a piece of paper in a café without a name or identified financial institution this could be considered anonymous. By contrast, a bank account number provided to someone working in the relevant bank to which the account number relates will be personal data if they have access to systems that can link the account number to the account holder.

Personal data can also include special categories of data such as information relating to an individual’s ethnicity, health and sexual orientation. There are stricter rules governing how special category data is obtained and used by organisations, due to the sensitivity of the information.

For more information on what constitutes personal data and some examples of how it is used, you can read our blog on personal data here.

What responsibilities do companies have under the GDPR?

If a business uses personal information during the normal running of its business, then the UK GDPR is likely to apply. Under the UK GDPR, organisations must embed data protection compliance into all of their processing activities. This approach is referred to as ‘data protection by design and by default’ and is a key aspect of the UK GDPR’s risk-based approach and emphasis on accountability.

Fundamentally, companies must implement appropriate technical and organisational measures that will ensure that their use of personal data is compliant with the UK GDPR’s seven ‘processing principles’; this is where using outsourced data protection services can be hugely beneficial. These principles oblige organisations that are handling data to do so in a way that protects the rights of individuals. The 7 principles organisations must comply with are:


  1. Lawfulness, fairness and transparency – be fair and transparent, and inform individuals about what you are doing with their data.
  2. Purpose limitation – only use the data for a specific purpose.
  3. Data minimisation – only collect and use the information required to fulfil a specific purpose for processing the data.
  4. Accuracy – ensure there are processes in place to maintain the accuracy of personal information.
  5. Storage limitation – only keep data as long as necessary; organisations must be able to justify how long they retain personal data. As a result, in certain circumstances, a detailed assessment may be required to set retention periods.
  6. Integrity and confidentiality (security) – ensure there are appropriate security measures in place based on the nature of the processing activity. For instance, an organisation that is processing large amounts of special category data should have more robust security measures in place than an organisation that is only processing basic contact information.
  7. Accountability – you should be able to evidence how you comply with the above six principles. For example, by demonstrating you have buy-in to data protection compliance across your organisation and can evidence your organisation’s compliance with your data protection policies. More guidance on ensuring accountability within your organisation can be found in the ICO guidance.

Must all organisations appoint a Data Protection Officer (DPO)?

Not every organisation needs to appoint a DPO. Under the UK GDPR, you must appoint a DPO if your organisation:


  • is a public authority or body (except for courts acting in their judicial capacity);
  • as part of its core activities, is regularly, systematically monitoring individuals on a large scale (for example, location-based services). An organisation’s core activities are their primary business activities. As such, if you need to process personal data to achieve a key business objective, this will be a core activity; or
  • is processing special categories of data or data relating to criminal convictions and offences on a large scale.

A group of undertakings may appoint a single DPO, provided the DPO can be easily accessed by each entity. A DPO does not have to be an individual; it can be a company or an organisation too, meaning an organisation can outsource its DPO role to a third party.

Even if you aren’t required to appoint a DPO, you can make a voluntary appointment of a DPO. However, please note that the same requirements of the position under the UK GDPR still apply as if the appointment was mandatory. If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s still a good idea to record this decision to help demonstrate compliance with the accountability principle.

Irrespective of whether it is mandatory for you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to meet your obligations under the UK GDPR.

To understand more on whether you need to appoint a DPO, please see here. We also have a useful blog on the topic – Should you outsource your DPO?

We are a very small company – does the UK GDPR apply to us?

The UK GDPR applies to all organisations that process personal data, regardless of the size of the organisation. Therefore, even if you are a sole trader, as long as you are processing personal information the UK GDPR will apply to your organisation. This ensures that everyone’s data is used properly and fairly, preventing situations where personal data can be used wrongly or for harmful purposes such as identity theft and discrimination.

The likelihood is that even small organisations will store and use personal data about employees, customers or suppliers on a regular basis, and therefore will need to comply with UK data protection laws. Even if a business doesn’t employ any staff, data protection legislation is very likely to still apply, as in many organisations there are likely to be emails containing personal data and other documents containing personal data to which the UK GDPR will apply.

Small businesses generally have fewer obligations under the UK GDPR. For example, those with fewer than 250 employees are not obliged to keep a record of processing activities. However, the 7 core data protection principles will apply regardless of the size of the organisation. As a result, a small organisation will be required to adopt a data protection by design approach and implement appropriate technical and organisational measures to meet the UK GDPR’s requirements. This could include potentially needing to appoint a DPO, depending on the nature of the organisation’s processing activity.

For further guidance for smaller organisations, please see here, or read our blog on GDPR for small businesses.

What is the right of access?

Under the UK GDPR, individuals have a number of individual rights including a right of access which gives individuals a right to obtain a copy of their personal data from organisations processing their personal data. The right of access is not a new right under the UK GDPR and is commonly referred to as a subject access request (‘SAR’).

Where an individual makes a SAR, they are entitled to a copy of their information and supplementary information such as an organisation’s purposes for processing their data and who the organisation has shared their data with (if anybody).


A SAR can be made verbally or in writing, including on social media. An individual does not need to explicitly say they are making a SAR or access request, refer to legislation or direct the request to a specific contact; it just needs to be clear that they are asking for their personal data for the request to be valid.

A third party can also make a request on an individual’s behalf (e.g. a solicitor or relative), as long as the organisation has obtained evidence of the third party’s authority, establishing that the third party making the request is entitled to act on behalf of the individual.

Generally, organisations must respond to a SAR within 1 month, free of charge. In limited circumstances, for example where a request is considered excessive, this period can be extended by up to 2 months and it may be possible to charge a reasonable fee for copies of the information.

There are some limited exemptions that allow businesses to refuse to supply some or all of the information that was requested. For example, if providing the information may adversely affect the rights of others, an organisation can refuse to supply some or all of the data. Another example is where an organisation is in negotiations with an individual, for instance in respect of an individual’s redundancy: an organisation can refuse to comply with a request for papers detailing the company’s rationale for reaching a redundancy settlement if complying with the request would prejudice the redundancy negotiations. In any event, any intention not to comply completely with an individual’s SAR should be communicated to them at an early stage. Businesses must be careful in applying these exemptions and should consider whether they apply on a case-by-case basis, as opposed to taking a blanket approach.

Further detailed guidance on SARs can be found here.

Does our organisation need to consider data protection when we engage a new supplier?


Organisations need to consider data protection when engaging new suppliers if the supplier is going to be processing personal data. The supplier’s ability to evidence its data protection compliance should form a fundamental part of any supplier’s due diligence. This could involve the use of risk assessments and Data Protection Impact Assessments to ensure that the new supplier will handle personal data with the utmost care.

Important questions to ask of suppliers include whether the supplier holds any industry certifications, where data is located, how the supplier would respond to data breaches, and whether they share personal data with any other third parties. Essentially, organisations should establish that a supplier meets the UK GDPR’s requirements before using the supplier’s services.

In addition, organisations must enter into a written agreement with any suppliers processing personal data and make sure that any contract includes all the relevant data protection clauses prescribed by the UK GDPR. For instance, agreements should clearly set out the purpose and categories of any personal data that may be processed by the supplier, and the parties’ obligations for different processing activities.

Performing thorough due diligence at the outset of a project will allow an organisation to identify and mitigate any issues early on, which should mean retrofitting costs are avoided post-implementation of a business change/project.

Trusted by clients from across numerous sectors, including businesses, charities and public sector organisations



Interested In Our Data Protection Services?

Contact us now for a friendly, no-obligation discussion or to request more information about our outsourced DPO or GDPR compliance services. We’re in London, Southampton, the Midlands and North West and support clients across the UK and globally.


Our Accreditations

[DPO certification and accreditation logos shown as images]