Given the evolving nature of the GDPR and complexity of its interpretation, many businesses would not have the immediate resource to effectively undertake this Data Protection Officer role. Consider for example, would your organisation be able to:
The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public
authority or body, or if you carry out certain types of processing activities.
DPOs assist you to monitor internal compliance, inform and advise on your data protection
obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a
contact point for data subjects and the supervisory authority.
The DPO must be independent, an expert in data protection, adequately resourced, and report to the
highest management level.
A DPO can be an existing employee or externally appointed. In some cases several organisations can appoint a single DPO between them.
DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
DPO Core – £595 + vat per month
DPO Plus – £795 + vat per month
DPO Pro – £1500 + vat per month
All contracts are subject to a minimum 12-month contract term with 10% discount offered on 24-month contracts.
Access to one of Sampson Hall’s virtual DPO’s allows you to subscribe to a monthly service giving you access to an accredited EU GDPR Practitioner via telephone or email to provide initial expert guidance and advice on data protection and GDPR related questions within your business, through a cost effective managed service.
The DPO is required to have access to all areas of an organisation without a conflict of interest (Article 38 (6)), work independently without instruction (Article 38 (3)) and will require detailed expertise in European data protection legislation to fulfil the role. When engaging the Sampson Hall outsourced DPO service we will assign you a specific EU GDPR practitioner that is accredited to ISO17024 standards, who will work closely with your organisation to monitor/inform/advise of ongoing GDPR compliance.
The GDPR requires that “the controller shall seek out the advice of a Data Protection Officer, where designated when carrying out a Data Protection Impact Assessment” (Article 35) When an organisation identifies the requirement for a DPIA the Sampson Hall DPO will consult on the assessment in line with the regulation when looking to implement a new project or initiative.
As emerging case law further defines the interpretation and application of GDPR, the very nature of the regulation will be subject to change as it is interpreted, derogations are set and amended in different member states (Articles 85-91). Ensure that your organisation is kept up to date with the ever changing GDPR landscape via Sampson Hall notifications.
Depending on your service plan, Sampson Hall will conduct onsite audits at regular intervals to ensure that compliance is being applied, unforeseen risks are identified and manged accordingly. The Data Protection Officer audit team will examine documentation, review organisational processes and conduct key staff meetings where applicable. (1 day is required for the audit) Read more about audit services…….
DSARs handed to organisations will be presented in a variety of guises for example; a disgruntled ex-employee wanting their personnel records, possibly a competitor wishing to disrupt operations or simply a customer enquiring what personal data you hold. The Sampson Hall Data Protection Officer will advise on the management of how to handle DSARs, covering areas which could range from:
All staff new or existing staff can be your greatest asset however, also your greatest risk due to the personal data they will encounter throughout the course of their duties. Sampson Hall provide expert education and awareness sessions on the evolving regulations (frequency based on your service plan) to ensure that all staff are trained in how to identify personal data within their remits and the organisational processes required to be compliant in line with GDPR. (3-hour session for up to 30 staff)
The initial challenge organisations face is determining how to proceed when a breach has occurred. Under GDPR, you have 72 hours in which to notify the ICO once you have discovered a breach, however not all breaches are notifiable if they are not likely to impact the rights and freedoms of individuals, which presents significant challenges when deciding if this is the case without possessing expert knowledge and support.
Your Sampson Hall Data Protection Officer (DPO) will advise and guide you in determining the circumstances surrounding the breach and whether the ICO need to be notified. Our expertise as certified GDPR practitioners will act as your organisation’s main point of contact with the supervisory authority and data subjects, who also need to be contacted directly when a “high risk” breach occurs, without undue delay.
During a breach investigation the source and nature of the breach may not be immediately apparent and as such has the scope to increase in complexity within a short time frame.
The DPO will be required to make necessary site visits to conduct further investigations and to guide the organisation through this turbulent period.
We will help you understand the nature of the incident in relation to the regulation, the required communication with both internal and external parties and provide clarity on the action required to recover from a breach.
Identifying, managing and ultimately reducing risk is a key component of an organisation’s GDPR journey. The DPO will consult with your organisation to compile a centralised register of GDPR privacy risks, scoring those risks appropriately according to the organisational risk appetite and the resulting action required on their resolution as part of a wider compliance framework.
Sampson Hall will deliver a report to the board on the organisation’s current compliance relation to GDPR, outlining:
The GDPR holds those at the top of an organisation responsible for it’s compliance through proper governance. If an organisation is non-compliant at worst it could be subject to significant fines of up to 4% of global turnover or 20million euros whichever is greater, but an organisation may also suffer organisational sanctions and the resulting reputational damage which can be crippling.
Sampson Hall will provide a comprehensive onsite board brief on your GDPR compliance status. The brief will highlight the current risks involved, the importance of good governance in GDPR compliance, which will ultimately help enhance the organisations’ public image and install a confidence that consumers data is being handled appropriately.
For more information contact:
Alasdair Cameron – firstname.lastname@example.org or Michael Stradling – email@example.com or phone 0844 848 9594