Privacy as a Service
Our Privacy as a Service offering will support your business to develop a data privacy strategy and steer it through the complex array of different data protection regulations that might affect the organisation.
Service Descriptions
Virtual Chief Privacy Officer (vCPO)
A CPO directs a company’s data privacy strategy, helping to steer the business through the complex array of different data protection regulations that might affect the organisation concerned.
As your vCPO we will help your business to look for ways in which privacy can add value to the business, using it in a positive way to help gain a competitive advantage. The vCPO’s duties typically include:
- Providing strategic steer on all things Data Protection/ Privacy related.
- Keeping on top of the latest developments on the evolving data privacy landscape.
- Guiding privacy policies, processes, governance, and compliance.
- Managing, monitoring, and continually improving data protection measures.
- Driving privacy awareness within the organisation.
- Liaising with regulators and the media in relation to privacy matters.
- Helping to develop and maintain trust with privacy conscious consumers.
Virtual Data Protection Officer (vDPO)
We will register and act as the vDPO for the business by performing the roles and responsibilities assigned to me under Article 39 of the GDPR, e.g:
- Overseeing the establishment and maintenance of the personal data processing register (the so-called Article 30 record of processing [ROPA]) – GDPR Article 39(1)(a).
- Advising on the necessity for a DPIA, the manner of its implementation and outcomes – GDPR Article 39(1)(c).
- Providing guidance and support on data breach monitoring, management and reporting – Article 39(1)(a).
- Serving as the point of contact for data protection authorities (DPAs) and Data Subjects in relation to all relevant data protection issues – Article 39(1)(d) and (e).
- Providing advice and guidance on how to manage and respond to privacy rights requests from individuals (information, access, rectification, objection, erasure, data portability) – Article 38(4).
- Facilitating GDPR awareness training and the training of staff involved in data processing operations.
- Monitoring compliance with the GDPR – Article 39(1)(b).
- Spearheading and project managing the GDPR compliance programme for the business, including attending / heading steering committee meetings, etc.
Virtual Privacy Officer (vPO)
Providing support to the vCPO and / or vDPO on all Privacy related issues, including helping to run and manage the Privacy compliance project / plan for the business.
Virtual Cyber Security & Privacy Lawyer (vCSPL)
Providing independent legal advice and support to the client and/or vCPO vDPO so the client doesn’t need to consult with (costly) external lawyers.
The benefit of engaging a vCSPL is that there won’t be any need to sign separate engagement letters with external lawyers or to keep briefing new lawyers as the vCSPL will have access to the client and direct lines of contact (with a system of Chinese walls being implemented internally to avoid any conflicts) with the vCPO and/or vDPO.
Privacy as a Service (PaaS)
It’s also possible to subscribe to a mixture of the above services under the Privacy as a Service heading – please speak to a consultant for more information on this offering and we’d be more than happy to prepare a bespoke service offering and quote for you.
EU Representative Services
Under this annual subscription service, we will serve as your EU representative under Article 27 of the EU GDPR via our network of carefully selected associates. As your EU Rep, we will:
- Act as your local point of contact for any data subjects /supervisory authorities (SAs) in relation to all matters relating to your data processing activities;
- Register with all relevant local SAs and regulators – as required;
- Store a copy of and maintain a record of your processing activities (ROPA) as required under Article 30 of the EU GDPR and make said ROPA available to any relevant supervisory authorities; and
- Liaise with supervisory authorities on your behalf where required.
Cyber Essentials and IASME Governance Standards Assessments – which includes an assessment of ‘GDPR Readiness’
The GDPR provides for two processes under which organisations can demonstrate that their processing of personal data is compliant with data protection laws (thereby satisfying the accountability requirement under the GDPR), these are:
- Codes of Conduct; and
- Certifications Schemes.
Until recently, organisations have been unable to rely on the above processes because the administrative framework for gaining the requisite approval from the UK Information Commissioner (ICO) of a proposed code or scheme wasn’t ready.
However, since 27 February 2020, it’s been possible for UK organisations to submit their proposals for a GDPR code of conduct or certification scheme criteria to the ICO for their approval, but this process is both time consuming and expensive, so then the next best thing would be to focus on demonstrating compliance with any other recognised data protection / cyber security standards, e.g. the UK’s Cyber Essentials and IASME Governance Standards (which includes an assessment of GDPR requirements) which would be an affordable and achievable alternative to trying to evidence compliance with other international standards, e.g. ISO/IEC 27001.
We can help your organisation with the IASME Governance Self-Assessment which assesses your compliance with the Cyber Essentials scheme and your GDPR readiness. Once we’ve completed the assessment, your organisation should receive a certificate confirming your Cyber Essentials certification and your business would also be able to use the IASME ‘Governance with GDPR logo’ to demonstrate to your customers, and employees, that you take the protection of their valuable personal data seriously.
We can also help you to obtain any other relevant industry specific certifications, e.g. Cyber Essentials Plus, ISO/IEC 27001, BS 10012, etc.
Who can represent me?
