DPA 2018 Compliance

Skills, experience, framework, processes & documentation required to ensure cost-effective compliance


The United Kingdom (UK) Data Protection Act 2018 establishes a minimum baseline for organisations to protect the personal data they process and gives legal rights to the individuals that data is about. It sets standards for protecting personal data in line with the European Union’s General Data Protection Regulation (GDPR), giving people more control over how their data is used.

The DPA 2018 applies to Personal Data and Special Category Data (previously referred to as Sensitive Personal Data) and establishes the rules all UK organisations must follow when processing, storing and transmitting this information.

The legislation establishes objectives for ensuring that personal data is collected and used fairly and lawfully; is relevant and used only for the purpose for which it was collected; is kept accurate and up to date; is retained only for as long as it is needed; and is not transferred outside of the EEA unless the destination country provides an adequate level of data protection. Above all, businesses must provide an appropriate level of security to protect this data.

Compliance with this legislation is mandatory, but it can be difficult, as the DPA 2018 does not prescribe specific controls or even a general level of security for businesses to implement. Your business needs to design a framework that protects the data in proportion to its sensitivity.

Risk Crew’s DPA 2018 Service provides the skills, framework and deliverables your business needs to comply with this critical legislation.

DPA 2018 Compliance Services - Features and Components

Risk Crew can help your organisation achieve and maintain DPA 2018 compliance through one or more of our four bespoke, cost-effective services:

DPA Discover Service

In order to help your organisation get started in complying with the DPA 2018 legislation, our Discover service provides the following deliverables:

  • DPA 2018 Compliance Gap Assessment: Risk Crew will assess your current data protection operations, policies, processes and controls against the requirements of the legislation to identify the current compliance “gap” and then generate a comprehensive report of our findings and recommendations to close that gap.
  • Compliance Activities Roadmap: Findings will include a detailed list of actions required for your organisation’s full compliance in a project plan format of your choice. The roadmap will cite specific actions required for compliance, proposed action owners, target completion dates and estimated budgets required.
  • Stakeholder Workshop: Upon completion, Risk Crew will conduct a half-day workshop for key business stakeholders to ensure their understanding of the remedial actions needed for compliance and the estimated resources and timeline required.

This service results in a solid understanding of the law and what’s required from your business to comply.

DPA Assist Service

Need some more help? Our Assist service offers all deliverables from our Discover service plus the following:

  • Identify, Locate and Classify Information Assets: Risk Crew will review your business model and interview your key business stakeholders to identify, locate and value the sensitive information assets processed, stored and transmitted by your organisation.
  • Create Data Classification and Marking Schemes: Once these information assets are identified, we will create suitable classification and marking schemes to ensure appropriate handling and security controls are applied and Data Protection compliance requirements are met.
  • Data Flow Diagrams: All information assets will then be documented, with data flow diagrams, citing their sensitivity level, value, owner and location in information technology systems. This documentation provides the asset inventory on which risk management is based.
  • Template DPA Documentation for Customisation: Risk Crew will then provide a set of template DPA documentation, including draft policies, privacy statements, data processor agreements, privacy by design policy, privacy by default policy, data retention plan, security requirements and controls, breach notification procedures, and subject access request and privacy impact assessment forms, for the organisation to customise to its business processes and risk objectives.
  • Mock Audit to Ensure Readiness: When you are ready, Risk Crew will conduct a mock audit to confirm that you have correctly implemented the recommended remedial actions and that your DPA policies and procedures produce the evidence needed to demonstrate compliance with the law.

This service provides the framework essential for compliance and is ideal for organisations that have operational resources but lack in-house data protection expertise. The outcome serves as the foundation for an effective data protection programme; completing your compliance requirements then depends on implementing the remedial actions, customising the policies, implementing the controls and educating your users.

DPA Implement Service

Need the full belt and braces? Our Implement service offers all the deliverables from both our Discover and Assist services outlined above in addition to the following:

  • Customised Data Protection Documentation for the Business: Risk Crew will create a fit-for-purpose DPA set of documentation for the organisation to implement.
  • Control Recommendations: Risk Crew will also recommend cost-effective security controls where required to ensure DPA security policy implementation and compliance. Control recommendations include control objectives, control configuration (if required), control evidence and control testing procedures.
  • Data Protection Security Awareness Training Programme: Risk Crew will provide computer-based data protection security awareness training to your staff to ensure their understanding of the cyber security threats to the personal data your business processes, along with staff and management roles and responsibilities for compliance with policies and for incident reporting in accordance with the legislation. Face-to-face workshops with data protection experts are also available in lieu of, or to supplement, this training, depending on your preference.
  • DPA Compliance Workshop with Stakeholders to Ensure Understanding, Roles & Responsibilities: Upon completion of the above, Risk Crew will hold a full-day workshop with your key business stakeholders to ensure their comprehensive understanding of the legislation, its goals and objectives, key performance indicators (KPIs), and the staff roles, responsibilities and ongoing actions required for compliance.

This comprehensive service provides everything you need for your DPA 2018 compliance short of implementing the policies and procuring any controls needed, and is designed for organisations looking for a cost-effective, turn-key solution.

This popular service can be augmented with our DPO On-Demand Service to ensure you have access to a dedicated resource with the skills and experience required for continuous compliance.

DPA Maintain Service

If your organisation is currently DPA 2018 compliant then you know that once you get compliant the challenge is to stay compliant.

Risk Crew can help you meet this challenge with a variety of Support Services, from delivering ongoing requirements such as privacy impact assessments and data processor audits to providing continuous ad-hoc advice and assistance to answer questions, clarify requirements and keep you on course for compliance.

Give us a call and we can discuss and design a solution to meet your specific needs.

Why Choose Risk Crew

Risk Crew are industry leaders in the design, implementation and oversight of data protection programmes.

Our skilled and experienced DPA consultants apply industry-proven information security and risk management methodologies, gap assessments, auditing and data protection and privacy policies to enable you to meet your DPA 2018 or GDPR compliance requirements efficiently.

When you choose Risk Crew, you’re electing to work with qualified experts.

Let Risk Crew create a bespoke solution to ensure your organisation meets DPA 2018 requirements.

Frequently Asked Questions

Is the UK DPA 2018 the same as the EU GDPR?

Almost, but not quite. The DPA 2018 sets out the framework for data protection in the United Kingdom. It replaces the Data Protection Act 1998 and came into force on 25 May 2018, the same day the GDPR began to apply. It aligns with (and is based upon) the GDPR and supplements it, tailoring its application to the UK by adding provisions and exemptions that the GDPR allows member states to set.

What are the penalties for breaking the Data Protection Law?

Under the DPA 2018 the UK Information Commissioner’s Office (ICO) may issue a monetary penalty notice to an organisation that infringes the legislation, for example by failing to adequately protect personal data that is then breached. Penalties can be imposed on data processors as well as on the data controller responsible for the data, and the amount is set according to the nature and seriousness of the infringement, with the highest tier reserved for breaches of the data protection principles and of data subjects’ rights. The ICO can also take other enforcement action, such as issuing enforcement notices requiring an organisation to change how it processes data.

Do all organisations need a DPO?

Appointing a DPO is mandatory under three circumstances:

  1. The organisation is a public authority or body.
  2. The organisation's core activities consist of data processing operations that require regular and systematic monitoring of data subjects on a large scale.
  3. The organisation’s core activities consist of large-scale processing of special categories of data (sensitive data such as personal information on health, religion, race or sexual orientation) and/or personal data relating to criminal convictions and offences.

What is a Data Controller?

A Data Controller is the person (or organisation) that determines the purposes for which, and the means by which, personal data is collected and processed.

What is a Data Processor?

A Data Processor is the person (or organisation) that processes, stores or transmits personal data on behalf of, and on the instructions of, a Data Controller.