Professional DPO Services - A Buyer's Guide
The Regulations tell us which Companies must have a DPO, but even if you are not required to have one, you can still appoint a DPO voluntarily. Many Organisations consider appointing a DPO to be a measured and responsible decision.
Appointing a DPO demonstrates your commitment to Data Protection, especially when your business performs a lot of processing activity, or you process Special Category Data for Children or the elderly, even if the legal threshold of 'Large scale' processing has not been reached. A DPO can make your business life a lot easier and provide evidence of proper systems of Data Processing activity should an issue arise. However, a DPO does not have to be EMPLOYED.
Having a DPO on STAFF - Can lead to issues.
The cost of bringing a DPO on staff can be prohibitive. Generally it will be in the £50,000 - £100,000 per year range for a single individual who is properly qualified. This figure doesn't take into consideration Employer's contributions, Pensions, Employee benefits or managing sickness, holiday cover or recruiting another one if they leave.
Also, a DPO must in Law have both the authority and the resources to effectively conduct their role. This has sometimes led to conflict within the Organisation, especially if Board Members resist being told to change their long-established practices by a non Board Member or 'the new starter'.
Similarly, the power a DPO undoubtedly wields must be tempered with experience and maturity. They need excellent communication and interpersonal skills and sound business knowledge and experience, in addition to being experts in the Law. It is true to say the combination of all these skills is not available on every street corner!
Consequently, recruitment of a new full time staff member of this quality can be fraught with challenges.
Using a 3rd Party Organisation - An alternative.
Most Organisations recognise they need help with GDPR Compliance; it is unusual at best for the necessary skill sets to be found within your existing staff members. Consequently, a professional 3rd Party DPO is often the right answer.
The Transition Law team has a great deal of experience in dealing with GDPR & Data Protection Matters. One of the most misunderstood areas of the GDPR is whether to engage a DPO and what are the benefits of doing so.
We understand that for many, the GDPR is a scary piece of legislation. The penalties currently being imposed can literally sound a death knell for a business because the fines can run to tens of thousands of pounds. Understandably, businesses are keen to keep on the right side of this high profile Law.
Data Protection compliance should not be a tick box exercise that, once completed, you can forget. It should be a living, breathing part of your business, which gets constant attention because it can and does change every day.
However, there are some major benefits to compliance: used properly, a robust system of Data Protection is a powerful marketing tool which can bring serious advantages to your business, but only if true value exists and the knowledge of how to use it is brought to bear.
Unfortunately, many organisations do not fully understand what a professional DPO can achieve so they do not even know how to recruit one. Before you decide to engage a DPO we recommend you at least consider these questions:
Questions you should really be asking
1) Do I really need a DPO?
This will depend on your business model and the amount of data you process. The legislation states when you MUST have a DPO but many organisations reap the benefits of choosing to appoint a DPO before they are required to act.
2) Even if you need a DPO, do you really need a DPO on staff?
A DPO is like any other Employee: you must fully understand their role in order to properly recruit one, and you must also consider whether you can cope if they go on leave, get sick or simply go to another job.
3) How can YOU know if a DPO can do the job?
Assuming you are not qualified to do their job (in which case you wouldn't need them) it is difficult to know whether they are any good. The rules say they must be an 'expert' in Law but apart from having a Law degree, there are no standard DPO qualifications. NB: Many DPOs are only really 'experts' in Computers and digital security, not the Law.
4) Can I afford the services of a 3rd party DPO?
The question of cost is always relevant, especially in SME Businesses. However, the benefits of correct and timely legal advice, when set against the eye-watering levels of fines currently being issued by the Regulator, can hardly be overstated.
That is not to say money should be wasted; we believe that regular contact with your personal DPO on the basis of a Service Contract, professional assessments, staff training and guidance when needed, instead of a permanent and inflexible employment contract, will stand most businesses in good stead to weather the storms of GDPR compliance and assaults on their Privacy systems by the general public, their competition and the Regulator.
5) Can I afford to get the new Data Protection Regulations wrong and risk a high fine and adverse publicity?
The short answer to this question is NO! There are now too many examples of individual staff members, Sole traders, Partnerships and Limited Companies that have been fined, their people disqualified as Directors and worse, for anyone to risk taking a Cavalier attitude to the penalties for Data Protection infringement.
6) Many businesses decide that the best (and most cost effective) way to proceed is to engage a 3rd party DPO.
The Regulations provide for the services of a DPO being arranged with a third party organisation. Once again there are questions to be answered: you should enquire about their experience and ability. Do they really understand the Law? Will they only speak to you via email? Do you have a named individual to speak with? Do they ever visit your premises to understand your business? Are they cheaper than a full time Employee? Have they any testimonials?
Consider using Transition Law as your DPO
Transition Law has been advising businesses on GDPR compliance since GDPR began. See Testimonials HERE
We have demonstrable expertise in Staff Training, Compliant Documentation writing, Data/Information Audits, DSARs - their use and response, DPIAs, Data Mapping and Data Breach avoidance and Management.
In addition we created S.H.I.E.L.D. the first compliance accreditation system in the UK. S.H.I.E.L.D. Membership is a prized award to any compliant business and has been awarded to Chambers of Commerce, Small businesses, individual sole traders, National and Multinational firms and Government NGOs.
For FREE, impartial and, most importantly, expert Legal advice about YOUR business needs, CONTACT US today.
Benefits of Transition Law DPO Packages
At Transition Law we have been dealing with SME clients for many years. We understand there is no point operating a 'One size fits all' policy. All of our clients are different, in fact unique, and the Data Protection Regulations REQUIRE that every Data Audit and Policy Manual is made BESPOKE to the individual business concerned.
We will NEVER send you a TEMPLATE Audit document and tell you to change the name and address to your own. Apart from being entirely unprofessional, this approach is UNLAWFUL!
Each of our Packages is designed with your business in mind. They all benefit from the following TEN elements, which we call THE STANDARD TEN. Each one of the ten elements addresses a specific fault or an unacceptable situation we have seen in the marketplace for DPO Services.
THE STANDARD TEN COMPLIANCE ELEMENTS
1) A Named individual, who understands your business, for you to speak with.
2) Initial exploratory Data Audit and Gap Analysis at your place of business with a legally qualified professional.
3) Professional support with your ICO Registration and Transition Law named as your DPO.
4) Compliant Policy Documentation with supporting activity procedures.
5) Legally qualified staff, i.e. you will not be speaking with people who did a 2-day Online course to become a DPO.
6) Maintenance of Data Breach and Subject Access Register.
7) D.P.I.A. and L.I.A.T. assistance and Article 27 representation.
8) One Day Annual Staff Awareness Training INCLUDED in your package.
9) Initial Supplier Audit assessment INCLUDED in your package.
10) Initial Business Marketing Assessment and Advice INCLUDED in your package.
COMPARE OUR DPO SUPPORT PACKAGES
In addition to the inclusion of the above TEN points in all of our packages, we will also assist clients to make an assessment of how often they will need to contact their DPO for assistance after their initial assessments and upgrades to compliance.
Generally speaking, a straightforward business, once established and compliant, will probably need much less contact than a busy, data-complex one.
NB: Although we have FOUR Packages, because Data Protection is a LEGAL REQUIREMENT the minimum acceptable standard is FULL LEGAL COMPLIANCE, so even our most basic package is called 'THE GOLD STANDARD.'
** Discounts available to any currently compliant business or existing S.H.I.E.L.D. Holder **
PLEASE NOTE: The above package outlines and suggested staff numbers are just a guide. We will have a detailed conversation with you about the appropriate level of support you will require.
NB: The BESPOKE Package is used most often as it is the most flexible whether for a large or small business.
All plans run on a 6 month basis (which means you are not committed to a full year's costs), and clients may switch from one plan to another at any time as their business needs change, without incurring administration costs.
FOR MORE INFORMATION ON DPO SUPPORT AND TO TALK WITH US ABOUT YOUR PERSONAL REQUIREMENTS CLICK HERE