Kate offers data protection training and data protection compliance audit services which are tailored to the needs of the business. They can be adapted for any type of business. Please contact us to arrange a discussion.

Training


Kate can provide training in all areas of information law, particularly the GDPR, Data Protection Act and the Privacy and Electronic Communications Regulations.

All manner of training is available and can be tailored to directors, the data protection compliance lead, HR, office staff or whatever is needed.

Training is usually delivered on the premises of the client business.

Kate Grimley Evans

Managing Director


Examples of the type of training available:

Next steps in GDPR compliance


Format: Presentation followed by discussion

Target audience: board

Content: The GDPR accountability principle and its implications are often not well understood, and it is regularly highlighted as an area of weakness in ICO audit reports. This training explains the principle and what is required in order to comply with it.

Time allocation: 1.5 to 2 hours

Basic Data Protection


Format: as agreed; either seminar or lecture format, depending on the number of attendees.

Target audience: a basic training session suited to general office staff who do not have direct responsibilities for data protection but still have regular access to the personal data of staff and customers.

Content: Much of the commercially available training gives little insight into how data protection law works or where the main areas of risk are. This session provides basic practical knowledge with enough contextual information that staff gain a proper understanding of what is important. A live training session with a real person is much more likely to be remembered than online training.

Time allocation: half a day.

Assistance for the Data Protection Compliance Lead


Format: One to one training.

Target audience: The person responsible for data protection compliance whether or not they are a statutory DPO.

Content: This will usually include:

  • reviewing what the Compliance Lead has done so far
  • explaining anything the Compliance Lead is not clear about
  • making suggestions for improvements in compliance.

Therefore, this session is not just training but also a means to improve compliance.

Time allocation: flexible but at least half a day recommended.

Audit

The GDPR’s ‘accountability principle’ means that regular external and internal auditing of data protection compliance is an expectation.

Audits can be detailed or give only an overview, as budgets allow, and can be carried out for any type of business.

Two levels of service available

The Basic Audit Package


This is designed to be a pragmatic solution for businesses which do not have the funds available for the full audit package or which would like an interim audit. It is a cost-effective way of identifying issues and therefore improving compliance.

This involves:

  • around 2 to 2.5 hours sitting with the Data Protection Compliance Lead (or statutory DPO) to look at what is in place already
  • some further review of documentation, as agreed
  • a detailed report with recommendations, which can be presented to the audit and compliance committee or full Board meeting as required.

Note that this does not include a review of IT security which we consider requires particular IT expertise. It will, however, flag IT issues which may be problematic where they are within our knowledge and expertise.

The Full Audit Package


The full audit is always a bespoke offering, following discussion with the Data Protection Compliance Lead or statutory DPO. A business with multiple sites is likely to benefit from us visiting more than one site to see how well the stipulated data protection practices are implemented. A typical full audit would include:

  • a meeting with the Compliance Lead or DPO to discuss the GDPR implementation to date
  • a series of interviews with staff, individually or in groups, across as many sites as agreed
  • document review to the level agreed
  • a full detailed report with recommendations, which can be presented to the audit and compliance committee or full Board meeting as required. Typically, we would attend the meeting to present our findings and answer any questions arising.

Note that this does not include a review of IT security which we consider requires particular IT expertise. It will, however, flag IT issues which may be problematic where they are within our knowledge and expertise.