This is an internal audit of the organisation to validate that your data protection programme and practices are in line with the requirements of the GDPR, other data protection legislation and, where appropriate, industry best practice. The audit pinpoints any areas of non-conformity (e.g. areas of greatest risk, weaknesses, etc.) but equally records findings of good practice and puts forward recommendations for the improvements needed to achieve compliance with regulatory obligations.
This consists of an assessment of your organisation’s privacy management and data protection practices, covering the maturity of its accountability framework, board-level involvement and the culture of privacy risk management at the organisation. An assessment is made of the organisation’s compliance with the data processing principles for processing personal data; the requirements for controllers and processors; the appropriate technical and organisational measures that have been implemented and/or are operational within the organisation; and cross-border data flows. This takes place through an on-site visit at your organisation's registered offices.
A review is undertaken of all Appropriate Policy Documents (APDs) that are in place at the organisation. An assessment is made as to whether the organisation processes any special category data for the purposes of social security, employment relationships or other relevant requirements and, where it does, any APD in place is reviewed against the requirements of the Data Protection Act 2004 (Gib) or DPA 2018 (UK) and any other privacy laws that apply in a domestic context.
Any APD the organisation has in place is reviewed to determine whether it explains how the organisation secures its compliance with the data protection principles of the GDPR, the organisation’s policies for the retention and deletion of personal data, and how the APD itself will be reviewed and updated.
This is a process designed to help an organisation systematically analyse, identify and minimise the data protection risk of a process, system, project or plan before the processing of personal data begins. It helps organisations to assess, and demonstrate, how they comply with their data protection responsibilities for those processing activities that are likely to result in a high risk to the rights and fundamental freedoms of individuals.
This forms part of the new requirement for greater accountability from organisations and for being able to demonstrate that the organisation complies with the GDPR. It is a fundamental element of data protection by design: the organisation takes appropriate measures to implement it and links those measures to its change management processes, reflecting the more risk-based approach to data protection obligations under the GDPR.
Are you in control of your data? For all major processes that handle personal data, an organisation must understand the data items, formats, transfer methods and locations of personal data (where does the data come from, how is it processed, where is it transmitted and how, and where is it processed/stored) and conduct an assessment for the most important processes. This part of the project also helps confirm scope: if key processes stretch beyond the previously identified scope, the scope is revisited. It also flushes out issues around the identification of controller-processor relationships.
Assess the organisation’s handling of data subject rights and associated requests.
This is distinct from a Freedom of Information (FOI) request, which concerns public access to information held by public authorities. Individuals seeking access to their own personal data should do so through a subject access request. In particular, we provide support in facilitating specific queries relating to complex requests. Further details are provided at initial scope of work meetings and discussions with clients.
The GDPR requires all public authorities in the EU and private organisations alike to appoint a DPO to help with the organisation's data protection compliance. Though the Regulation does not require such an appointment in every circumstance, it is highly recommended as a matter of best practice and to demonstrate compliance.
At W & H, we understand how to implement and manage data protection programmes and have expertise in national and European data protection legislation, including the GDPR. We aim to understand your organisation’s technical and governance structures and, in the case of a public body or authority, its administrative rules and procedures, and we are familiar with information technologies and data security. The more complex or high-risk your data processing activities, the greater the expertise your organisation will need. We provide an external, independent DPO support service to organisations.
There are multiple forms of risk that organisations must assess and manage; for instance, privacy risk (risk to individuals that has the potential for damage or distress), financial risk, GDPR risk (the reputational impact of a data breach), strategic risk and so on. Data protection/privacy risk should be included in the organisation’s risk management framework and recorded on your organisation's corporate risk register. W & H can assist your organisation in putting this key documentation and these logs in place.
We assess the state of your GDPR documentation in relation to privacy, reviewing privacy notices, DSAR documentation, records of processing, etc. We therefore ask to see copies of any core data protection documentation you may have (e.g. data protection policy, privacy policy, fair processing notices, subject access request records) as part of a review of your organisation's record keeping, documentation and logging requirements. Further details are provided at initial scope of work meetings and discussions with clients.
We assess the maturity of the organisation’s security management and security posture: which security frameworks are in place, how management assurance works in relation to information security, which aspects of ISO 27001 are in place, and what controls exist and how they are linked to privacy.
Further details are provided at initial scope of work meetings and discussions with clients.
If the organisation is based in the UK or Gibraltar and does not have a branch, office or other establishment in any other EU or EEA state, but either offers goods or services to individuals in the EEA or monitors the behaviour of individuals in the EEA, then the organisation will still need to comply with the EU GDPR in respect of this processing even after Brexit.
As you will not have a base inside the EEA after the exit date, the EU GDPR requires the organisation to appoint a representative in the EEA. This representative will need to be established in an EU or EEA state where some of the individuals whose personal data you are processing are located, and will act as your organisation's direct contact for data subjects and for EU and EEA supervisory authorities.
An organisation does not need to appoint a representative if either it is a public authority, or its processing is only occasional, is low risk to the data protection rights of individuals and does not involve the large-scale use of special category or criminal offence data.
We provide online/virtual, classroom (public) and in-house training to organisations and individuals across a wide range of data protection topics. For further information and to discuss your training requirements, please contact us via email at information@westfieldherent.com.
Westfield & Herent
The WorkLab WestOne, Eurotower Complex Europort Road Gibraltar GX11 1AA
T: +350 540-61992 (Gibraltar) T: +44 (0) 7404 3620
Copyright © 2021 Westfield&Herent - All Rights Reserved.