Data Protection Officer as a Service

For Relate Federated Centres

Service overview

Black Penny have constructed the Data Protection Officer (DPO) as a Service model around a proactive and reactive approach. With the operations of the Relate Federated Centres in mind, Black Penny can offer a commercially viable service that benefits from economies of scale with the continuity of a Data Protection Officer service.

As part of an annual subscription service, the Centre will be assigned a dedicated DPO who will serve as an independent data protection expert as set out in UK Data Privacy Legislation.

Black Penny have modelled the service to include a reactive response for both data breach incidents and Data Subject Rights Requests alongside proactive governance for legislation updates, awareness and UK Data Privacy Legislation alignment activities.

Benefits of an outsourced Data Protection Support Service

  • Cost effective way to procure a Data Protection Officer
  • Access to independent expertise and advice with cross sector experience and in depth Relate knowledge
  • No conflict of interest between the Data Protection Officer and the organisation
  • Best practice guidance aligned to UK Data Privacy Legislation
Service Inclusion
Data breach response management
Data Subject Rights/Information Request advice
Data privacy complaints management
Data Protection Impact Assessment assistance
Data privacy general queries
Quarterly data privacy webinars
Relate Data Protection Toolkit guidance
The Compliance Space
Total£500 per month*

* Each contract will be for a minimum of 12 months to allow Black Penny to resource appropriately and offer the economies of scale that will benefit the Centre. The service is modelled and priced for a half day (4 hours) of consulting per month. Any requirement for excess days will be agreed in advance.

Data breach responseThe Data Privacy Legislation introduces a duty on all organisations to report certain types of personal data breaches to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible. As a result, the service will guarantee a 12-hour response to assist with any breaches and act as the conduit between the Centre and the ICO or any data subjects.• Development of Breach Response Processes.
• Service modelled on 4 serious breaches annually, each being 3 days, a total of 12 days for breach.
• Breaches will be responded to onsite or remotely.
• All breaches will be captured by the DPO in an agreed Data Breach Register, ideally https://www.thecompliancespace.com.
12-hour response is acknowledgement of a serious breach & initial triage call.
• Breach reports will be from the nominated individual within the Centre.
• DPO acts as conduit with the ICO and data subjects affected, if applicable.
Data Subject Rights or disclosure request adviceThe Data Privacy Legislation introduces a duty on all organisations to respond to all Data Subject Rights Requests (DSRR). A DSRR can be made by any individual if they are able to prove their identity and provide detail of what they are requesting, such as access to their personal data. You must respond to all DSRR’s within 1 calendar month of receipt. In the event that the DSRR is complex or excessive this may be extended by a further 2 months. As a result, the service will guarantee a 24-hour response to assist with DSRR’s, including how to run the process, how to engage with the data subject and how to respond. The service does not include the review of personal data or redaction of that data, so that the DPO remain impartial. • Development of DSRR Response Processes.
• 24-hour response is acknowledgement of complex DSRR or minor breach & initial triage call.
• DSRR’s will be from the nominated individual within the Centre.
• DPO will inform the Centre on the best course of action for the DSRR but will not complete the discovery exercise or redaction process.
Data Protection Impact Assessment assistanceThe Data Protection Impact Assessment (DPIA) is a tool designed to assess risk in any new or changing data processing activities. It also includes a thorough review of any new or changed data systems or third parties, that may process personal data.
The DPO will work closely with project leads and key stakeholders within the Centre to complete a DPIA. This will include an assessment of any risks associated with the project and providing suggested mitigations.
• Development of DPIA Processes.
• The DPIA request will be from the nominated individual within the Centre.
• DPO will assist with the completion of the DPIA, including suggested mitigations to any identified risks. This will require the input of key stakeholders from the Centre.
Data privacy general queriesBlack Penny recognise that data privacy is a wide discipline. The service has been modelled to include a response to general data privacy queries that originate from the Centre.
The DPO will have expert knowledge of the UK GDPR and Data Protection Act 2018 and how these laws apply to Centres.
Black Penny have been working with Relate National, as the named DPO for many years and, as such have amassed a wealth of knowledge for the common data privacy queries and concerns.
• Direct contact with the DPO.
Quarterly data privacy webinarsBlack Penny believes that the best way to work in accordance with good data privacy practices, is via knowledge sharing.
The service includes a quarterly webinar for all subscribed Centre’s. The webinars will vary but will commonly include:
• Data privacy training.
• Legislation updates
• Topical taking heads, such as data sharing, information requests and good notes practices.
• 1 webinar per 3 months.
• Invite will be open to any subscribed Centres and their employees.
• Sessions may include question and answer, the DPO will set the agenda in advance.
• Webinars will be provided using the Zoom.
Relate Data Protection Toolkit guidanceRelate National have developed a Data Protection Toolkit, that is available to all Centres via Relate Source. The toolkit includes a step by step guide on how to align to data privacy legislation, with out of the box templates for data privacy policies and processes.• The DPO will provide guided sessions directly with the Centre's named individual and walk the toolkit through.
The Compliance SpaceAs part of the service the Centre will receive access to and training on The Compliance Space.
Visit https://www.thecompliancespace.com for further details
• Training and best practice guidance for the online service framework, tools and processes.

Register your interest

To register your interest for Black Penny Data Protection Officer as a Service please complete the form below and we will be in touch for next steps.

    This detail will be used to contact you to inform you of the service next steps and invite you to complete your subscription. Your details will not be shared with any third parties and will be deleted after 2 attempts to contact you to subscribe for the service.