Data Protection Providers Limited: GDPR Implementation Made Easy
Tailor-make your Package with DPPL
Training & Staff Awareness
We provide on-site training and awareness for your staff on the General Data Protection Regulation principles and on the procedures that your organisation has implemented to become compliant.
GDPR Gap Analysis & Implementation
We go through the steps of data mapping and risk analysis and create an implementable action plan to guide you through the steps you need to take to become GDPR compliant.
GDPR Certification & Regular Audits
At the end of our implementation process, we will certify that you are now compliant. We will also act in an advisory capacity and conduct regular audits and give feedback on corrective action required.
Data Protection Officer (DPO) as a Service
The role of DPO would see us involved with your company on a more day-to-day basis, for example reporting at board meetings, helping to manage data breaches and delivering staff refresher training.
Please note: every organisation has different needs and different levels of personal data processing; for this reason, all packages are tailored and individual quotes are given.
Data Protection Providers Ltd. GDPR Certification Process
Our certification process involves the initial implementation, where we work with you to become GDPR compliant. We will award our certification once we are satisfied that the GDPR requirements are fully met.
Moving forward we conduct on-site annual audits in order to maintain certification. We are also available for advice on the impact of any business change on personal data.
Please note: Whilst there is no official certification for GDPR compliance yet established, we have created our own certification based on the GDPR articles and many practical examples of implementation that we have been through.
Overview of the DPPL Implementation Process
- Map the Current Flow of Personal Data
We review and document all data processing activities and security processes in relation to:
- Personal Data – identifying information such as name, address and email address.
- Sensitive Personal Data – special categories requiring strong protection including data containing health, sex life or sexual orientation, religious beliefs, race and genetic data.
The main sources of personal data are customers, employees and suppliers. We ask the following questions:
- What data is being collected?
- How was the data obtained?
- From whom is data collected?
- Why is the data being collected?
- How is the data being processed?
- What is the legal basis for each processing operation?
- How long is the data retained?
- To where and to whom is the data being transferred?
- Assess Risks
For high-risk data, a Data Protection Impact Assessment (DPIA) should be carried out: the process of systematically considering the potential impact that a project or initiative might have on the privacy of individuals. For most SMEs, this is unlikely to be a requirement. However, we will review the risk that all data processing activities pose for data subjects, asking questions such as:
- Where is the data being stored?
- Is the data safe?
- Who has access to the data?
- How is the data transferred?
We work with you to put procedures in place to ensure that any personal data on laptops or devices is secure, and that email, cloud services and external devices used for storage are encrypted and can only be accessed by authorised personnel. We would also ensure that any paper documents containing personal data, such as employment contracts, are stored securely. We create a procedure that assesses the risk whenever a change in your business means you will be requesting personal data, so that the GDPR principles are always adhered to in any new development.
- Gap Analysis / Changes Required
We identify any required changes to how the data is received, processed, stored and transferred, and plan any actions required to achieve compliance. It is important to note that if your work involves processing children's data, you must ensure that you have adequate systems in place to verify individual ages and gather consent from guardians; we will work with you to assess whether this affects your organisation.
We can work with your current IT providers to make any required hardware or software changes, or we can use our own highly experienced IT contractors.
- External Providers
We identify joint controllers, processors and sub-processors, and create instructions on how data should be handled, e.g. by health insurers or outsourced payroll providers. We work with you to give third parties documented instructions, covering areas including confidentiality obligations, security practices, rules around the appointment of sub-processors and the return or destruction of the personal data at the end of the relationship.
We work with you to create all the necessary documentation, including:
- An internal Data Protection Policy
- Written procedures to guide staff in following GDPR
- A publicly available Website Privacy Statement
- A fully documented trail of how GDPR was implemented in your organisation
We ensure all your staff are adequately trained and understand their obligations under GDPR for personal data, including: dealing with information requests; correcting inaccuracies; erasing information; detecting, reporting and investigating data breaches; maintaining evidence of all training; and keeping a manual with documented procedures on data protection. We set up procedures to ensure all new staff are trained on these procedures and all staff are regularly reminded of their GDPR obligations.
- Ongoing Audits
To remain certified as GDPR compliant by DPPL, we carry out an annual audit of your organisation. We are also available to discuss the impact on personal data of any change you make to your business.