We are a trusted provider of outsourced DPO services to over 100 organisations
GDPR, data protection
& e-privacy experts
Expertise and support
for a low monthly cost
Ensuring you become
and remain compliant
Arrange a free, no-obligation call with one of our DPO Specialists to discuss your compliance needs, so we can get to understand your business and requirements. We’ll ask about your size, structure, management systems, working practices, culture, strategy and your specific objectives from our engagement.
We offer three packages to start from, but we know there isn’t a ‘one size fits all’ when it comes to privacy and security. Good data protection needs to be risk led and your approach to both should be aligned to your business strategy, which is why we can tailor your package to be unique to your organisation.
After our assessment of your individual needs from our initial engagement, we will tailor a package to suit, send you a Statement of Work and Proposal document. Once that has been approved, we will assign you your dedicated data protection specialist who will guide you through the next steps.
You'll get a named DPO, supported by our wider team
We'll register ourselves as your DPO with the ICO
On-demand phone, email & online access to your DPO
Prioritised support if you suffer a data breach
Help responding to data subject rights requests
Carrying out Data Protection Impact Assessments
Reviewing & creating privacy notices
Employee training & awareness
Data sharing, international transfers & processors
Legally qualified specialists & solicitors in-house
Optional security risk management support
Our DPOs include data protection lawyers, ex ICO staffers & data protection specialists with multi-industry experience in UK GDPR, EU GDPR, ePrivacy, Freedom of Information & regulatory guidance.Our consultants
Commercially aware and user-friendly guidance for core compliance. Updates and support for the latest data protection issues including Brexit, Schrems II, Covid-19, Children’s Code and Global Privacy Laws.request more information
Our DPO services also offer you the opportunity to include specialist cyber security support such as outsourced security management, penetration testing, Cyber Essentials certification & ISO 27001 readiness.Cyber Security Services
Let our team of highly qualified, experienced DPOs support you to manage your data protection obligations, working as an extended member of your team.
We promise open communication and real-world advice with no hard sell. Contact us now for a friendly chat about your organisation’s data protection compliance needs.
Personal data is information relating to an individual which allows them to be identified, either directly or indirectly. Common examples of personal data include an individual’s name, address, or identification number. Even where an individual is identified or identifiable, directly or indirectly, from the information being processed, it must relate to the individual in order for the information to be personal data.
Where you cannot directly identify an individual from information, you still need to consider whether an individual is identifiable, by considering the information being processed together with all the means reasonably likely to be used in order to identify individuals. For example, if somebody found a bank account number written down on a piece of paper in a café without a name or identified financial institution this could be considered anonymous. By contrast, a bank account number provided to someone working in the relevant bank to which the account number relates will be personal data if they have access to systems that can link the account number to the account holder.
Personal data can also include special categories of data such as information relating to an individual’s ethnicity, health and sexual orientation. There are stricter rules governing how special category data is obtained and used by organisations, due to the sensitivity of the information.
For more information on what constitutes personal data and some examples of how it is used, you can read our blog on personal data here.
If a business uses personal information during the normal running of its business, then the UK GDPR is likely to apply. Under the UK GDPR, organisations must embed data protection compliance into all of their processing activities. This approach is referred to as ‘data protection’ by design and by default and is a key aspect of the UK GDPR’s risk-based approach and emphasis on accountability.
Fundamentally, companies must implement appropriate technical and organisational measures that will ensure that their use of personal data is compliant with the UK GDPR’s seven ‘processing principles’. These principles oblige organisations that are handling data to do so in a way that protects the rights of individuals. The 7 principles organisations must comply with are:
Not every organisation needs to appoint a DPO. Under the UK GDPR, you must appoint a DPO if your organisation:
A group of undertakings may appoint a single DPO, providing they can be easily accessed by each entity. A DPO does not have to be an individual, it can be a company or an organisation too, meaning an organisation can outsource its DPO role to a third party.
Even if you aren’t required to appoint a DPO, you can make a voluntary appointment of a DPO. However, please note that the same requirements of the position under the UK GDPR still apply as if the appointment was mandatory. If you decide that you don’t need to appoint a DPO, either voluntarily or because you don’t meet the above criteria, it’s still a good idea to record this decision to help demonstrate compliance with the accountability principle.
Irrespective of whether it is mandatory for you to appoint a DPO, you must ensure that your organisation has sufficient staff and resources to meet your obligations under the UK GDPR.
The UK GDPR applies to all organisations that process personal data regardless of the size of the organisation. Therefore, even if you are a sole trader as long as you are processing personal information, the UK GDPR will apply to your organisation. This ensures that everyone’s data is used properly and fairly, preventing situations where personal data can be used wrongly or for harmful purposes such as identity theft and discrimination.
The likelihood is that even small organisations will store and use personal data about employees, customers, or suppliers on a regular basis, and therefore will need to comply with UK data protection laws. Even if a business doesn’t employ any staff, data protection legislation is very likely to still apply as in many organisations there are likely to be emailed with personal data and other documents containing personal data to which the UK GDPR will apply.
Small businesses generally have fewer obligations under the UK GDPR. For example, those with less than 250 employees are not obliged to keep a record of processing activities. However, the 7 core data protection principles will apply regardless of the size of the organisation. As a result, a small organisation will be required to adopt a data protection by design approach and implement appropriate technical and organisational measures to meet the UK GDPR’s requirement. This could include potentially needing to appoint a DPO depending on the nature of the organisation’s processing activity.
Under the UK GDPR, individuals have a number of individual rights including a right of access which gives individuals a right to obtain a copy of their personal data from organisations processing their personal data. The right of access is not a new right under the UK GDPR and is commonly referred to as a subject access request (‘SAR’).
Where an individual makes a SAR, they are entitled to a copy of their information and supplementary information such as an organisation’s purposes for processing their data and who the organisation has shared their data with (if anybody).
A SAR can be made verbally or in writing, including on social media. An individual does not need to explicitly say they are making a SAR or access request, refer to legislation or direct the request to a specific contact, it just needs to be clear that they are asking for their personal data for the request to be valid.
A third party can also make a request on an individual’s behalf (e.g. a solicitor or relative) as long as authority from the third party has been obtained by the organisation to establish that the third party making the request is entitled to act on behalf of the individual.
Generally, organisations, must respond to a SAR within 1 month, free of charge. In limited circumstances, for example, where a request is considered excessive, this period can be extended by up to 2 months and it may be possible to charge a reasonable fee for copies of the information.
There are some limited exemptions that allow businesses to refuse to supply some or all of the information that was requested. For example, if providing the information may adversely affect the rights of others, an organisation can refuse to supply some or all the data. Also, another example is, where an organisation is in negotiations with an individual, for instance in respect of an individual’s redundancy, an organisation can refuse to comply with a request for papers detailing the company’s rationale for reaching a redundancy settlement if complying with a request will prejudice the redundancy negotiations. In any event, any intention not to comply completely with an individual’s SAR should be communicated to them at an early stage. Businesses must be careful in applying these exemptions and should consider whether they apply on a case-by-case basis as opposed to taking a blanket approach.
Further detailed guidance on SARs can be found here.
Organisations need to consider data protection when engaging new suppliers if the supplier is going to be processing personal data. The supplier’s ability to evidence its data protection compliance should form a fundamental part of any supplier’s due diligence. This could involve the use of risk assessments and Data Protection Impact Assessments to ensure that the new supplier will handle personal data with the utmost care.
Important questions to ask of suppliers include whether the supplier holds any industry certifications, establish where data is located, how the supplier would respond to data breaches, and whether they share personal data with any other third parties. Essentially, organisations should establish that a supplier meets the UK GDPR’s requirements before using the supplier’s services.
In addition, organisations must enter into a written agreement with any suppliers processing personal data and make sure that any contract includes all the relevant data protection clauses prescribed by the UK GDPR. For instance, agreements should clearly set out the purpose and categories of any personal data that may be processed by the supplier, and the parties’ obligations for different processing activities.
Performing thorough due diligence at the outset of a project will allow an organisation to identify and mitigate any issues early on which should mean retrofitting costs are avoided post-implementation of a business change/project.
Trusted by clients from across numerous sectors, including businesses, charities and public sector organisations