Services

Data Protection Support & GDPR Consultancy

CONTINUE READING
Data Protection Support & GDPR Consultancy

GDPR Policies & Procedures

Drafting and maintaining a library of Data Protection / GDPR related documentation is the starting point on the road to GDPR compliance for many organisations.

Both the Data Protection Commissioner in Ireland, and the Information Commissioner in the UK have stated that they will expect organisations to be able to demonstrate that they are complying with the GDPR. How can an organisation demonstrate that they are complying?

We have assisted many organisations in reporting data breaches to their relevant statutory authority. On many occasions, that statutory authority has requested that the organisation provide copies of relevant policy documents for review. Obviously, if the organisation does not have these policy documents, then they cannot demonstrate how they are complying with the GDPR.

Many organisations at this juncture will scour the internet for policies and will copy and paste the policy, add their logo and send this off to the statutory authority. This is where the real problems can begin.

Policies that are copy / pasted from other organisations will have little or no meaning or relevance to your organisation and therefore, are of little or no value.

XpertDPO will spend the time to get to know your organisation and to learn how you operate and then we will draft meaningful and relevant all of the GDPR compliance related documentation that you require.

Data Protection Support & GDPR Consultancy

Data Security Breach Management

The majority of organisations will experience an information security breach at some point in time. Dealing with information security breaches is time consuming, stressful, and complex. How your organisation responds to the information security breach, how quickly you act to mitigate or resolve the information security breach and how you communicate this breach to your relevant statutory authority and / or the affected data subjects is critical in order to avoid that earth ending asteroid that is plummeting towards your organisation. Taking the correct steps at the right time is critical to minimise or avoid the serious consequences that are a possibility including reputational damage, statutory investigation, litigation and penalties and fines.

XpertDPO will assist you in protecting your brand, reputation and your clients throughout an information security breach.

How can XpertDPO help?

Our incident response experts will assist you in breach containment, crisis management, forensic examination, notification of data subjects & statutory authorities.

We achieve this by:

  • Triage: XpertDPO will provide assistance to identify and assess whether an information security breach has occurred
  • Notification: XpertDPO will provide advice on notification obligations and liaising with the statutory authority and/or data subjects on your behalf
  • Minimising Risk: XpertDPO will provide assistance and advice on risk minimisation and mitigation
  • Resolution: XpertDPO will assist you to resolve and rectify the information security breach and liaise with the statutory authority where issues arise
  • Documentation: XpertDPO will assist your organisation to document the information security breach
  • Analysis: XpertDPO will conduct a review to assist in improving information data security breach response process
Data Protection Support & GDPR Consultancy

Data Subject Access Rights Management Services

Following the implementation of the GDPR, there are enhanced rights for all data subjects. It is a misconception that Data Subject Access became a ‘thing’ due to the GDPR. There are some new rights (The Right to Deletion and The Right to Portability) but the existing rights have been available to data subjects since the early 1980’s.

Our data protection experts can help you understand your organisation’s new and increased obligations to individuals whose personal data you are processing.

Collating all the relevant information in relation to the data subject, in order to respond to DSARs can be extremely challenging, stressful and time-consuming. It is imperative that the data subject’s identity must be verified, data should be screened and third-party consent may need to be obtained.

Outsourcing this requirement to XpertDPO will allow your organisation to concentrate on your core business objectives, while maintaining compliance with the GDPR and fulfilling your DSAR obligations as required.

XpertDPO will support you throughout this complex process. DSARs are processed by a team with extensive experience dealing with such requests. 

Dedicated DSAR support for the process from XpertDPO covers all areas of the DSAR process:

  • Reviewing and assessing the nature and validity of the DSAR
  • Verifying the requester’s identity
  • Liaising with the relevant stakeholders within your organisation to locate the relevant data and to acquire all the personal information relating to the individual
  • Screening the collated data
  • Obtaining consent from third-party individuals where their personal information is contained within the search results, and, where it is unobtainable, applying redactions
  • Applying lawful exemptions, if applicable
  • Formally disclosing the information to the requester
  • Liaising and interacting directly with the relevant regulatory authority
  • Documenting the facts relating to the DSAR

Depending on your needs, we can deliver this service to your organisation on-site or remotely, or a combination of both. Your DSAR support can be either fully outsourced to XpertDPO or we can support your in-house team as and when required.

XpertDPO can help you develop a DSAR process to be run “in-house” or you can outsource specific DSARs to us and we can manage the entire process for you.

Data Protection Support & GDPR Consultancy

Article 30 Records of Processing Activity (RoPA)

Article 30 of the GDPR requires organisations to create and maintain a record of processing activity (ROPA). The ROPA includes a comprehensive overview of processing activities and the most important details about them and must be made available upon the request of a supervisory authority. The ROPA demonstrates your organisation’s GDPR compliance and therefore it is extremely important that it is well-managed and organised.

The obligation to create and maintain a ROPA applies to the majority of controllers and processors, and – for non-EU companies – their EU representatives.

A widespread misconception concerning ROPAs is that this duty applies to large companies only. While companies with more than 250 employees must indeed always keep a ROPA, those with fewer than 250 employees are exempt from holding a record, if one of these factors apply:

The processing is not likely to pose a risk to the rights and freedom of the data subject.

Organisations can assess a likely risk for data subjects by taking into account the nature, scope, context and purposes for processing, as well as the varying likelihood and severity of risks. Examples include geolocation systems and video surveillance.

If no special categories of data are processed.

Special categories of data include, for instance, data concerning criminal records, religious affiliations as well as health data of employees. Most companies will process sick certificates, and other information of employees falling under this category.

If the processing is done only occasionally.

Data processing can be occasional if it plays a subordinate role in the activity and only occurs for a very short time or once. An example would be a company informing clients of a change of address in case of relocation. On the contrary, daily activities of organisations like customer management or salary management are not occasional.

In practise, most organisations, regardless of whether or not they employ more than 250 staff, will be required to draft and maintain a ROPA. As in almost every organisation, some processing takes place on a structural basis. Also, it is not unlikely for companies to process special categories of data, especially in the context of human resources.

For reasons of accountability and transparency, data controllers must ensure that they have a structured data protection documentation library. It not only ensures transparency of data processing but also enables the data protection officer (DPO), EU representative and statutory authorities to perform their duties well. In a nutshell, ROPA demonstrates whether a company is GDPR compliant. Furthermore, a ROPA is crucial for the preparation of data protection impact assessments (DPIA).

While the building of a complete list of processing activities is often a complicated and time-consuming task for organisations, the creation and maintenance of a ROPA can prove to be beneficial for several reasons. It facilitates a prompt and accurate response to potential data subject requests when the information is readily available while establishing an efficient data erasure schedule to avoid a bulk of unnecessary personal data. It allows an organisation to identify future possible risks and take steps to mitigate them.

How can XpertDPO help?

  • We will support you to draft and maintain your own Record of Processing Activity
  • We will cover key Data Subject groups
  • We will capture the key Data Subject data types
  • We will identify the most important Data Processors your organisation is contracted with
  • We will provide links to your Data Processors publicly available GDPR and Cyber-Security related documentation
Data Protection Support & GDPR Consultancy

Data Protection Impact Assessments (DPIAs)

The General Data Protection Regulation (GDPR) requires organisations to carry out a Data Protection Impact Assessment (DPIA) under certain circumstances. A DPIA is basically a risk assessment that your organisation should carry out on any new risks that arise from the processing of personal data. Generally, a DPIA should be carried out before your organisation begins processing personal data in a new way.

A DPIA is a process which aims to identify risks arising out of the processing of personal data and to minimise or mitigate those risks where possible. DPIAs are a vital tool for demonstrating compliance with the GDPR and also for reducing risk of non-compliance and possible sanctions.

Our data protection experts have assisted many organisations in completing DPIAs, including those with national significance and importance during the COVID-19 pandemic. XpertDPO will take your organisation through this process and provide you with the knowledge required to ensure compliance with the GDPR. We can help you to identify risks and make informed decisions relating to risk acceptability and mitigation.

Using our bespoke DPIA threshold assessment template, XpertDPO will guide you through this process and provide you with advice, recommendations and solutions.

Ready to start your
Data Protection journey with us?
Contact US
what we can do
Our Experience

XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.

XpertDPO is a data security, governance, risk and compliance, GDPR and ISO consultancy that offers practical, tailor-made solutions.

We are one of the leading providers of Outsourced Data Protection Officer services in Ireland and the UK. We also specialise in offering Nominated European Representative Services to non EU based organisations.

  • Certified Data Protection Officer
  • Certified Information Security Manager (ISACA)
  • Certified Information Systems Auditor (ISACA)
  • Certified in Risk and Information Systems Control (ISACA)
  • Certified Cloud Security Professional (ISC2)
  • Certificate of Cloud Security Knowledge
  • Cyber Essentials
"XpertDPO has worked closely with FIT on matters relating to our responsibilities as Data Processors and, more broadly, on our practical processes for managing client data with due regard for the GDPR regulation. In this respect, XpertDPO’s team has been proactive in sharing knowledge and best practices, which have developed considerably FIT’s internal competence and the necessary ongoing development of staff.”
Andrew Finn, Director of Academic Affairs and Programme Development
Andrew Finn, Director of Academic Affairs and Programme DevelopmentFIT
"XpertDPO have been our European Representative following Brexit in 2020. The onboarding process was simple and the advice provided assists in meeting obligations under EU GDPR."
Emily Aldridge
Emily AldridgeLegal Counsel and Data Protection Officer, NEC Group
"By having XpertDPO act as our European Representative for Frontline Accounting, we are confident we are meeting the legal requirements of the GDPR. XpertDPO’s team are always on hand to answer any queries we may have and to help us respond to any Data Subject Access Requests from any client across the UK and the EU."
Mark D
Mark DFounder and CEO, Frontline Accounting
"XpertDPO are our first and only port of call when we need data protection expertise. We have worked closely with XpertDPO since 2018 and their support has been invaluable. They consistently provide us with the skills, knowledge and technical expertise to deliver excellence to our clients"
Jason Mclaughlin
Jason MclaughlinSales Manager | Ortus Cloud Solutions
"The advice, support, and relationship we have received from XpertDPO has been invaluable. They are exactly the resource we needed to help us scale our Security & Privacy program. Their expert knowledge on GDPR has enabled us to become more knowledgeable in a critically evolving space. With XpertDPO, you receive more than just a data protection service, but the opportunity to learn, feel supported, and bridge the gaps in your compliance journey. Confidently working with global clients has been almost effortless thanks to their expertise and the service they provide us. We could not be happier with our experience thus far and look forward to continuing working closely together.”
Alexis Ortiz, Information Security Analyst
Alexis Ortiz, Information Security AnalystMovespring
"I can highly recommend the services of Stuart and Aimee from the XpertDPO team. Stuart’s wealth of knowledge on all things data protection is second to none and both Stuart and Aimee have always been highly professional and efficient, as well as being friendly, helpful and supportive. All work has been carried out in a timely manner and both Stuart and Aimee have always taken the time to explain our GDPR obligations to us and to help us work through all of the paperwork and processes we need in place. We are delighted to have the services of XpertDPO as the Informed Minds App Data Protection Officer and we feel very safe and secure in the knowledge that we are meeting all of our GDPR obligations with the help of their team."
Paula Fletcher, Managing Director
Paula Fletcher, Managing DirectorInformed Minds App
“I first met Stuart and XpertDPO in 2018, and quickly realised that the level of expertise and depth of knowledge that he possessed was second to none, and I am delighted to say that XpertDPO and TalentPool has worked on many mutually profitable professional projects. The two companies developed Ireland’s first QQI certified Data protection course, which we have successfully delivered with the XpertDPO team into numerous organisations. Stuart and his team have also advised us on many issues around our Data Protection and the incisive advice and guidance he has given us is second to none.”
Cosmo Mellon, Managing Director
Cosmo Mellon, Managing DirectorTalentPool Ltd
“XpertDPO as per their name are truly the experts in GDPR regulations. Stuart is very knowledgeable & very thorough with his understanding of the subject. From my very initial association with them to my continued engagement, XpertDPO have always come across as very approachable. The support that Stuart gives our organisation is very valuable and practicable, especially in today’s post Brexit world. More importantly, I find that Stuart is always at the end of a call to help me out and address any urgent GDPR related queries. I highly recommend XpertDPO and Stuart to anyone who is seeking a very through but practical advice and solution if they are navigating the maze of GDPR regulations!” Stuart and his team have also advised us on many issues around our Data Protection and the incisive advice and guidance he has given us is second to none.”
Minesh Vaidya, Head of Regulatory Compliance
Minesh Vaidya, Head of Regulatory ComplianceNordic Pharma UK
Previous
Next
OUR EXPERIENCE

A Selection of Our Happy Clients

XpertDPO is a Data Protection and Compliance consultancy firm in Ireland UK, that offers practical, tailor-made solutions.

XpertDPO is a Data Protection and Compliance consultancy firm in Ireland UK, that offers practical, tailor-made solutions.