Virtual Data Protection Officer

Your own data protection expert

Do you handle sensitive, personal data? Do you need a skilled Data Protection Officer (DPO) but only for a few hours each month? Are you concerned about the legal obligations that a DPO must fulfil and worried that you do not have the skills to do this?
virtual CISO from Risk Evolves

Protecting your assets

Data is one of our most valuable business assets. A Data Protection Officer (DPO) will develop and nurture a culture of data privacy which will safeguard your organisation’s data. Doing so will help protect your finances and your reputation.

The benefits of outsourcing

As well as saving you money, using our virtual DPO service will ensure that:

You receive advice that’s completely impartial and easy to follow

You have access to a wider pool of GDPR specialists

You are fully informed about the latest data protection news

That you understand and act on changes in legislation

Your DPO is able to share best practice from other organisations

You aren’t left in the lurch in times of holiday or sickness

Your DPO is experienced in operating at board level

How a virtual DPO can help

A virtual DPO has exactly the same responsibilities as a full-time in-house DPO but will achieve them for a fraction of the cost. They will:

Ensure you have a robust data protection strategy that complies with GDPR and the UK Data Protection Act (DPA)

Ensure your staff have the knowledge and confidence needed to maintain compliance

Review and update privacy policies

Update your board on your organisation’s compliance posture

Maintain comprehensive records of data processing activities

Help you act quickly and decisively in times of crisis to limit their impact, such as fines or reputational damage

Conduct regular audits to prevent nasty surprises

Ensure that you have legal agreements with any Data Controllers and Processors

Rehearse breach scenarios to ensure that your organisation is prepared should the worst occur

Virtual DPO FAQs

A Data Protection Officer (DPO) is responsible for advising on data protection impact assessments, training staff, conducting internal audits and managing any other internal data protection activities. They normally also help control which members of staff and contractors have access to information. The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.

Should you have a breach, the Data Protection Officer has a critical role. They will be responsible for reporting to the ICO, providing enough information to minimise the risk of a fine and co-ordinating any external forensics. They will also advise senior management and marketing/PR in order to minimise the ripple effect of a breach, such as loss of customer trust.

Not every organisation requires a DPO. Under the GDPR, you must appoint a DPO if:

  • you are a public authority or body (except for courts acting in their judicial capacity)
  • your core activities require large scale, regular and systematic monitoring of individuals (for example, online behaviour tracking) or
  • your core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences

However, some organisations that don’t have to appoint a DPO decide to do so as they see this as good practice or to meet clients’ expectations. Once in role, DPOs have legal obligations to fulfil, even if they have been voluntarily appointed.

If you don’t have a DPO, it is good practice to appoint a Data Officer to be the focal point for all data privacy related queries. We can act as a Data Officer for you via our Critical Friend service.

  • They are specialists with a raft of industry experience
  • They are always available when you need them
  • They’re impartial
  • They have experience of delivering training and internal audits
  • They can confidently handle difficult situations and breaches including providing reports to the ICO
  • They can help you think beyond compliance and seize new opportunities
  • They’ll help you effectively develop a culture of compliance across business functions
  • They’ll be abreast of the latest requirements, including changes to data privacy legislation post-Brexit
  • They can help you reply to Subject Access Requests (SARs) within tight deadlines

All our virtual DPOs are experienced in operating at board level.

Indeed. Article 37 of the GDPR makes it clear that businesses can outsource the DPO function, stating that, “The data protection officer may be a staff member of the controller or processor, or fulfil the tasks on the basis of a service contract.”

Virtual DPOs can help you with anything and everything related to GDPR, including:

  • Advising on ICO registration
  • Helping you complete Subject Access Requests (SARs) and Right to be Forgotten requests (RTBF)
  • Data Protection Impact Assessments (DPIA)
  • Drafting or reviewing privacy notices
  • Writing data protection policies
  • Providing training to employees
  • Managing crises, e.g. data breaches
  • Liaising with the ICO
  • Keeping you informed about changes/new requirements so you can maintain compliance

Prices start at £795 per month depending on the complexity of your organisation, the sensitivity of your data, the volume of records held and your current compliance.

This includes a monthly meeting and ad hoc calls and emails, as required.

There’s a minimum contract term of six months.

You can appoint a member of your staff as a DPO. This cannot be a member of management nor a member of your IT department, yet needs to be someone who is extremely trustworthy, robust enough to drive compliance and interested in the subject.  Please note that an in-house DPO will enjoy special protection against dismissal.

Don’t worry if you need a Virtual DPO in a hurry. After an initial call, we’ll design a package to suit your needs and send you a contract to sign. Within 24 hours of receiving your signed documentation, we can start to act as your Virtual DPO.

As your business grows, you may find yourself needing a full-time DPO. If so, we’ll happily provide any training they may need, including a full handover and any support to help them through the transition period. Our GDPR Critical Friend service will provide you with holiday and sickness cover as well as providing your new recruit with access to a second opinion from someone who already has a good understanding of your business. 

Yes, you should contact your nominated DPO. If they are not available, we will brief another of our virtual DPOs so they can provide emergency support.

View our standard support times. Please note, out of hours support can be provided, if required.

Testimonials

Case study