GDPR and Data Protection Officer Solutions
We deal with personal data and have a range of either digital tools or briefing and training and awareness sessions, audits and Data Protection Officer Services.
Equinoxx has a proven track record of working successfully throughout any sized organisation and can advise and bring together all the functions of the business in order to ensure overall and ongoing UK GDPR compliance.
For organisations to achieve ongoing compliance and privacy by design and to embed this cultural shift in how everyone from the board down and throughout the organisation views and deals with personal data Equinoxx have a range of either digital tools or briefing and training and awareness sessions, audits and Data Protection Officer Services.
"There is no silver bullet to ensure GDPR compliance, but arguably the biggest change is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation"Elizabeth Denham, the UK’s Former Information Commissioner.
A two-hour session covering the basic principles of the UK GDPR in terms of the risks, penalties, data subject rights, including a cyber threat overview. This ensures the organisation sets the tone from the top down.
sessions delivered to all staff to evidence they have been briefed on the Regulation and have an understanding and where necessary the correct knowledge and training. This will need to be evidenced and shown as part of the organisation’s ongoing training policy. This is a vital part of the cultural shift in a business as it enables every employee to understand the "why".
45-minute online course that includes knowledge checks and final test. The certificate is valid for 2 years.
This produces a remediation/action plan and helps to identify the organisation’s current position in terms of compliance.
A data inventory and data flow map of your company’s personal data, which will plot data in all of its forms, origins, paths, exit points and storage locations, giving an indication of where personal data exists in your network infrastructure and devices, servers, endpoints and protocols, and all data exit points (including firewalls, printers and endpoints where sensitive information can be copied to portable media).
Understanding how and when to use a DPIA and their usage as a risk assessment tool.
To ensure the necessary documentation and evidence of compliance.
To understand if a DPO is required and how they need to work in terms of access, workload, internal and external contacts.
To understand what level of risk personal data is exposed to and to mitigate those risks, if needed.
An audit that can be carried out annually. It will measure an organisation’s current situation in terms of compliance and help to ensure that the UK GDPR has not been seen as a one-off box ticking exercise and ongoing continuous improvement, measurement and analysis are taking place. This one-day audit will take a comprehensive look at all aspects of the UK GDPR and the current processes, procedures and policies that have been adopted and utilised within the organisation. This will ensure that compliance is being applied, unforeseen risks are being identified and managed accordingly. The DPO audit team will examine documentation, review organisational processes and conduct key staff meetings where applicable.
Given the evolving nature of the UK GDPR and complexity of its interpretation, many businesses would not have the immediate resource to effectively undertake this Data Protection Officer role. Consider for example, would your organisation be able to:
The GDPR introduces a duty for you to appoint a data protection officer (DPO) if you are a public authority or body, or if you carry out certain types of processing activities. DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority. The DPO must be independent, an expert in data protection, adequately resourced, and must report to the highest management level.Information Commissioner's Office
Assigned virtual DPO - 4 hours per month to include:
Assigned virtual DPO - 7 hours per month to include:
Assigned virtual DPO - 10 hours per month to include:
Access to one of Equinoxx's virtual DPOs allows you to subscribe to a monthly service giving you access to an accredited UK GDPR Practitioner via online meeting, telephone or email to provide initial expert guidance and advice on data protection and UK GDPR related questions within your business, through a cost-effective managed service.
The DPO is required to have access to all areas of an organisation without a conflict of interest (Article 38 (6)), work independently without instruction (Article 38 (3)) and will require detailed expertise in the UK data protection legislation to fulfil the role. When engaging the Equinoxx outsourced DPO service we will assign you a specific UK GDPR practitioner, who will work closely with your organisation to monitor/inform/advise of ongoing UK GDPR compliance.
The UK GDPR requires that “the controller shall seek out the advice of a Data Protection Officer, where designated, when carrying out a Data Protection Impact Assessment” (Article 35) When an organisation identifies the requirement for a DPIA the Equinoxx DPO will consult on the assessment in line with the regulation when looking to implement a new project or initiative.
As emerging case law further defines the interpretation and application of UK GDPR, the very nature of the regulation will be subject to change as it is interpreted, derogations are set and amended in different member states (Articles 85-91). Ensure that your organisation is kept up to date with the ever-changing UK GDPR landscape via Equinoxx notifications.
Depending on your service plan, Equinoxx will conduct onsite audits at regular intervals to ensure that compliance is being applied, unforeseen risks are identified and managed accordingly. The Data Protection Officer audit team will examine documentation, review organisational processes and conduct key staff meetings where applicable (up to 8 hours is required for the audit; these can be achieved in 4 weekly 2-hour sessions).
DSARs handed to organisations will be presented in a variety of guises, for example; a disgruntled ex-employee wanting their personnel records, possibly a competitor wishing to disrupt operations, or simply a customer inquiring what personal data you hold. The Equinoxx Data Services Data Protection Officer will advise on the management of how to handle DSARs, covering areas which could range from:
All new or existing staff can be your greatest asset; however, they can also be your greatest risk due to the personal data they will encounter throughout the course of their duties. Equinoxx provide expert education and awareness sessions on the evolving regulations (frequency based on your service plan) to ensure that all staff are trained in how to identify personal data within their remits and the organisational processes required to be compliant in line with GDPR (1-hour session for up to 30 staff).
The initial challenge organisations face is determining how to proceed when a breach has occurred. Under UK GDPR, you have 72 hours to notify the ICO once you have discovered a breach, however not all breaches are notifiable if they are not likely to impact the rights and freedoms of individuals, which presents significant challenges when deciding if this is the case without possessing expert knowledge and support. Your Eqxuinoxx Data Protection Officer (DPO) will advise and guide you in determining the circumstances surrounding the breach and whether the ICO need to be notified. Our UK GDPR practitioners will act as your organisation’s main point of contact with the supervisory authority and data subjects, who also need to be contacted directly when a “high risk” breach occurs, without undue delay.
During a breach investigation, the source and nature of the breach may not be immediately apparent and as such has the scope to increase in complexity within a short time frame. The DPO will be required to make necessary site visits to conduct further investigations and to guide the organisation through this turbulent period. We will help you understand the nature of the incident in relation to the regulation, the required communication with both internal and external parties, and provide clarity on the action required to recover from a breach.
Identifying, managing, and ultimately reducing risk is a key component of an organisation’s compliance. The DPO will consult with your organisation to compile a centralised register of data protection privacy risks, scoring those risks appropriately according to the organisational risk appetite and the resulting action required on their resolution as part of a wider compliance framework.
The UK GDPR holds those at the top of an organisation responsible for its compliance through proper governance. If an organisation is non-compliant at worst it could be subject to significant fines of up to 4% of global turnover or £17.5 million whichever is greater, but an organisation may also suffer organisational sanctions and the resulting reputational damage which can be crippling.
Euinoxx will provide a comprehensive onsite board brief on your UK GDPR compliance status. The brief will highlight the current risks involved, the importance of good governance in UK GDPR compliance, which will ultimately help enhance the organisation’s public image and install confidence that consumers' data is being handled appropriately.
Following Russia’s invasion of Ukraine, the National Cyber Security Centre is calling on UK organisations to strengthen their online defences. Organisations should review their cyber security defences and take actions to improve their resilience in this time when the cyber threat is heightened.
The ISO 27001 standard provides the framework for an effective Information Security Management System (ISMS). It sets out the policies and procedures needed to protect your organisation and includes all the risk controls (legal, physical, and technical) necessary for robust IT security management.
By becoming certified companies are showing a commitment to ensuring that adequate security controls are in place to protect information and data from being accessed, corrupted, lost, or stolen.
Through ISO 27001 certification, your company can demonstrate compliance with internationally recognised standards of information security.
An Information Security Management system demonstrates your compliance with internationally recognised standards of information security, helping you to fulfil your legal obligations and comply with various regulations.
It keeps confidential information secure by putting in place detailed security policies and access management, allowing for the secure exchange of information.
The Standard manages and minimises risk exposure, providing customers and stakeholders with confidence in how you manage risk.
It enhances customer satisfaction, which improves client retention.
Businesses get buy-in from your employees and stakeholders, building a culture of security.
It protects the company, assets, shareholders, and directors.