Sampson Hall has a proven track record of working successfully with organisations of any size, and can advise on and bring together all the functions of the business in order to ensure overall and ongoing GDPR compliance.
“There is no silver bullet to ensure GDPR compliance, but arguably the biggest change is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation”. Elizabeth Denham, the UK’s Information Commissioner.
To help organisations achieve ongoing compliance and privacy by design, and to embed this cultural shift in how everyone from the board down views and handles personal data, Sampson Hall offers a range of digital tools, briefing, training and awareness sessions, audits and Data Protection Officer services.
Our range of comprehensive services:
Board Briefing session – a two hour session covering the basic principles of the GDPR: the risks, the penalties and data subject rights, together with a cyber threat overview. This ensures the organisation sets the tone from the top down.
Staff Awareness and Training – sessions delivered to all staff so that the organisation can evidence that they have been briefed on the new regulation, understand it and, where necessary, have received the correct knowledge and training. This evidence needs to be retained and shown as part of the organisation’s ongoing training policy. This is a vital part of the cultural shift in a business, as it enables every employee to understand the “why”.
GDPR e-learning – 45 minute online course that includes knowledge checks and final test.
Gap Analysis of processes and procedures – identifies the organisation’s current position in terms of compliance and produces a remediation/action plan.
Data Audit – mapping and data flow – a data inventory and data flow map of your company’s personal data, plotting the data in all of its forms, origins, paths, exit points and storage locations. This shows where personal data exists across your network infrastructure (devices, servers, endpoints and protocols) and identifies all data exit points, including firewalls, printers and endpoints where sensitive information can be copied to portable media.
Data Protection Impact Assessments: understanding how and when to carry out a DPIA and its use as a risk assessment tool.
Policy and Procedural Templates: to provide the necessary documentation and evidence of compliance.
DPO requirement: to establish whether a DPO is required and how they need to work in terms of access, workload, and internal and external contacts.
GDPR Audit: to audit and confirm compliance where an organisation has chosen to implement the GDPR in-house.
Strategic Audit – an audit that will inform and reassure the Board as to exactly where they are on the compliance journey.
Organisational Audit – an audit that can be carried out quarterly, every six months or annually. It measures an organisation’s current situation in terms of compliance and helps to ensure that the GDPR has not been treated as a one-off box-ticking exercise, and that ongoing continuous improvement, measurement and analysis are taking place.
The first consideration in whether to appoint a DPO is establishing whether it is a statutory requirement. Under Article 37, the GDPR makes the appointment of a DPO mandatory in three scenarios:
The processing is carried out by a public authority or body (except for courts acting in their judicial capacity);
The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to article 9 or personal data relating to criminal convictions and offences referred to in Article 10.