ISO9001 was an achievement; an even bigger deal was to raise the health and safety culture of the organisation.
Data Protection and GDPR Compliance
GDPR Consultancy
Our data protection and GDPR advice is straightforward, accurate and tailored to your organisation’s needs. Our consultants have the expertise you need.
Benefits of GDPR consultancy
Understand fully how your organisation collects, stores, accesses and shares data
Reduce the risk of non-compliance, fines and reputational damage
Be confident that every aspect of your organisation has been scrutinised
Ensure that your policies are robust and compliant
Understand international data transfers requirements
Reassure your stakeholders
Access best practice and up-to-the-minute advice
Respond quickly to a GDPR crisis
GDPR Discovery Review
We have a range of services to help you assess, manage and protect your data. A popular starting point is the GDPR Discovery Review. This three-step process will ensure that your employees understand their GDPR obligations and will provide you with a detailed action plan to drive compliance.
Compliance as a Service
Compliance as a Service provides the ongoing expert support you need at a fraction of the price of employing a full-time in-house GDPR expert. As part of the service, we’ll check your compliance during regular review meetings, provide ad hoc advice to your staff and even cooperate with the Information Commissioner’s Office (ICO) on your behalf, if needed. As well as providing expert GDPR support, our specialists can also advise you on ISO, Cyber Essentials and H&S compliance.
GDPR Training
We believe GDPR doesn’t have to be boring or inaccessible. Our experienced GDPR trainers use real-life examples, humour and group discussions to bring GDPR to life. Your delegates will leave understanding their obligations and feeling inspired to make changes.
GDPR Critical Friend
It’s vital that your compliance team maintains a robust approach to GDPR all year round. Our Critical Friend service will provide them with the support they need to take informed, timely and compliant decisions.
GDPR Virtual Data Protection Officer (DPO)
A Data Protection Officer plays a vital role in preserving the integrity of the business. They minimise the risk of data breaches, potential fines and reputational damage. Our outsourced Data Protection Officer services will enable you to fulfil your legal requirements and benefit from the highest possible level of up-to-the-minute knowledge from certified DPOs, all of whom have Board-level experience.
GDPR Emergency Support
Whether you’ve had a data leak, received a tricky Subject Access Request (SAR) or Right To Be Forgotten (RTBF) request, been notified of an incident by one of your Data Processors or suspect an employee of copying files, we’ll help you work out how to manage the situation.
GDPR FAQs
What is the GDPR?
The General Data Protection Regulation (GDPR) simplifies data privacy compliance by replacing a number of different country laws with one that’s common across the 28 countries of the European Economic Area (EEA). It was brought into law in the UK by the 2018 Data Protection Act (DPA). The DPA remains in place after Brexit.
Why is the GDPR important?
We are spending more and more time ‘online’ whether downloading music, streaming films, sending texts, using social media or even doing our banking. Each time we use a system, we allow businesses, charities or the government to use our data. That data can be used to target us for advertising, to predict our future purchases or to capture information on our health or our family. Our data therefore has a value not only to businesses, charities and the government but also to criminals who want to capture it and sell it on the dark web.
The GDPR helps to ensure that every organisation takes its data processing responsibilities seriously and puts in place stringent measures to protect our personal data – whether we are a customer, an employee or an interested party. It also ensures that breaches are reported promptly.
Who does the GDPR apply to?
The GDPR applies to any organisation – business, charity or government body – operating within the EU which captures and stores our data. It also applies to organisations outside the EU which provide products or services to EU residents.
Who does the GDPR affect?
The GDPR is not governed by size or sector. Even small businesses must take steps to be GDPR compliant. Although you may hear that companies under 250 employees don’t need to keep certain records, it’s actually hard to be compliant if you don’t! So, the GDPR applies to Pete the Plumber in pretty much the same way as it does to Barclays Bank. Of course, Barclays Bank can afford a team of experts to advise on GDPR whereas Pete the Plumber and other SMEs need a cost-effective way of accessing GDPR expertise on demand. That’s where we come in.
It’s best if all employees are trained on the GDPR so they can take personal responsibility for ensuring compliance. Marketing, HR, finance and customer service teams in particular have a key role to play in safeguarding data.
What does it mean to be GDPR compliant?
To be GDPR compliant, you must identify the data you hold, determine why you have that data, be clear on whether you are sharing it with anyone and put steps in place to protect data and monitor data usage. You must also be able to identify a data breach and understand how to notify both the ICO and stakeholders.
As part of your GDPR compliance, you will normally need the following documents: privacy policy, cookie policy, terms and conditions of website use, data retention policy, IT security policy and data processing agreements. Our GDPR experts can help you identify areas of non-compliance as part of a GDPR Discovery Review.
Is the GDPR good for business?
Yes. Being GDPR compliant reduces the risk of customer loss, reputational damage and reduced profits.
GDPR compliance ensures your customers can trust you with their information and safeguards your hard-earned reputation. Get it right and it will help you to win business. Get it wrong and the consequences could be far costlier than seeking expert help in the first place.
Who is the Data Controller for the GDPR?
The Data Controller is the organisation responsible for deciding how personal data is processed.
The Data Processor is the organisation which processes the data on behalf of the controller, for example, a marketing consultancy or an outsourced payroll provider.
Some organisations may need to appoint a Data Protection Officer (DPO). This role requires in-depth knowledge of the GDPR and the DPA and carries some additional legal responsibilities. Many smaller businesses find that outsourcing this role provides them with the expert knowledge they need. We’re always happy to have a no-obligation chat to establish whether you need a DPO. Find out how a Virtual DPO service can help your business…
Our blog on ‘Who’s Who in GDPR?’ will help you identify if you’re a Data Controller, a Data Processor or both. You can find a simple guide to your responsibilities in ‘Who Does What in GDPR?’.
What are retention periods?
The 2018 Data Protection Act requires a mindset change – organisations cannot collect as much information as they think that they might need and they can’t keep it forever. At Risk Evolves, we encourage organisations to do a ‘data declutter’ so they only keep the information that they really need – for example, HMRC requires organisations to keep some financial data for the current calendar year, plus a further six years. At the end of this period, it can be deleted. Aside from being compliant with the DPA, by deleting unwanted data, you also prevent it from being lost or stolen!
If you’re unsure of how long to keep data for, or even where to start, give us a call.
How do I write a privacy policy/notice?
A privacy policy or privacy notice is simply a document that explains to your staff, customers, suppliers and web visitors what data you collect about them and why. It should explain whether you share the data with any other organisations and tell them which countries their information is being processed in. It has to be written in a way that your audience can understand (we have a passionate dislike for legal documents written in 6pt font!) and is an opportunity to reassure your reader that you are looking after their personal information in a way which is respectful. Finally, it should explain to your reader how to contact you if they want to exercise their rights.
What GDPR training is available?
Our ‘GDPR – What happens next?’ course provides a comprehensive introduction to GDPR. It is ideally suited to those organisations that prepared for the GDPR back in 2018 but have not kept up to date with their processes and risk assessments.
Our ‘GDPR – What to do in a crisis?’ course will help your employees to understand what constitutes a data breach and ensure they can confidently develop a plan to handle any future incidents.
Our ‘GDPR – The role of Trustees and Directors’ course stimulates board-level understanding and drives a culture of compliance from the top down. Trustees and Directors have a legal obligation to ensure that their organisations are compliant; this course makes it crystal clear how they can do so.
We can also put together bespoke GDPR training packages, e.g. for marketing or HR teams.
All GDPR training can be delivered onsite or online. Please contact us for more information.
Are the GDPR fines insurable?
No. Just as your car insurer won’t pay out if you’re caught speeding on a motorway, your organisation’s insurer won’t pay out if you fail to comply with the GDPR. As a GDPR fine can be up to 4% of the previous year’s worldwide turnover (or 20 million Euros), it’s definitely worth putting in place measures to ensure compliance. We can help you by assessing your current compliance as part of a GDPR Discovery Review or by providing ongoing support as part of our Compliance as a Service or GDPR Critical Friend service.
How can we get GDPR certification?
The following certifications will help embed a culture of data protection and reassure your stakeholders that you are trustworthy and credible:
IASME Governance: the combined GDPR and Cyber Essentials accreditation for smaller businesses
ISO27001: the internationally recognised standard for Information Management
ISO27701: the new ‘gold standard’ for Privacy Information Management
BS 10012: a British standard for a Privacy Information Management System
What’s the difference between the GDPR and the Data Protection Act (DPA)?
The Data Protection Act 2018 is the UK Government’s implementation of the GDPR. It is actually wider in scope than the GDPR. For example:
- It includes some differences which accommodate our security services (MI5, MI6 and GCHQ) and our law enforcement organisations
- A number of criminal offences were introduced including those of deleting data in scope of Subject Access Requests (SARs) and ‘de-anonymising’ anonymised data
- There are a number of exemptions that mean that data does not need to be shared with data subjects, for example, employee references shared between employers
There are also some smaller differences, for example:
- The DPA sets the age that a child can consent to data processing at 13, the GDPR sets this at 16
- The inclusion of an annual registration fee for UK organisations
- The role of the ICO including its duties, function and enforcement powers
If you have any questions for the Risk Evolves team, contact us today.
Let's get the conversation started...
Whether you are looking to find out more information, or are ready to take the next step, we’d love to talk to you. Click the button below to book a free 30-minute Risk Discovery Call.
Contact Us
01926 800710
What our clients say about us
Managing risk and compliance for our clients is its own reward. Our clients have said the following about working with our team. Due to the nature of our work, we are limited in what we can share about our clients.
Anonymous
- Transcription City
- Sam Wood
- Director
It was more work than I’d expected. I soon realised I needed help to fully understand the requirements and embed the standards so they would work for my business. I approached British Assessment Bureau for help. They recommended Risk Evolves. Twelve weeks later, we passed our remote audit and achieved certification.
Anonymous
The internal audit and IASME application has been a positive experience for The Changing Education Group… made possible by the high quality support and guidance offered by the Risk Evolves team.
Anonymous
Customer feedback gained as part of our ISO9001 certification has led to the development of popular new services including GDPR Critical Friend.
Anonymous
Cyber security is scary! Helen gave me the confidence to know we could… minimise these types of risks. She has given me peace of mind.
Anonymous
Friendly and informative.
Anonymous
Our clients appreciate that we practise what we preach and can share real-life experience of running an ISO-certified business. We’re certified to ISO9001 and were the first UK client of NQA to certify to both ISO27001 and ISO27701.
- Jay's Logistics (South West) Ltd
Anonymous
Our ISO9001 certification has enabled us to deliver logistics services to Hinckley Point and to its suppliers as well as operating at a more efficient and safe level. The power station isn’t due for completion until 2025 so this contract has provided stability at a time of great for the logistics industry.
Anonymous
GDPR compliance will increase our value to clients.
Anonymous
We are in a safer place now than we were 12 months ago, starting with two-factor authentication. The culture of the organisation is in a better place, and we were in a better place for lockdown too.
- Transcription City
- Sam Wood
- Director
It made a massive difference to have ISO explained in layman’s terms. It’s very easy to ask questions and you aren’t left understanding less! You just call or email and it’s in a way that’s simple to understand.
- SIS Systems (UK) Ltd
- Adam Middleton
- Managing Director
We do recommend Risk Evolves. Not only do they offer great service and value for money, they have also imparted valuable knowledge, understanding and belief across the organisation. The net result is more business.
Anonymous
Helen represents the small business community effectively and with vigour as the Cyber Crime Ambassador for FSB Coventry and Warwickshire, working alongside local and national government to ensure small businesses have a voice.
Anonymous
Very quietly thrilled to bits to get our accreditation under the new standard without any issues. Helps the business with proposals to blue chip clients.