GDPR - Governance - Risk - Compliance
Compliance & Data Protection as a Service
Privacy Management Programmes to Support your Organisation
Compliance & Data Protection as a Service
Privacy Management Programmes to Support your Organisation
What We Can Do For Your Organisation
Data Protection Officer As A Service
Whilst not all organisations are required to appoint and register a DPO, they must nominate somebody to be responsible for compliance with UK GDPR. Outsourcing your DPO requirement not only demonstrates a serious commitment to compliance but can be a much more affordable and productive solution. Under Articles 37 to 39 of UK GDPR the DPO is required to be independent and have expertise in data protection law. Using the GRC as your DPO ensures activities are:
- free from internal influence reducing the risk of conflicts of interest
- reduces the burden of compliance on senior managers
- provides confidence that you have an accredited and certified professional in post; and
- reassurance that your DPO is obligated to keep bang up to date with changes to the law and best practice in privacy management with the International Association of Privacy Professionals (IAPP)
Our model means we can tailor a flexible solution to suit the requirements of your individual organsation.
Data Protection Audits
Data protection audits are designed to give you an independent assurance that you're meeting the requirements of the law, where you may be falling short and importantly recommendations to remediate or improve. If audits are incorporated as part of your privacy management programme, they can become far less onerous. We can supply a one off audit or incorporate into the DPO as a Service contract
DPO Support Helpline
The helpline is included as standard part of our DPO as a Service. It can also be provided as a stand-a-lone service. A small monthly retainer provides comfort to senior managers responsible for data protection within an organisation providing access to timely advice and support when you need it most.
UK Representative for GDPR Compliance
Article 27 of UK GDPR requires controllers and processors not established in the UK to designate a representative based in the UK to handle liaison with the ICO and data subjects. We can be retained as that representative to ensure you meet this requirement without adding significant costs to your business.
Training and Awareness
Ensuring staff involved in the processing of personal data receive continuing privacy education (CPE) and development is an important requirement of UK GDPR. Staff are often both your greatest asset and greatest risk in data protection. We can provide a range of training services to suit your organisations bespoke requirements.
General Policies and Governance
We don't just support privacy compliance. We can help organisations with risk assessment and develop good governance procedures and policy implementation. These will help you meet requirements such as anti corruption legislation; the Bribery Act, the Criminal Finance Act and supply chain matters such as modern slavery legislation. Having a demonstrable clean bill of health in terms of compliance can be especially valuable when preparing your business for acquisition.
Our Partners
We have developed strong relationships with commercial lawyers, HR specialists and FCA compliance consultants who can be brought in to provide a 360 degree solution should the scope of work require it.
Recent Breaches and Fines
Halfords Limited
Date: 6 September 2022
Type: Monetary penalties
Sector: Retail and manufacture
The monetary penalty has been issued because on 28 July 2020, a confirmed total of 498,179 unsolicited direct marketing messages were received by subscribers, having been sent by Halfords. These messages contained direct marketing material for which subscribers had not provided valid consent, furthermore the Commissioner is satisfied that Halfords cannot rely on the soft opt-in exemption. The Commissioner received a total of three complaints regarding this campaign.
The monetary penalty notice is for £30,000.
Tuckers Solicitors LLP
Date: 10 March 2022
Type: Monetary penalties
Sector: Legal
The monetary penalty has been issued because of a contravention by Tuckers of Articles 5(l)(f) of the GDPR. The Commissioner finds that, during the period of 25 May 2018 to 25 August 2020 ("the relevant period"), Tuckers failed to process personal data in a manner that ensured appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. .
The monetary penalty notice is for £98,000.
Energy Suite Limited
Date: 20 January 2022
Type: Monetary penalties
Sector: Land or property services
Energy Suite have been fined for making over 1,000 unsolicited direct marketing calls to subscribers who were registered with the TPS and who had not notified Energy Suite that they were willing to receive such calls, and to three complaints being made as a result.
The monetary penalty notice is for £2,000.
Virgin Media Limited
Date: 08 December 2021
Type: Monetary penalties
Sector: Online technology and telecoms
On or around 4 August 2020 there were 451,217 direct marketing emails containing the Marketing Preference Reminder received by subscribers. The Commissioner finds that Virgin Media transmitted those direct marketing messages.
The monetary penalty notice is for £50,000.
Your Home Improvements Ltd
Date: 22 September 2021
Type: Monetary penalties
Sector: Retail and manufacture
Your Home Improvements Ltd have been fined for making 1,718 unsolicited calls for direct marketing purposes to people who were registered with the Telephone Preference Service (TPS). This resulted in 4 complaints being made to the TPS and the Commissioner.
The monetary penalty notice is for £16,000.
We Buy Any Car Limited
Date: 15 September 2021
Type: Monetary penalties
Sector: Retail and manufacture
The ICO has fined We Buy Any Car Limited. It sent 191.4 million marketing emails and 3.6 million marketing SMS messages to individuals without fully satisfying the requirements of the soft opt in, resulting in 42 complaints to the Commissioner, over a period of twelve months.
The monetary penalty notice is for £200,000.
ColourCoat Limited
Date: 23 June 2021
Type: Monetary penalties
Sector: Land or property services
There have been multiple breaches of Regulations 21 and 24 of PECR by ColourCoat Limited arising from its activities over an eight month period and this led to a substantial number of unsolicited direct marketing calls being made. Between 1 August 2019 and 31 March 2020 there were 969,273 connected calls, equating to an average of 121,159 calls per month or 29,372 calls per week. This includes 452,811 connected calls to numbers on the TPS or CTPS Registers, equating to an average of 56,601 calls per month or 13,722 calls per week.
The company was also issued with an enforcement notice
The monetary penalty notice is for £130,000.