DPOaaS
Case Study: Financial Services Firm

An international asset management firm based in Dublin which offers a number of retail and real estate products recently engaged with us for an interim DPO service. They required an interim service to lay the groundwork for an internal hire who was training up for a full time position.

Senior management was very familiar with GDPR requirements and had addressed many of the objectives of the regulations driven largely by efforts from their compliance department and IT security function. However they were concerned about the increasing workload driven by business expansion and the lack of an independent resource to formally handle DPC communications, privacy training, DPIA’s, records and day to day queries.
They were also keen to implement privacy controls in line with a best practice privacy framework like ISO:PIMS or NIST to reduce the risk profile in their organisation which they hoped could be measurable through S.M.A.R.T objectives and KPI’s.

After an initial round of stakeholder introductions and analysis of network & risk documentation, agreements, policies, training and other areas we developed and agreed on a 90 day action plan with a list of risk prioritised tasks and assignments. Of the 35+ tasks identified, we identified 8 high priority tasks which were effected 1st in the plan which included;

1. Registration as a Data Protection Officer with the Data Protection Commission
2. Implementing monthly KPI reports to track DSAR’s, Incidents, privacy risks, project reviews etc
3. Integrating data privacy training materials into LMS and ensuring all employees were scheduled to take it
4. A PIMS certification readiness review would be performed
5. Privacy vulnerabilities which were identified in Azure security center and Qualys were remediated timely
6. A job spec including roles and responsibilities and reporting lines had been established for a full time DPO
7. Data mapping documentation was up to date for the firms data repositories and it’s processors
8. Azure containers, network shares and guest Wi-Fi was appropriately secure to data leakage and verified through scanning

Notable other risks included gaps in policy coverage (e.g. employee remote monitoring, personal data breach reporting), legacy contracts with no DP provisions, outdated encryption methods and software build processes which were bypassing impact assessment reviews.

All these items were completed within successfully within a 5 month period while the other medium and low priority tasks were addressed as well throughout the interim DPO engagement period. The firm has indicated that it is highly likely we will be engaged for further privacy work on an ongoing basis to support for the fulltime DPO who was recently hired. The compliance director who was our POC on the engagment stated

“We were very happy with the work Paul did for us in his role as Data Protection Officer this year. He created a very detailed plan to help us meet GDPR requirements and executed it with professionalism and knowledge which helped us achieve privacy certification and measure our ongoing KPI’s.”