In 2018, the world’s trust was shaken. That year, it was revealed that Cambridge Analytica had furtively harvested data left exposed by Facebook. The information of over 87 million individuals was exploited to assemble voter profiles and to target political advertising in the run-up to the 2016 US presidential election and the Brexit referendum. By bombarding individuals with tailored propaganda, particularly those still on the fence, the UK-based political consulting firm played a hand in swaying the ballot in its clients’ favour: Donald Trump being sworn in as the 45th President of the United States, and the British vote to leave the EU.
The algorithm and database have since been likened to a psychological warfare tool, threatening our privacy rights as well as jeopardising the foundations of our democracy. With data overtaking oil as the most valuable resource, the scandal further reinforced the need for data protection laws, including the European General Data Protection Regulation (GDPR), which took effect only a couple of months later.
Unfortunately, reports suggest that many organisations have yet to achieve compliance with GDPR. More than a year after it took effect in May 2018, a study conducted by Egress found that over half of businesses (52%) were not fully compliant with GDPR. British Airways and Marriott International are two of the higher-profile cases of organisations that simply had not implemented adequate safeguards: in 2019 the ICO announced its intention to fine them £183 million and £99 million respectively. GDPR compliance is an involved process that cannot be achieved overnight. Rather, it is an ongoing learning curve that requires time, as well as someone qualified and well-versed to oversee its implementation and long-term compliance as part of the business’s operations. That person is the Data Protection Officer (DPO), and among the many new rules GDPR introduced is a further tightening of the requirements and criteria for this key role.
GDPR (Article 37) makes the appointment of a DPO mandatory in certain scenarios: for public authorities, for organisations whose core activities involve regular and systematic monitoring of data subjects on a large scale, and for those whose core activities involve large-scale processing of special category data or data relating to criminal convictions. Even where none of these applies, most organisations handle significant amounts of personal data and risk their reputation among existing and prospective customers if that data is breached. As such, it remains advisable for any organisation to appoint a DPO. The key point to note is that, whether or not the appointment is mandatory, every DPO must meet the criteria set out in GDPR and in the guidelines on DPOs (WP243, adopted by the Article 29 Working Party and later endorsed by the European Data Protection Board). A DPO has many responsibilities in an organisation, including:
The DPO acts as the contact point for both data subjects and the supervisory authority (in the UK this is the Information Commissioner’s Office, the ICO). They have to be prepared to answer questions, offer advice and respond to data subject access requests. The DPO’s contact details must be communicated to the ICO and made available to data subjects, for example via privacy notices.
The DPO needs to understand the roles and responsibilities within the business, identify training needs and source suitable training solutions. In addition to this, awareness raising through regular updates and notification emails will be the responsibility of the DPO to promote a culture of data protection within the company.
The DPO will need to have a complete and regularly updated record of the processing activities of the business. This will involve working closely with different departments to understand how personal data is processed across the business. This might also involve activities such as data flow mapping.
The DPO will need to ensure that compliance is being maintained by implementing an audit plan to review existing policies and procedures and ensure they are being followed. Equally, as the business changes, policies and procedures will need to be updated to reflect these changes.
The DPO will need to have a good understanding of when a Data Protection Impact Assessment (DPIA) is mandatory, a good understanding of risk, and the ability to guide different departments in the business through the DPIA process. The DPO will also be responsible for any prior consultation with the ICO where a DPIA identifies high-risk processing whose risks cannot be mitigated.
The DPO has to fully understand the requirements of GDPR in relation to reporting breaches and ensure there is a fully tested process in place to deal with breaches in the business. DPOs will need to ensure breaches are recorded correctly and lessons are learnt to prevent the same thing happening again.
Given that GDPR is a relatively new law, there are still a lot of unknowns regarding its interpretation. The DPO plays a key role in ensuring the business is informed of new guidance from regulatory authorities and also understands how new privacy legislation might affect the business.
As such, GDPR (Article 37(5)) and the EDPB-endorsed guidelines require the DPO to have expert knowledge of data protection law and practice, along with a sound understanding of information technology and data security. They should also be well-informed about the business and its industry. This can be a difficult skillset to find. Many DPOs come from a legal background, as they need to be able to understand and interpret the law, but many of them lack a solid understanding of data security and technology.
Alongside the necessary expertise and attributes, one of the key requirements is that the DPO must act in an unbiased and independent manner. In other words, any other tasks an individual performs outside the DPO role must not create a conflict of interest. Organisations frequently assume that, because the skills and qualifications overlap, a CISO or IT Manager can also be the DPO.
However, part of the DPO’s job is to monitor the organisation’s compliance, so a CISO or IT Manager in that seat would be monitoring their own decisions, essentially marking their own homework, which is a conflict of interest. The CISO or IT Manager can therefore play a supporting role but should not be the DPO. The same applies to individuals in human resources, marketing, customer service and similar functions: anyone who, in their day job, decides what personal data is processed and how (the position of a controller) cannot independently oversee that processing, and so cannot be the DPO.
DPOs must report directly to the highest level of management and must not receive instructions regarding how they carry out their tasks. Under GDPR (Article 38(2)) the organisation must also provide the resources the DPO needs to perform the role, including access to personal data and processing operations and the means to maintain their expert knowledge; in practice this means the DPO should control their own budget for training, tooling and external advice.
Furthermore, they should have the mandate to conduct investigations without fear of reprisal. GDPR (Article 38(3)) provides that the DPO cannot be dismissed or penalised for performing their tasks, so no disciplinary action can be taken against them for the advice they offer. Equally, they are not personally liable if the organisation chooses not to act on that advice.
The role of the DPO should not be underestimated or taken for granted. With an experienced and knowledgeable DPO, an organisation will fare much better in achieving regulatory compliance. This is both beneficial in avoiding the steep fines that come with non-compliance, as well as maintaining their reputation as a respected and dependable company in the eyes of the public. Unfortunately, selecting a DPO is often not a straightforward undertaking.
For instance, the DPO’s scope of work depends on the organisation they work in. On the one hand, taking someone on part-time may not be sufficient to cover all of the duties. On the other, a full-time appointment might leave them without enough to do, and finding additional tasks for them that do not create a conflict of interest can be difficult.
Another consideration is whether anyone within the organisation has the necessary expertise. In smaller organisations, employees tend to wear many hats, making it hard to single out an independent DPO. In larger organisations, the DPO might come from a legal background but not be well acquainted with information technology and data security. Even if a business invests the money and time to train the individual, this does not guarantee that they will have enough experience to manage the challenging ordeal of a data breach. Moreover, if the DPO falls sick or goes on holiday, the organisation must still have someone competent to cover their absence.
For these reasons, an organisation may wish to outsource the DPO role, which offers a range of advantages.
On the whole, this option is often more cost-effective. By outsourcing, an organisation will have the liberty to tailor their DPO’s working hours according to their needs. They can also save on recruitment costs.
Holiday and sickness cover will not be an issue as an outsourced DPO service will provide cover according to a contracted service level.
They typically possess the relevant qualifications, such as being a Certified Data Protection Officer (C-DPO) and/or GDPR Practitioner.
The fact that they work with several companies promises a wealth of experience and knowledge. They may already have a tried-and-tested response plan, or at the minimum, they will know what data needs to be assembled and how to present this to regulators. This saves organisations from the time-consuming and costly affair of training an employee. It also puts the organisation in a better position to maintain regulatory compliance as well as manage a data breach, should one occur.
The outsourced DPO is completely independent of the company, resulting in more objective advice.
Additionally, Bulletproof has a unique position of benefitting from wider cybersecurity and legal teams that can support the DPO behind-the-scenes with technical or legal advice and guidance. As such, rather than depending on the experience of one sole individual, Bulletproof has the expertise of a comprehensive team.
There are many factors to consider when looking to appoint a DPO and there is no one size fits all. While the search for the right DPO may at first present itself as a burden, it is worth investing the time – especially as the stakes have never been higher, both on a reputational and financial front. If you would like to discuss your DPO requirements, or find out more about Bulletproof’s Outsourced DPO packages, designed to suit any organisation size, please get in touch by emailing contact@bulletproof.co.uk or give us a call on 01428 532 900.
As Managing Director of Bulletproof, Nicky’s responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares amazing insight that directly helps businesses overcome their security and compliance challenges.