Data Protection advice and support to complement your business

We work with you to deliver practical compliance solutions that are proportionate to your organisation's scale and activities. Our Data Protection engagements typically comprise one or more of the following:

  • A GDPR maturity assessment or gap analysis,
  • Identification of the key factors that may pose a risk to your organisation,
  • Informed advice and recommended solutions,
  • Policy and process review,
  • Contractual review of suppliers,
  • Training,
  • Critical event support: access requests, litigation, breaches, representation before the DPC,
  • Outsourced DPO services.

first will be pleased to provide the appropriate level of support to suit the needs of your business.

Data Protection – Review and gap analysis

If you process personal data and believe that your policies, processes, practices or documentation may need improvement to comply with the GDPR or other data protection law, a gap analysis is an essential first step.

We take the complexity out of these changes by providing a fixed-price gap analysis of your business and identifying the actions you need to take to become and stay compliant and to manage the associated risks. Drawing on extensive business, regulatory and data protection expertise, we use a risk-based approach to identify the key areas that may expose you to harm.

We analyse organisations in the context of their scale and nature, and changes are often less cumbersome than our clients initially expect.

Reviews are carried out by an Institute of Banking Certified Data Protection Officer and include:

  • Site visit, to understand your business and the individual factors that may expose you to GDPR-related risk,
  • A detailed review of current documentation,
  • Identification of compliance and risk mitigation actions,
  • A written report detailing recommendations.

Contact us now and we will provide you with a cost-effective* review package.

*Prices will vary subject to the nature, scale and location of your organisation

First Compliance can take you through a process to protect your business against unnecessary liability. We also provide:

  • Supplier contract reviews,
  • Advisory and support services to complement your team,
  • Ongoing policy, contract and process review,
  • Critical event management – litigation, breaches, access requests,
  • Outsourced Data Protection Officer services.

Outsourced Data Protection Officer service

There are many approaches to the provision of data protection oversight in an organisation. A smaller organisation may simply need a Data Protection Representative; others are mandated to appoint a Data Protection Officer (DPO); some appoint a DPO voluntarily; and businesses established outside the EU that process EU residents' data may require an EU representative. Outsourcing these positions avoids the challenge and cost of recruiting a full-time DPO or representative.

We bring a depth of data protection and business experience to these roles. We will work closely with your management team to provide advice on GDPR-related events and oversight of your compliance process. Your outsourced DPO or representative will get to know your business and provide the advice and support needed to protect your organisation from unnecessary harm.

We will always commence an engagement by discussing your requirement with you to understand how we can complement your current resource and provide a level of support that is right for your organisation.

Access Requests & Breaches

Access requests and breaches are the events most likely to trigger a liability for a controller. There are two key things a controller needs to be conscious of:

  • Timing: these events have strict statutory timelines, and a missed timeline is itself a compliance breach.
  • Structured process: there are established procedures and norms for handling these events; be prepared.

Access request from a data subject: this is typically the first touch point from staff or customers on the way to a legal action. You have one month to respond (extendable by a further two months where requests are complex or numerous, provided you tell the subject within the first month), and you need to follow the process tightly so that the subject's legal advisors cannot use a procedural failure against you. There is also much over-analysis of the data that needs to be provided: it is the personal data of the subject (not work data generally; this has been established in the courts), and there are other exemptions and restrictions to consider. If in doubt, take advice early in the process.

Access request from a state authority: this form of access is by its nature part of an investigation of unlawful activity or a criminal offence. Ensure that the authority's basis for obtaining personal data from you is lawful, to avoid the evidence being ruled inadmissible in court or a liability arising on your side. Be conscious that the person who provides the data may be required to attend court as a material witness. Be prepared.

Data breach: the key to managing breaches is to get the timing right. You have 72 hours from becoming aware of the breach to report it to the Data Protection Commission (DPC), unless the breach is unlikely to result in a risk to individuals. A risk assessment will dictate whether a report is necessary, and whether the data subjects need to be informed and advised by you. Act quickly; waiting until the next day is losing valuable time.

first is available to help you when you need expert support with Access Requests or Data Breaches.

GDPR Maturity Assessment & Delivering a Plan

We take you through a pragmatic process to identify the areas that need attention. Our process will accelerate your pace of change, minimise risk to your organisation and enable you to demonstrate compliance. We assess:

  • Where your exposures under the GDPR lie and what the likely consequences are,
  • What actions need to be taken,
  • What processes, policies and technology need to be updated to deliver an enduring compliance process.

first will take you through a structured process to deliver:

  • A GDPR Maturity Summary with high level analysis
  • A roadmap for your organisation
  • Guidance on your requirement for an Impact Assessment
  • Key recommendations

This is an essential level of analysis for any organisation that processes personal data. You will find our consultation process informative and we will provide you with the support you need to manage your data protection obligations with confidence.

Data Protection Impact Assessment DPIA

The completion of a DPIA is mandatory for organisations whose processing of personal data meets certain conditions. It is required where:

  • Considering the nature, scope, context and purposes of the processing, it is likely to result in a high risk to the rights and freedoms of data subjects,
  • There is systematic and extensive evaluation of personal aspects (profiling) based on automated processing, on which decisions with legal or similarly significant effects are based,
  • Special categories of personal data, or data relating to criminal convictions and offences, are processed on a large scale,
  • Publicly accessible areas are systematically monitored on a large scale,
  • Your kind of processing is on the list published by the DPC.

A DPIA must be completed before the processing of personal data begins.

Not all organisations are the same, and where the requirement to perform a DPIA is not readily apparent, the correct course of action needs careful consideration. Carrying out a DPIA provides the business with a roadmap for compliance, but it may delay the rollout of a process. Additionally, if the residual risk remains high and a prior consultation with the DPC is required, the timeline can be pushed out by many months.

The DPIA itself is a structured process where we engage with the parties involved and provide a description of the process, an analysis, a risk assessment and a recommended review process. This will provide a roadmap for compliance.

first can advise on your options, how to minimise your exposure to risk, and provide you with a DPIA to comply with your obligations in this regard.


Managing Data Protection Breaches

Data breaches are the most common form of violation a business is likely to face under data protection regulation.

Time is of the essence
How an organisation reacts in terms of risk mitigation actions, regulatory reporting and from a PR perspective is likely to define the impact of this event. Good planning for this form of event will serve the organisation well.

If an event gives rise to a risk of unauthorised disclosure, loss, destruction or alteration of personal data, the organisation needs to react. It needs to consider informing the data subjects, the DPC and other relevant authorities in order to minimise the potential damage to the data subjects.

The data controller is obliged to notify the DPC of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The initial notification need not contain the full detail; the information can be provided in phases. Data subjects must be informed where the breach is likely to result in a high risk to them, or where the DPC requires it. This is a minimum bar, and each incident needs to be considered individually.

GDPR – Administrative fine matrix

Fine level (whichever is higher) | Infringement
Up to €10m, or up to 2% of total worldwide annual turnover for the preceding financial year | Infringement of the obligations of the controller or processor: record keeping, breach notification, controller/processor rules, etc.
Up to €20m, or up to 4% of total worldwide annual turnover for the preceding financial year | Infringement of the basic principles of processing, data subjects' rights, international transfer rules or Member State law, or non-compliance with an order of the DPC

Important: the GDPR imposes mandatory and detailed reporting of breaches within 72 hours. This is likely to put facts on the record before the full picture is uncovered, so the initial report should state clearly what is and is not yet known.

first can implement a structured process to manage unauthorised activity relating to personal data, and provide you with advice and guidance to manage an event effectively.