How we work

Inbound support

Outbound support

Inbound support

Inbound support

Outbound support

Outbound support is the proactive work we do to maximise your compliance with data protection law.

We have mapped our framework to various standards, but the principal aim is to be able to demonstrate and document compliance with the ICO Accountability Framework.

A lead consultant will be assigned to your organisation and their responsibility is to develop a plan to move you minimising risk and maximising compliance and capability in the areas of the framework.

The framework is supported by the tools and resources on the DPE Knowledge Bank, but it is platform agnostic - we also implement this approach when using other platforms and tools such as GDPRiS. For more information on how the Knowlebank tools support compliance, click here.

Inbound support

Inbound support is the reactive work we do when you need us most.

This support is provided by our core DPO team who are qualified to offer advice and guidance on the most complex and difficult of cases.

The core DPO team is there to help you with:

  • Data protection impact assessments
  • Subject access requests
  • Data breaches
  • Questions and queries
  • Freedom of information enquiries
  • ICO liaison
  • Inbound requests and complaints from data subjects
  • Any other support requests

Our Framework

Leadership and oversight

Leadership
and
Oversight

Leadership and overshight

An effective programme starts at the top. We work with you to agree strategic goals and (especially with MATs) an approach that where possible, mirror your existing governance structures and reporting lines. 

We provide guidance on governance and corporate risk management where it relates to data protection issues.

Our reporting lines are agreed to be at the highest level of the organisation - that's the governing or trustee board, or in larger trusts, the audit and risk, or finance committee.

Risk Management

Risk
Management

Risk Management

We take a risk-based approach to data protection. Defining risk-based priorities allows us to ensure that we can maximise the effectiveness of the work we do for you.

In our physical site visits, we assess "visible" data risks - how people use data, what is on display, physical security of data and much more.

Using our online tools we document the "hidden" data risks in systems and processes through data protection impact assessments and records of processing.

Policies and procedures

Policies
and
Procedures

Policies and Procedures

We have an extensive repository of contextualised documents in our Best Practice Library, covering everything from core documentation, such as a Data Protection Policy, through to SAR and breach procedures and on to more niche documents such as CCTV extraction workflows.

We know that not everyone starts off with a blank canvas, so all our DP customers benefit from a document review as part of our onboarding process and we are happy to advise on or review any new or revised documentation relating to data protection.

individual rights

Individual
Rights

Individual Rights

One of the fundamental aspects of our job is to represent the rights of data subjects. And part of the analysis in our risk-based approach is to identify and document the appropriate rights of data subjects in the processing taking place and making sure they are respected, through changes in process and training.

We operate logs for data subject rights and support data subjects directly with their issues, as well as data subject complaints directly to the Information Commissioner's Office 

Contracts and data sharing

Contracts
and
Data Sharing

Contracts and Data Sharing

Third-parties and contract management are managed on our online platform.

This allows assessment of the thirty-party as well as any individual contracts or data-sharing agreements held with that third-party in order to ensure that the organisation and the contracts are GDPR compliant.

This is done in conjunction with you and we do not require access to any confidential or financial information as part of this exercise.

 

Transparency

Transparency

Transparency

Transparency is one of the fundamental data protection principles and we provide a range of supporting document templates and guidance on when transparency is required as well as the information required for disclosure.

Additionally, customers of our Knowledge Bank can automatically produce privacy notices from the data in the record of processing tool using our automated templates.

Any existing privacy notice documents are of course covered in our documentation review.

Training and Awareness

Training
and
Awareness

Training and Awareness

DPE have an extensive library of training resources. Firstly, we recommend staff undertake our e-learning, with topics on data protection and information security. All courses have a certificate of completion and site managers can view enrolment and completion reports.

We also have a range of offline resources, including training pdfs and presentations for instructor-led sessions. Any offline training courses can be manually added to the Knowledge Bank for complete visibility on training.

Our Compliance Manager tool allows managers to assign documents to staff for reading and electronic signing - removing the need to chase staff for signatures on important documents. 

The DPE Proficiency Framework allows you to map roles in your organisation to the skills they need to employ in each process in the Record of Processing. This means a personalised skills map and supporting training can be developed for every role in the organisation.

Lastly, we support and have training materials and online sessions for all managers of our Knowledge Bank.

Records Management and Security

Records
Management
and
Security

Records Management and Security

Effective records management is key to a successful data protection programme and we support you with guidance, templates and policies for effective document control, classification and management.

Key to records management is the record of processing (RoP) tool, which supports the documentation of data locations and systems (including offline) where data records are kept.

Reports generated from the RoP include information asset reports, data locations, visual data maps, retention schedules, including details of destruction.

We advise and document data security on visits and on the knowledge bank. Review of data security risk is a fundamental tenet of our risk-based approach to data protection.

Monitoring, verification and Reporting

Monitoring
Verification
and
Reporting

Monitoring, Verification and Reporting

Benchmarking and monitoring are a continual process and we record and measure multiple KPIs of your data protection programme, including key stats of SAR, breach and FOI logs. We look at completeness of processing records and associated documentation. Our learning management system and compliance manager provide reports on training and awareness.

We have checklists on each contextualised best practice area so progress against baselines can easily be assessed.

Framework checklists map the Information Commissioner's Accountability Tracker so that compliance with ICO standards can be monitored directly in the Knowledge Bank.

We record all our time spent working for you during visits, remote consultations and support requests, so you have visibility on the effectiveness and value of our programme

Response and enforcement

Response
and
Enforcement

Response and Enforcement

We operate a fast -turnaround to all support requests whether a SAR, FOI or support ticket. Breach notifications of course always get our attention and you can be sure that one of the core DPO team will respond with advice as soon as we can.

We aren't the enforcer, but our advice as an independent DPO may not always be what you want to hear. Where we see unmitigated risks, we will recommend mitigating actions. And where these risks remain untreated we will escalate as needed to avoid a risk becoming a problem.

Enforcement, of course, comes from the Information Commissioner's Office and we act as your liaison and ensuring that any concerns raised or actions required are prioritised accordingly.

The framework is a continuous multi-threaded cycle, with all records, risks and responses feeding back into the next priorities for your data protection programme.

Contact us today with any questions or for a

Free Consultation

Call us with any questions

0800 0862018

or email us on

info@dataprotection.education

Search