Data Protection and GDPR Compliance

virtual CISO from Risk Evolves

GDPR Consultancy

Our data protection and GDPR advice is straightforward, accurate and tailored to your organisation’s needs. Our consultants have the expertise you need.

Benefits of GDPR consultancy

  • Understand fully how your organisation collects, stores, accesses and shares data
  • Reduce the risk of non-compliance, fines and reputational damage
  • Be confident that every aspect of your organisation has been scrutinised
  • Ensure that your policies are robust and compliant
  • Understand international data transfer requirements
  • Reassure your stakeholders
  • Access best practice and up-to-the-minute advice
  • Respond quickly to a GDPR crisis

GDPR Discovery Review

We have a range of services to help you assess, manage and protect your data. A popular starting point is the GDPR Discovery Review. This three-step process will ensure that your employees understand their GDPR obligations and will provide you with a detailed action plan to drive compliance. 

Compliance as a Service

Compliance as a Service provides the ongoing expert support you need at a fraction of the price of employing a full-time in-house GDPR expert. As part of the service, we’ll check your compliance during regular review meetings, provide ad hoc advice to your staff and even cooperate with the Information Commissioner’s Office (ICO) on your behalf, if needed. As well as providing expert GDPR support, our specialists can also advise you on ISO, Cyber Essentials and H&S compliance.

GDPR Training

We believe GDPR doesn’t have to be boring or inaccessible. Our experienced GDPR trainers use real-life examples, humour and group discussions to bring GDPR to life. Your delegates will leave understanding their obligations and feeling inspired to make changes.

GDPR Critical Friend

It’s vital that your compliance team maintains a robust approach to GDPR all year round. Our Critical Friend service will provide them with the support they need to take informed, timely and compliant decisions.

GDPR Virtual Data Protection Officer (DPO)

A Data Protection Officer plays a vital role in preserving the integrity of the business. They minimise the risk of data breaches, potential fines and reputational damage. Our outsourced Data Protection Officer services will enable you to fulfil your legal requirements and benefit from the highest possible level of up-to-the-minute knowledge from certified DPOs, all of whom have Board-level experience.

GDPR Emergency Support

Whether you’ve had a data leak, received a tricky Subject Access Request (SAR) or Right To Be Forgotten (RTBF) request, been notified of an incident by one of your Data Processors or suspect an employee of copying files, we’ll help you work out how to manage the situation.

GDPR FAQs

What is the GDPR?

The General Data Protection Regulation (GDPR) simplifies data privacy compliance by replacing a number of different country laws with one that’s common across the 28 countries of the European Economic Area (EEA). It was brought into law in the UK by the 2018 Data Protection Act (DPA). The DPA remains in place after Brexit.

Why is the GDPR important?

We are spending more and more time ‘online’ whether downloading music, streaming films, sending texts, using social media or even doing our banking. Each time we use a system, we allow businesses, charities or the government to use our data. That data can be used to target us for advertising, to predict our future purchases or to capture information on our health or our family. Our data therefore has a value not only to businesses, charities and the government but also to criminals who want to capture it and sell it on the dark web.

The GDPR helps to ensure that every organisation takes its data processing responsibilities seriously and puts in place stringent measures to protect our personal data – whether we are a customer, an employee or an interested party. It also ensures that breaches are reported promptly.

Who does the GDPR apply to?

The GDPR applies to any organisation – business, charity or government body – operating within the EU that captures and stores our data. It also applies to organisations outside the EU which provide products or services to EU residents.

Who does the GDPR affect?

The GDPR is not governed by size or sector. Even small businesses must take steps to be GDPR compliant. Although you may hear that companies under 250 employees don’t need to keep certain records, it’s actually hard to be compliant if you don’t! So, the GDPR applies to Pete the Plumber in pretty much the same way as it does to Barclays Bank. Of course, Barclays Bank can afford a team of experts to advise on GDPR whereas Pete the Plumber and other SMEs need a cost-effective way of accessing GDPR expertise on demand. That’s where we come in.

It’s best if all employees are trained on the GDPR so they can take personal responsibility for ensuring compliance. Marketing, HR, finance and customer service teams in particular have a key role to play in safeguarding data.

What does it mean to be GDPR compliant?

To be GDPR compliant, you must identify the data you hold, determine why you have that data, be clear on whether you are sharing it with anyone and put steps in place to protect data and monitor data usage. You must also be able to identify a data breach and understand how to notify both the ICO and stakeholders.

As part of your GDPR compliance, you will normally need the following documents: privacy policy, cookie policy, terms and conditions of website use, data retention policy, IT security policy and data processing agreements. Our GDPR experts can help you identify areas of non-compliance as part of a GDPR Discovery Review.

Is the GDPR good for business?

Yes. Being GDPR compliant reduces the risk of customer loss, reputational damage and reduced profits.

GDPR compliance ensures your customers can trust you with their information and safeguards your hard-earned reputation. Get it right and it will help you to win business. Get it wrong and the consequences could be far costlier than seeking expert help in the first place.

Who is the Data Controller for the GDPR?

The Data Controller is the organisation responsible for deciding how personal data is processed.

The Data Processor is the organisation which processes the data on behalf of the controller, for example, a marketing consultancy or an outsourced payroll provider.

Some organisations may need to appoint a Data Protection Officer (DPO). This role requires in-depth knowledge of the GDPR and the DPA and has some additional legal responsibilities. Many smaller businesses find that outsourcing this role provides them with the expert knowledge they need. We’re always happy to have a no-obligation chat to establish if you need a DPO. Find out how a Virtual DPO service can help your business…

Our blog on ‘Who’s Who in GDPR?’ will help you identify if you’re a Data Controller, a Data Processor or both. You can find a simple guide to your responsibilities in ‘Who Does What in GDPR?’.

What are retention periods?

The 2018 Data Protection Act requires a mindset change – organisations cannot collect as much information as they think that they might need and they can’t keep it forever. At Risk Evolves, we encourage organisations to do a ‘data declutter’ so they only keep the information that they really need – for example, HMRC requires organisations to keep some financial data for the current calendar year, plus a further six years. At the end of this period, it can be deleted. Aside from being compliant with the DPA, by deleting unwanted data, you also prevent it from being lost or stolen!

If you’re unsure of how long to keep data for, or even where to start, give us a call.

How do I write a privacy policy/notice?

A privacy policy or privacy notice is simply a document that explains to your staff, customers, suppliers and web visitors what data you collect about them and why. It should explain whether you share the data with any other organisations and tell them which countries their information is being processed in. It has to be written in a way that your audience can understand (we have a passionate dislike for legal documents written in 6pt font!) and is an opportunity to reassure your reader that you are looking after their personal information in a way which is respectful. Finally, it should explain to your reader how to contact you if they want to exercise their rights.

What GDPR training is available?

Our ‘GDPR – What happens next?’ course provides a comprehensive introduction to GDPR. It is ideally suited to those organisations that prepared for the GDPR back in 2018 but have not kept up to date with their processes and risk assessments.

Our ‘GDPR – What to do in a crisis?’ course will help your employees to understand what constitutes a data breach and ensure they can confidently develop a plan to handle any future incidents.

Our ‘GDPR – The role of Trustees and Directors’ course stimulates board-level understanding and drives a culture of compliance from the top down. Trustees and Directors have a legal obligation to ensure that their organisations are compliant; this course makes it crystal clear how they can do so.

We can also put together bespoke GDPR training packages, e.g. for marketing or HR teams.

All GDPR training can be delivered onsite or online. Please contact us for more information.

Are the GDPR fines insurable?

No, just like your car insurer won’t pay out if you’re caught speeding on a motorway, your organisation’s insurer won’t pay out if you fail to comply with the GDPR. As a GDPR fine can be up to 4% of the previous year’s worldwide turnover (or 20 million Euros), it’s definitely worth putting in place measures to ensure compliance. We can help you by assessing your current compliance as part of a GDPR Discovery Review or providing ongoing support as part of Compliance as a Service or GDPR Critical Friend service.

How can we get GDPR certification?

The following certifications will help embed a culture of data protection and reassure your stakeholders that you are trustworthy and credible:

  • IASME Governance: the combined GDPR and Cyber Essentials accreditation for smaller businesses
  • ISO27001: the internationally recognised standard for Information Management
  • ISO27701: the new ‘gold standard’ for Privacy Information Management
  • BS 10012: a British standard for a Privacy Information Management System

What’s the difference between the GDPR and the Data Protection Act (DPA)?

The Data Protection Act 2018 is the UK Government’s implementation of the GDPR. It is actually wider in scope than the GDPR. For example:

  • It includes some differences which accommodate our security services (MI5, MI6 and GCHQ) and our law enforcement organisations
  • A number of criminal offences were introduced including those of deleting data in scope of Subject Access Requests (SARs) and ‘de-anonymising’ anonymised data
  • There are a number of exemptions that mean that data does not need to be shared with data subjects, for example, employee references shared between employers

There are also some smaller differences, for example:

  • The DPA sets the age that a child can consent to data processing at 13, the GDPR sets this at 16
  • The inclusion of an annual registration fee for UK organisations
  • The role of the ICO including its duties, function and enforcement powers

If you have any questions for the Risk Evolves team, contact us today.

Let's get the conversation started...

Whether you are looking to find out more information, or are ready to take the next step, we’d love to talk to you. Click the button below to book a free 30-minute Risk Discovery Call.

Contact Us: 01926 800710

What our clients say about us

Managing risk and compliance for our clients is its own reward. Our clients have said the following about working with our team. Due to the nature of our work, we are limited in what we can share about our clients.