Data Protection Support & GDPR Consultancy

GDPR Policies & Procedures

Drafting and maintaining a library of Data Protection / GDPR related documentation is the starting point on the road to GDPR compliance for many organisations.

Both the Data Protection Commissioner in Ireland and the Information Commissioner in the UK have stated that they will expect organisations to be able to demonstrate that they are complying with the GDPR. How can an organisation demonstrate that it is complying?

We have assisted many organisations in reporting data breaches to their relevant statutory authority. On many occasions, that statutory authority has requested that the organisation provide copies of relevant policy documents for review. Obviously, if the organisation does not have these policy documents, then they cannot demonstrate how they are complying with the GDPR.

Many organisations at this juncture will scour the internet for policies and will copy and paste the policy, add their logo and send this off to the statutory authority. This is where the real problems can begin.

Policies that are copy / pasted from other organisations will have little or no meaning or relevance to your organisation and therefore, are of little or no value.

XpertDPO will spend the time to get to know your organisation and to learn how you operate, and then we will draft all of the meaningful and relevant GDPR compliance documentation that you require.

Data Security Breach Management

The majority of organisations will experience an information security breach at some point in time. Dealing with information security breaches is time-consuming, stressful, and complex. How your organisation responds to the information security breach, how quickly you act to mitigate or resolve it, and how you communicate the breach to your relevant statutory authority and / or the affected data subjects are critical in order to avoid that earth-ending asteroid that is plummeting towards your organisation. Taking the correct steps at the right time is critical to minimise or avoid the possible serious consequences, including reputational damage, statutory investigation, litigation, and penalties and fines.

XpertDPO will assist you in protecting your brand, reputation and your clients throughout an information security breach.

How can XpertDPO help?

Our incident response experts will assist you in breach containment, crisis management, forensic examination, notification of data subjects & statutory authorities.

We achieve this by:

Data Subject Access Rights Management Services

Following the implementation of the GDPR, there are enhanced rights for all data subjects. It is a misconception that Data Subject Access became a ‘thing’ due to the GDPR. There are some new rights (The Right to Deletion and The Right to Portability) but the existing rights have been available to data subjects since the early 1980s.

Our data protection experts can help you understand your organisation’s new and increased obligations to individuals whose personal data you are processing.

Collating all the relevant information in relation to the data subject in order to respond to DSARs can be extremely challenging, stressful and time-consuming. It is imperative that the data subject’s identity is verified; data should be screened and third-party consent may need to be obtained.

Outsourcing this requirement to XpertDPO will allow your organisation to concentrate on your core business objectives, while maintaining compliance with the GDPR and fulfilling your DSAR obligations as required.

XpertDPO will support you throughout this complex process. DSARs are processed by a team with extensive experience dealing with such requests. 

Dedicated DSAR support for the process from XpertDPO covers all areas of the DSAR process:

Depending on your needs, we can deliver this service to your organisation on-site or remotely, or a combination of both. Your DSAR support can be either fully outsourced to XpertDPO or we can support your in-house team as and when required.

XpertDPO can help you develop a DSAR process to be run “in-house” or you can outsource specific DSARs to us and we can manage the entire process for you.

Article 30 Records of Processing Activity (RoPA)

Article 30 of the GDPR requires organisations to create and maintain a record of processing activity (ROPA). The ROPA includes a comprehensive overview of processing activities and the most important details about them and must be made available upon the request of a supervisory authority. The ROPA demonstrates your organisation’s GDPR compliance and therefore it is extremely important that it is well-managed and organised.

The obligation to create and maintain a ROPA applies to the majority of controllers and processors, and – for non-EU companies – their EU representatives.

A widespread misconception concerning ROPAs is that this duty applies to large companies only. While companies with more than 250 employees must indeed always keep a ROPA, those with fewer than 250 employees are exempt from holding a record if one of these factors applies:

The processing is not likely to pose a risk to the rights and freedom of the data subject.

Organisations can assess a likely risk for data subjects by taking into account the nature, scope, context and purposes for processing, as well as the varying likelihood and severity of risks. Examples include geolocation systems and video surveillance.

If no special categories of data are processed.

Special categories of data include, for instance, data concerning criminal records, religious affiliations as well as health data of employees. Most companies will process sick certificates, and other information of employees falling under this category.

If the processing is done only occasionally.

Data processing can be occasional if it plays a subordinate role in the activity and only occurs for a very short time or once. An example would be a company informing clients of a change of address in case of relocation. On the contrary, daily activities of organisations like customer management or salary management are not occasional.

In practice, most organisations, regardless of whether or not they employ more than 250 staff, will be required to draft and maintain a ROPA, as in almost every organisation some processing takes place on a structural basis. Also, it is not unlikely for companies to process special categories of data, especially in the context of human resources.

For reasons of accountability and transparency, data controllers must ensure that they have a structured data protection documentation library. It not only ensures transparency of data processing but also enables the data protection officer (DPO), EU representative and statutory authorities to perform their duties well. In a nutshell, ROPA demonstrates whether a company is GDPR compliant. Furthermore, a ROPA is crucial for the preparation of data protection impact assessments (DPIA).

While building a complete list of processing activities is often a complicated and time-consuming task for organisations, the creation and maintenance of a ROPA can prove to be beneficial for several reasons. Having the information readily available facilitates a prompt and accurate response to potential data subject requests, and helps establish an efficient data erasure schedule to avoid accumulating unnecessary personal data. It also allows an organisation to identify possible future risks and take steps to mitigate them.

How can XpertDPO help?

Data Protection Impact Assessments (DPIAs)

The General Data Protection Regulation (GDPR) requires organisations to carry out a Data Protection Impact Assessment (DPIA) under certain circumstances. A DPIA is basically a risk assessment that your organisation should carry out on any new risks that arise from the processing of personal data. Generally, a DPIA should be carried out before your organisation begins processing personal data in a new way.

A DPIA is a process which aims to identify risks arising out of the processing of personal data and to minimise or mitigate those risks where possible. DPIAs are a vital tool for demonstrating compliance with the GDPR and also for reducing risk of non-compliance and possible sanctions.

Our data protection experts have assisted many organisations in completing DPIAs, including those with national significance and importance during the COVID-19 pandemic. XpertDPO will take your organisation through this process and provide you with the knowledge required to ensure compliance with the GDPR. We can help you to identify risks and make informed decisions relating to risk acceptability and mitigation.

Using our bespoke DPIA threshold assessment template, XpertDPO will guide you through this process and provide you with advice, recommendations and solutions.

Our Experience

XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.

We are one of the leading providers of Outsourced Data Protection Officer services in Ireland and the UK. We also specialise in offering Nominated European Representative Services to non EU based organisations.


A Selection of Our Happy Clients

XpertDPO is a Data Protection and Compliance consultancy firm in Ireland and the UK that offers practical, tailor-made solutions.