Kate offers data protection training and data protection compliance audit services which are tailored to the needs of the charity. They can be adapted for any type of charity (or not-for-profit organisation).

Please contact us to arrange a discussion.

Training

Kate can provide training in all areas of information law, particularly the GDPR, the Data Protection Act and the Privacy and Electronic Communications Regulations. She is also familiar with the Fundraising Code issued by the Fundraising Regulator.

All manner of training is available and can be tailored to trustees, the data protection compliance lead, HR, office staff, volunteers or whoever else needs it.

Training is usually delivered on the client’s premises.

Kate Grimley Evans

Managing Director

Examples of the type of training available:

Next steps in GDPR compliance


Format: Presentation followed by discussion

Target audience: Board

Content: The GDPR accountability principle and its implications are often not well understood, and it is frequently highlighted as an area of weakness in ICO audit reports. This training explains the principle and what is required in order to comply with it.

Time allocation: 1.5 to 2 hours

Basic Data Protection training


Format: As agreed, either seminar or lecture format depending on the number of attendees.

Target audience: General office staff who do not have direct responsibilities for data protection but still have regular access to the personal data of staff, donors and beneficiaries.

Content: Much of the commercially available training gives little insight into how data protection law works or where the main areas of risk are, and it is rarely tailored to the charity context. This session provides basic practical knowledge with enough contextual information that staff gain a proper understanding of what is important.

A live training session with a real person is much more likely to be remembered than online training.

Time allocation: half a day.

Assistance for the Data Protection Lead


Format: One to one training.

Target audience: The person responsible for data protection compliance whether or not they are a statutory DPO.

Content: This will usually include:

  • reviewing what the Compliance Lead has done so far
  • explaining anything the Compliance Lead is not clear about
  • making suggestions for improvements in compliance.

This session is therefore not just training but also a means of improving compliance.

Time allocation: flexible but at least half a day recommended.

Audit

The GDPR’s ‘accountability principle’ requires organisations to be able to demonstrate their compliance, so regular internal and external auditing of data protection compliance is an expectation.

Audits can be detailed or simply give an overview, as budgets allow, and can be carried out for any type of charity.

Two levels of service are available.

The Basic Audit Package


This is designed as a pragmatic solution for charities which do not have the funds for the full audit package or which would like an interim audit. It is a cost-effective way of identifying issues and therefore improving compliance.

This involves:

  • around 2 to 2.5 hours sitting with the Data Protection Compliance lead (or statutory DPO) to look at what is already in place
  • some further review of documentation, as agreed
  • a detailed report with recommendations, which can be presented to the audit and compliance committee or the full Board meeting as required.

Note that this does not include a review of IT security, which we consider requires particular IT expertise. It will, however, flag IT issues which may be problematic where they fall within our knowledge and expertise.

The Full Audit Package


The full audit is always a bespoke offering, agreed following discussion with the Data Protection Compliance lead or statutory DPO. Charities with multiple sites are likely to benefit from us visiting more than one site to see how well the stipulated data protection practices are implemented in practice. A typical full audit would include:

  • a meeting with the Compliance lead or DPO to discuss the GDPR implementation to date
  • a series of interviews with staff or volunteers, individually or in groups, across as many sites as agreed
  • document review to the level agreed
  • a full detailed report with recommendations, which can be presented to the audit and compliance committee or the full Board meeting as required. Typically, we would attend the meeting to present our findings and answer any questions arising.

As with the basic package, this does not include a review of IT security, which we consider requires particular IT expertise. It will, however, flag IT issues which may be problematic where they fall within our knowledge and expertise.