Jan20052 Distinguished Data Protection Services Founded in 2017 by Rob Masson, The DPO Centre is the UK’s leading independent data protection resource centre. With a large team of fully employed data protection officers, or DPOs, located across the country, the firm offers services such as outsourcing those DPOs, GDPR representation, and a full range of consultancy services to clients across a wide range of sectors. In the years since the company’s inception, it has worked with more than three hundred clients ranging from small primary schools, right through to large multinational organisations and leading charities, such as the NSPCC. To begin, Rob Masson, provided us with some insight into how the business has developed, what the future of data protection is, and why The DPO Centre was awarded the title of the UK’s Most Trusted Data Protection Consultancy. CV: Firstly, thank you for speaking with Corporate Vision about The DPO Centre’s recent success. When and why did you set up The DPO Centre? RM : I first considered setting up The DPO Centre during 2016, well before the GDPR actually came into force. I’d set up and run several technology and eCommerce companies previously, so was acutely aware of the increasing focus on privacy and how important it is to protect people’s personal information. At the time, everyone was beginning to talk about the GDPR and how it was going to impact their organisation, but few organisations had a clear idea of exactly what it would mean. It was clear that businesses had real needs both in understanding how the new legislation affected them, and how the much wider mandated requirement to appoint a DPO was going to be resourced. CV: What services does The DPO Centre offer to its clients? RM : Broadly speaking, our services falls into three main areas – Providing ongoing outsourced data protection officers ‘as-a-service’, Article 27 GDPR representation for organisations that don’t have an EU presence, and then project-based consultancy work and interim support. Firstly, providing outsourced DPOs is at the core of our business. We employ what is probably the UK’s largest independent team of experienced DPOs. They work on a client’s site as an integral member of their team for anything from 1 to 8 days each month, depending on the client’s need. They fulfil all the statutory requirements of the GDPR, by representing the needs of their data subjects and providing ongoing expert advice, support, and training as required. Each new client undergoes a structured onboarding process, which involves reviewing their current data flows, policies, processes, and procedures for data protection, before creating a roadmap for any necessary changes. Under the GDPR, organisations based outside of the UK or the EU who are processing the personal data of UK or EU residents must nominate a representative based within the relevant territory. The representative acts as the main point of contact for data subjects and the regulatory authorities within their member state. The DPO Centre provides the services of an EU representative for many organisations, including SaaS platform providers, app and game developers, market research organisations, and many therapeutics and life science organisations conducting clinical trials. After the Brexit transition period has expired, the expectation currently is that separate representation will be required within the UK and the EU, so our UK representative services are delivered through our London office, and our EU services through our Dublin office. Finally, consultancy projects vary widely, but generally we help organisations to understand their data and the steps they need to take to comply. Invariably, this will involve mapping the company’s personal data flows, compiling an information asset register, understanding how, why, and where the data is processed, and the justification (lawful basis) for the processing. We can then assess the impact of the legislation by identifying gaps between existing practices and full compliance, and defining what needs to be done to become compliant. Other consultancy services include policy drafting and reviews, data protection training for staff, preparing organisations for data protection audits, due diligence for M&A work and other one-off projects to evaluate new processes and designs. CV: Who does The DPO Centre primarily work with? RM : We’ve worked with well over 300 clients over the past two years from a wide variety of sectors. These include organisations processing high volumes of data such as software and technology and finance and insurance companies, large retailers, eCommerce, and media businesses. We’ve developed a real expertise in the medical and healthcare sector where there is extensive additional legislation and large quantities of sensitive personal data that often needs to be shared between different agencies. Because all public bodies are required to appoint a DPO, we work a lot in with schools and colleges, and we also work with local and national charities and particularly those protecting or working with vulnerable people. CV: Why do organisations choose to outsource their data protection? RM : Organisations outsource for a variety of reasons. First and foremost, outsourcing takes the headache out of recruitment. Data protection specialists with industry knowledge are hard to find and retain, and often the role doesn’t need to be full or even part time, so outsourcing is very cost effective. It also means the DPO is independent from the client’s team and therefore, as required by the regulation, not conflicted with other internal roles they may perform. Our processes and procedures are continuously updated as the industry changes and our clients benefit from the knowledge of our entire team rather than just that of a single individual. Should a DPO be unavailable, we also provide back up support both from a secondary DPO and our email and telephone advice line. But, by working on site at our client’s offices as an integral member of their team, the DPO becomes immersed in the organisation’s culture so can take a proactive, rather than reactive approach. The DPO’s activities are managed by our With the increasing shift towards an ever more digital society and the rapid recognition of data as a truly valuable resource, the need for data protection has never been more prevalent. Corporate Vision recognises both this fact, and the work of The DPO Centre as the Most Trusted Data Protection Consultancy, 2020 – UK. We had the privilege of speaking with the firm’s founder, Rob Masson, to learn more about this increasingly vital work.