Your own data protection expert
Do you handle sensitive, personal data? Do you need a skilled Data Protection Officer (DPO) but only for a few hours each month? Are you concerned about the legal obligations that a DPO must fulfil and worried that you do not have the skills to do this?
Protecting your assets
Data is one of our most valuable business assets. A Data Protection Officer (DPO) will develop and nurture a culture of data privacy which will safeguard your organisation’s data. Doing so will help protect your finances and your reputation.
The benefits of outsourcing
- You receive advice that’s completely impartial and easy to follow
- You have access to a wider pool of GDPR specialists
- You are fully informed about the latest data protection news
- You understand and act on changes in legislation
- Your DPO is able to share best practice from other organisations
- You aren’t left in the lurch in times of holiday or sickness
- Your DPO is experienced in operating at board level
How a virtual DPO can help
- Ensure you have a robust data protection strategy that complies with GDPR and the UK Data Protection Act (DPA)
- Ensure your staff have the knowledge and confidence needed to maintain compliance
- Review and update privacy policies
- Update your board on your organisation’s compliance posture
- Maintain comprehensive records of data processing activities
- Help you act quickly and decisively in a crisis to limit its impact, such as fines or reputational damage
- Conduct regular audits to prevent nasty surprises
- Ensure that you have legal agreements with any Data Controllers and Processors
- Rehearse breach scenarios to ensure that your organisation is prepared should the worst occur
Virtual DPO FAQs
A Data Protection Officer (DPO) is responsible for advising on data protection impact assessments, training staff, conducting internal audits and managing any other internal data protection activities. They normally also help control which members of staff and contractors have access to information. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
Should you have a breach, the Data Protection Officer has a critical role. They will be responsible for reporting to the ICO, providing enough information to minimise the risk of a fine and co-ordinating any external forensics. They will also advise senior management and marketing/PR in order to minimise the ripple effect of a breach, such as loss of customer trust.
Not every organisation requires a DPO. Under the GDPR, you must appoint a DPO if:
- you are a public authority or body (except for courts acting in their judicial capacity)
- your core activities require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking), or
- your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences
However, some organisations that don’t have to appoint a DPO decide to do so as they see this as good practice or to meet clients’ expectations. Once in role, DPOs have legal obligations to fulfil, even if they have been voluntarily appointed.
If you don’t have a DPO, it is good practice to appoint a Data Officer to be the focal point for all data privacy related queries. We can act as a Data Officer for you via our Critical Friend service.
- They are specialists with a raft of industry experience
- They are always available when you need them
- They’re impartial
- They have experience of delivering training and internal audits
- They can confidently handle difficult situations and breaches including providing reports to the ICO
- They can help you think beyond compliance and seize new opportunities
- They’ll help you effectively develop a culture of compliance across business functions
- They’ll be abreast of the latest requirements, including changes to data privacy legislation post-Brexit
- They can help you reply to Subject Access Requests (SARs) within tight deadlines
All our virtual DPOs are experienced in operating at board level.
Indeed. Article 37 of the GDPR makes it clear that businesses can outsource the DPO function, stating that, “The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”
Virtual DPOs can help you with anything and everything related to GDPR, including:
- Advising on ICO registration
- Helping you complete Subject Access Requests (SARs) and Right to be Forgotten requests (RTBF)
- Data Protection Impact Assessments (DPIA)
- Drafting or reviewing privacy notices
- Writing data protection policies
- Providing training to employees
- Managing crises, e.g. data breaches
- Liaising with the ICO
- Keeping you informed about changes/new requirements so you can maintain compliance
There’s a minimum contract term of six months.
You can appoint a member of your staff as a DPO. This cannot be a member of management nor a member of your IT department, yet needs to be someone who is extremely trustworthy, robust enough to drive compliance and interested in the subject. Please note that an in-house DPO will enjoy special protection against dismissal.
Don’t worry if you need a Virtual DPO in a hurry. After an initial call, we’ll design a package to suit your needs and send you a contract to sign. Within 24 hours of receiving your signed documentation, we can start to act as your Virtual DPO.
As your business grows, you may find yourself needing a full-time DPO. If so, we’ll happily provide any training they may need, including a full handover and any support to help them through the transition period. Our GDPR Critical Friend service will provide you with holiday and sickness cover as well as providing your new recruit with access to a second opinion from someone who already has a good understanding of your business.
Yes, you should contact your nominated DPO. If they are not available, we will brief another of our virtual DPOs so they can provide emergency support.
View our standard support times. Please note, out of hours support can be provided, if required.
- Transcription City
- Sam Wood
- Director
It was more work than I’d expected. I soon realised I needed help to fully understand the requirements and embed the standards so they would work for my business. I approached British Assessment Bureau for help. They recommended Risk Evolves. Twelve weeks later, we passed our remote audit and achieved certification.
- SIS Systems (UK) Ltd
- Adam Middleton
- Managing Director
We do recommend Risk Evolves. Not only do they offer great service and value for money, they have also imparted valuable knowledge, understanding and belief across the organisation. The net result is more business.
Anonymous
ISO9001 was an achievement, an even bigger deal was to raise the health and safety culture of the organisation.
Anonymous
We are in a safer place now than we were 12 months ago. Starting with two factor authentication. The culture of the organisation is in a better place and we were in a better place for lockdown too.
Anonymous
Friendly and informative.
- Transcription City
- Sam Wood
- Director
It made a massive difference to have ISO explained in layman’s terms. It’s very easy to ask questions and you aren’t left understanding less! You just call or email and it’s in a way that’s simple to understand.
- Jay's Logistics (South West) Ltd
Anonymous
Our ISO9001 certification has enabled us to deliver logistics services to Hinkley Point and to its suppliers as well as operating at a more efficient and safe level. The power station isn’t due for completion until 2025 so this contract has provided stability at a time of great for the logistics industry.
Anonymous
Cyber security is scary! Helen gave me the confidence to know we could… minimise these types of risks. She has given me peace of mind.
Anonymous
Customer feedback gained as part of our ISO9001 certification has led to the development of popular new services including GDPR Critical Friend.
Anonymous
Our clients appreciate that we practice what we preach and can share real-life experience of running an ISO certified business. We’re certified to ISO9001 and were the first UK client of NQA to certify to both ISO27001 and ISO27701.
Anonymous
GDPR compliance will increase our value to clients.
Anonymous
Very quietly thrilled to bits to get our accreditation under the new standard without any issues. Helps the business with proposals to blue chip clients.
Anonymous
The internal audit and IASME application has been a positive experience for The Changing Education Group… made possible by the high quality support and guidance offered by the Risk Evolves team.
Anonymous
Helen represents the small business community effectively and with vigour as the Cyber Crime Ambassador for FSB Coventry and Warwickshire, working alongside local and national government to ensure small businesses have a voice.