Demonstrating that data privacy is important to your organisation starts at the top. Through executive briefings, comprehensive compliance reports. CLF Consulting can help you understand the impacts on your business and recommend how data privacy should be managed on a day-to-day basis.

If you’re reading this and the worst has already happened; call us on [tel] to discuss how we can help you manage your current situation, as well as giving you advice and liaise with Regulatory bodies about their breach notification.

We spend time getting to know your business, any high-risk areas, operational restrictions etc. We then discuss and plan a programme of training to suit your operational and budgetary requirements.

Benefits of bespoke training:

• Include reference to organisation specific policies and procedures
• Subject and/or Function specific e.g. HR, Procurement, Requests for data
• Tailor-made to reflect needs of the business (time as well as topic)
• Regulatory expectation
• Develop CBT (Computer Based Training) which can be either stand alone or integrated into your LMS (Learning Management System)
• 1-2-1 training with DPOs and employees with compliance specific roles and responsibilities

Under the new EU General Data Protection Regulation, Public Authorities and companies who process large volumes of personal data and/or process special categories of personal data must have a designated Data Protection Officer. The DPO must be adequately qualified, in particular an expert knowledge of data protection law and practice.

In most businesses data protection administrative responsibilities are delegated to capable employees. Sometimes these are qualified data privacy professionals, but predominantly not. As a business you must ensure that the support, tools and budgets are available to them in order to carry out this role effectively.

It is also important to note that even when DPO responsibilities have been delegated, the overall responsibility of data protection compliance stills remains with Senior Management.

From experience, the DPO role can be very isolated and often challenging. Especially when:

• business decisions, which effect data protection obligations, are not influenced by the delegated individual, or
• you haven’t had this particular query before, or
• it has been several months since you last dealt with a request for information, or
• your full-time role does not give you the freedom to fulfil your data protection role adequately.

Our mentoring service, with your commitment, enables us to work alongside that individual and equip and prepare them to carry out the basic administrative tasks; helping to affirm them and give them confidence in the subject.

Following discussions with you about your business, your data protection obligations and the nominated individual – we would prepare a mentoring package that we believe is suitable for your business.

To book a mentoring session or discuss our DPO Mentoring programme please call 07793600650 or email us on clairefisher@cflconsulting.co.uk.

Following an initial meeting to understand your needs, and a possible compliance assessment, CLF Consulting provides your business with a summary of compliance activities suitable to your business and agree which we will carry out on a sub-contract basis.

Under the new EU General Data Protection Regulation, Public Authorities and companies who process large volumes of personal data and/or process special categories of personal data must have a designated Data Protection Officer. The DPO must be adequately qualified, in particular an expert knowledge of data protection law and practice.

DPO services may include all or some of the following, all of which CLF Consulting can support you with:

• Act as the organisations DPO (under contractual terms of the General Data Protection Regulation)
• Compliment or support designated DPO to deliver on specific programmes (short or long term)
• Regulatory administration
• Processing requests for personal data
• Induction and on-going training
• Liaising with the Regulatory body(ies) in the event of a breach
• Policy & Procedure review and/or writing
• Advice and guidance on specific issues, risks or concerns
• Third Party Processing selection and contractual guidance
• DPO training and mentoring

CLF Consulting works with organisations to help them protect the privacy of their data. These services typically include:

• Working on policies; assessing 3rd parties; exec-level reviews/advice, advisory; liaising with Regulatory Bodies; breach management strategies and/or management
• Compliance health checks (PIA)
• Procedure and policy review and/or writing
• Advice and Guidance on specific issues, risks or concerns
• Assist with selection and contractual requirements when engaging with 3rd Party Service Providers
• Processing requests for access to personal data
• Advice and liaise with Regulatory bodies in the event of a breach notification
• Provide training and awareness programmes
• Act as a Data Protection Officer (DPO)
• DPO mentoring and support services

Executive Presentations

Understand what the law says and your organisation’s responsibilities towards data privacy and protection. Executive Presentations are an ideal start to your company’s commitment to Data Protection as they give board members an overview of the legislation, how this impacts organisations and directors’ responsibilities to manage and minimise the risks.

Many companies also benefit from further presentations after Privacy Impact Assessments as well as understanding the implications and remedial action required following a data privacy breach notification.

Health Checks / Privacy Impact Assessments (PIAs)

Most businesses are not aware of the volume of personal data they are processing or the risks associated with it.
PIAs are a useful tool to help organisations to view their processing practices in full and properly consider and address their privacy risks. It is also a great way to recognise good practice. These practices can often be duplicated throughout a business allowing consistency in policy and process models.

When carrying out a PIA we spend time on-site getting to know your business, talking with employees and reviewing your current policies and procedures. A report is then produced identifying key risks, the potential costs of these risks to your business and recommendations to mitigate them. We will continue to work with you, where you choose, to implement any necessary changes.

Following an initial PIA it is recommended that these be carried out on an annual basis to ensure that good practices are being maintained and there are no new risks within the business. This is also a requirement of the new EU General Data Protection Regulation. On-going support can also be factored in to your risk strategy/solutions should you require it.

PIAs can be carried out for full or parts of your business operations and we also offer Executive Briefings to present the findings to your management team.

Consultancy

Experience has taught us that the best data protection practices take into account the people and processes within an organisation. Data Protection is a confusing subject and if misinterpreted or ignored can lead to financial as well as operational penalties. In some cases, this could attract fines of up to 4% of turnover or €20m.

Our consultancy services provide you with a practical way to manage your risks, whether that is on a short or long-term basis. These include:

• Compliance audits
• Procedure and policy review and/or writing
• Advice and guidance on specific issues, risks or concerns
• Assistance with selection and contractual requirements when engaging with 3rd Party Service Providers
• Processing requests for access to personal data
• Advice and liaise with Regulatory Bodies in the event of a breach notification
• Provide training and awareness programmes
• Act as a Data Protection Officer (DPO)
• DPO mentoring and support services

Subject access is one of the main rights of the Data Protection Act. It gives people the right to access any personal information you have about them. This is not just within HR but all systems; manual and electronic and does include email. Access requests may also be received from third parties but whom can you legitimately release this information to?

What is a Subject Access Request (SAR)?
Who should process a SAR?
What information should be released?
What information should not be released?
Timeframes for disclosure
Audit trail and record retention

As an employer, you have responsibilities to ensure your employees’ personal details are respected and properly protected.
What the Data Protection Act means to an employer
Recruitment and selection
Employment records
Monitoring at work
Information about workers’ health
Outsourcing
What rights do workers have?

This course is designed to break down the barriers between legislation and good business practices. We will go back to basics, looking at the history of the Act, what is expected of you, how the pending changes to the Act may influence processing practices and also give you some practical ideas and solutions to maintaining compliance within your business.