As legislation goes, the GDPR could be unique in its insistence that a new professional role, the Data Protection Officer (DPO), be created to ensure its mandates are properly met. But getting a DPO in place is no simple recruitment exercise, and that’s especially true for schools.
For starters, people with the requisite mix of abilities and experience to do the job in educational environments are hard to find. However, schools don’t necessarily have to recruit externally, as the GDPR guidelines allow for other options. Governors and members of school staff can be made DPOs – although given the baseline career skills and background required, this is probably not feasible.
In the UK, schools can also request that their Education Authority manage the DPO requirement on their behalf. However, a more robust option is to outsource the job to third-party data protection officers for schools, since data protection in the education sector can be more demanding for schools than for commercial businesses.
Schools naturally handle a lot of sensitive information about children, which means special provisions in the Data Protection Act 2018 (the UK’s implementation of the GDPR) must be observed. Some data may be accessed by students themselves, which introduces extra risk compared to managing data security among an enterprise workforce. Part of the school DPO’s role is to maintain cyber awareness among younger end-users who may not be as receptive to cyber dos and don’ts as salaried employees.
School DPOs are also concerned with risk exposure, as educational establishments of all kinds are increasingly targeted by malicious cyber threats. Cyber criminals know that the digitalisation of learning processes creates opportunities for new forms of attack (such as phishing) aimed directly at students and teaching staff.
Funding pressures are always an acute issue for many educational establishments, and hiring a DPO only compounds matters. Schools are faced with having to recruit a new staff member whose exceptional skills and abilities place a premium on the salaries DPO candidates can demand. According to Glassdoor, these range from £32k per annum to £79k per annum, with £50k being the national average. Add to this any additional budget to pay for third-party cover when the DPO is on leave, off sick or otherwise indisposed. The sum total can be a significant expense for resource-strapped schools. The thorny issue of cost is one of the primary reasons that educational establishments are increasingly outsourcing the DPO role for an affordable monthly cost.
Another key factor in the trend to outsourcing is finding candidates with the relevant educational experience. DPOs don’t technically require professional qualifications to undertake the role – the GDPR stipulates only that DPOs should have ‘expert knowledge’ of data protection law and practices, plus a good understanding of IT infrastructure and organisational models. However, to be an effective DPO for a school you’d need to add experience of the education sector into the mix. And that makes the recruiting challenge even harder.
All this means it’s crucial that a school DPO’s purpose is clearly understood by all levels of school management, and by students, right from the outset. It’s important to avoid any perception of the DPO as a serial box-ticker who works outside of day-to-day educational operations.
Probably the first and most obvious benefit of having a DPO onboard is that they will help prevent a school’s data protection processes and procedures from being found wanting by the regulator, resulting in a fine. The Information Commissioner’s Office (ICO) has taken a fairly lenient approach toward the education sector so far in terms of actual penalties. However, since 2018 the ICO has instigated a series of audits of selected Multi-Academy Trusts (MATs) and their education establishments.
The ICO’s findings suggest a significant proportion of schools are still on a learning curve when it comes to getting their heads (and their processes) around GDPR requirements. Audit reports made public by the ICO indicate that most schools did not achieve satisfactory levels of data protection practice. The regulator conducted GDPR compliance audits of hundreds of schools across 12 MATs and subsequently published detailed reports for 10 of them, covering some 347 academies, primary and secondary schools assessed against the criteria of Data Sharing, Governance & Accountability, Training & Awareness, and Requests for Personal Data Portability.
Although some of the ICO audit results likely embarrassed the MATs named, and potentially harmed their standing in the education market, the audits do highlight an additional benefit an effective DPO can bring: avoidance of reputational damage that can attract criticism from parents and educational authorities – and impair a school’s ability to attract quality teaching staff.
The savvy DPO can also add value when it comes to advising when not to take action. For example, of 1,385 school data security incident referrals handled by the ICO in the year after the GDPR went live, just 208 (15%) resulted in orders for action to be taken. This was attributed to schools being overly concerned to make sure they were covered, but the figure also suggests a lack of awareness of the circumstances in which incidents must be reported.
“It does reflect a misunderstanding of what the GDPR actually means for schools,” said a consultant quoted in Schools Week. “It may be that the schools that are self-reporting just don’t understand what they’re doing.”
A DPO who knows their GDPR obligations thoroughly can save their school time and resources by knowing when a data compromise incident has to be reported – and when it does not.
The scope of data governance has widened markedly over the last two years, and the DPO’s workload is added to by the changes to data protection compliance caused by the UK leaving the EU. The Government plans changes to the GDPR and Data Protection Act 2018 to retain EU GDPR provisions in UK law (until then, the EU Withdrawal Act retains the GDPR in UK regulation).
It’s unlikely that your typical DPO’s day-to-day focus will be just on the GDPR and the Data Protection Act. There are multiple other regulatory requirements schools have to meet, such as the Freedom of Information Act 2000 and the Privacy and Electronic Communications Regulations (PECR).
Schools must also increasingly ensure that third-party suppliers that process their data are properly GDPR-compliant. This has assumed greater criticality in the context of the GDPR as digital transformation enters the education sector and more schools rely on cloud service providers to host their applications and data. As these compliance obligations affect more aspects of day-to-day educational activities, the DPO becomes the regulatory go-to person for schools and trusts.
Schools face added complexity due to the special provisions for the protection of data that pertains to children. Schools process and store large amounts of data that concerns personal information: students’ academic records, medical profiles, contact details, ethnicity, biometrics, still and video images, and so on. Schools also hold data on teaching and administrative staff, governor activity, external volunteer activity and suppliers.
Such data was already governed by the old Data Protection Act 1998. What changed in the new Data Protection Act 2018 (the UK’s implementation of the GDPR) was increased security provisions, enhanced rights for individuals, as well as the requirement for schools to also document why and how they process personal data.
For example, children have the right to request a copy of their personal data under the GDPR-empowered Data Protection Act 2018, and have the right to request that a school no longer processes their data. The GDPR explicitly requires that children’s data is protected and, additionally, it stipulates that privacy notices must be articulated in ways that are clear and accessible to a child or worded specially for them.
Hiring a DPO is not quite comparable with the appointment of other data-management related roles within an organisation, such as a Chief Data Officer (CDO) or Chief Information Officer (CIO). To start with, the articles of the GDPR say that DPOs are not supposed to fit into conventional managerial hierarchies.
Although they’ll work closely with the IT and legal functions, they’re not seconded to those functions – they must report directly to senior management, or to the board of governors in the case of schools. This is to ensure a DPO is free to work without any conflicts of interest. The significant cost and challenge of recruiting a data protection expert with education sector experience are the primary drivers for schools outsourcing this role, as it delivers a better service at a manageable cost.
We chose Bulletproof as our school DPO as they had impressive knowledge of the data privacy requirements within our industry. Our consultant is always on-hand to assist with reviewing and updating our internal procedures, as well as providing quick responses to our data protection queries. Bulletproof is professional and friendly – a great extension to our team.
Bryon White, Head of Legal Services, London School of Science and Technology
Luke is Bulletproof’s Head of Compliance, and can often be found coming up with new, innovative, and entertaining ways to evolve our compliance services portfolio. His passion for compliance and business insights always comes through in his articles.
Bulletproof’s experienced DPOs give your school peace of mind that all data protection needs are being taken care of, for an affordable monthly cost.