Data protection officers (DPOs) are often seen as secret weapons in an organisation’s operations arsenal. When done right, they can quickly and effectively make the headache of managing your data protection obligations go away – leaving you free to focus on running your business. But how do you know how much DPO time you need? And why? That’s what I’m looking at in this blog.
In my experience, many organisations don’t know that hiring an outsourced DPO is even a possibility. When we’re talking to customers about their cyber and compliance challenges, and they mention GDPR and data protection in general, they’re over the moon to find out about the DPO service. Someone who knows the data protection landscape inside out, who’s seen it all before and already knows the solutions, and who can just come in and start managing it, is a very useful business resource. It’s one of Bulletproof’s most popular services for this reason.
The amount of time needed of course varies on the size of your business, the nature of your operations and how often things change, but in my experience there is a great starting point that seems to be universal for most SMEs: 1 day per month.
If you’re one of those organisations who are really in a bad place, I’d recommend combining DPO services with some GDPR compliance support. Get your GDPR sorted as an initial project, and then let the DPO take care of it all ongoing.
Let’s look more closely at what a DPO does to find out where 1 day per month comes from.
First up is keeping up to date with any new processing that’s taking place. For example, if your company decides to start collecting additional personal data from its customers, this needs to be recorded in the record of processing activities (ROPA) and a lawful basis needs to be established. Depending on the type of personal data being processed, there may be a need to conduct a data protection impact assessment (which is a risk assessment), or a legitimate interests assessment if legitimate interests is the lawful basis chosen. All of this needs to be recorded and documented every time something changes. Equally, if you stop some processing, your ROPA should reflect the change.
It probably won’t surprise you to read that there is a lot of documentation to keep up to date with the GDPR, and all GDPR documentation should be reviewed at least annually. This is something your DPO can take off your plate. A sensible approach is to review at different times in the year so that there isn’t a pile of docs to review all in the same month – so spreading it out on a monthly basis helps to keep the workload to something that’s manageable. Some docs, like your data breach register and privacy notice will change more frequently and so will need attention as the need arises.
The GDPR is law in both the UK and the EU, and legal cases in both territories bring new perspectives on how the law is interpreted. The European Data Protection Board also regularly reviews aspects of the GDPR and provides detailed guidance on how the law should be interpreted. Keeping on top of this should be an activity a DPO is doing monthly to ensure that guidelines and latest advice are being followed – and working out the impacts to your organisation.
Something that surprises a lot of people when I tell them this is that data breaches actually happen fairly regularly. Thankfully, most of the time they’re fairly minor – think someone emailing the wrong person. But all breaches should be investigated and recorded in the breach register. People who have been responsible for the breach may need further training and reminding of their GDPR responsibilities as well. For more serious breaches, there could be a lot of work involved to fully investigate what happened, identify exactly who has been affected, implement mitigation measures and report the breach to the Supervisory Authority, and then follow up with any investigation the Supervisory Authority may open as a result. There may also be a need to notify data subjects.
The GDPR gives data subjects a number of rights, and the one that most people know about is the right to access. This is where an individual can ask a company to provide any personal data that they hold about the data subject to them. This is called a data subject access request (DSAR, or sometimes just a SAR), and can be an extremely detailed and time-consuming process. Your company will need to search your documentation, your email communications, and chat (e.g. MS Teams) for anything that may be relevant. Needless to say, your DPO being responsible for overseeing this saves you many hours of work: responding to the data subject, reviewing documentation to be sent, ensuring documentation has been redacted etc – all within the one calendar month deadline. There are of course other data subject rights such as the right to erasure – where again the DPO may be required to be involved in helping the data subject exercise these rights, while also ensuring the company is protected and the correct actions are taken.
This one is a big one, and is something that’s growing quickly in terms of the amount of time DPOs are spending on it. Due diligence is a two-way street. As a company, the DPO should be involved when new suppliers are onboarded to ensure they meet GDPR requirements. This will involve the DPO asking some key questions about the supplier and reviewing any documentation such as privacy notices, data processing agreements, contracts, etc. They may design a customised due diligence questionnaire for this and develop risk scoring to assess suppliers in a consistent way. In the same way, the DPO of a company will also have to deal with any incoming due diligence requests made by their customers. This may involve completing a GDPR questionnaire and providing evidence that the company is compliant.
This is something that easily gets overlooked in a business. And whilst it’s not necessarily something that happens on a monthly basis, training is a requirement. DPOs are responsible for designing and developing the training needed for a company to ensure its staff understand their responsibilities under the GDPR and any other data protection frameworks. This may involve annual training, or even more frequent training or reminders via company communications.
The DPO is the go-to person for any GDPR queries and questions that may arise throughout the business. For example, your marketing team may need to understand whether they can send a marketing email to customers, someone may have received a request from a customer to erase some data, the company may be thinking of buying another company and will need advice on how personal data can be handled in this situation. These are just a few examples - the list is long and a good DPO will make themselves available to support the business in answering these questions to ensure your business stays on the right side of the law.
A good DPO will be working closely with all parts of the business to ensure that data protection by design is being implemented. By this I mean things like data protection considerations being made during the planning stages of projects, and not bolted on afterwards. This helps to prevent data protection issues and avoids having to awkwardly try to integrate data protection safeguards after the event. The DPO therefore needs to be very plugged into what is happening across all departments and be providing guidance to teams to ensure data protection is suitably considered.
For most SMEs, doing all this to a good standard takes around a day per month. If your business is particularly complex, or interfaces with a lot of personal data, or if you’ve never done anything with data protection, then perhaps a bit more. One of the main benefits of an outsourced service vs an internal hire is that you can flex your DPO time to meet your actual requirements. This means you’re not over-paying, or under-delivering. Enterprises also benefit from this right-sized approach as a means to supplement their internal data protection officers at busy periods.
A good DPO will also work with your CISO (or virtual CISO) to see where efficiencies and synergies can be found. For example, making sure your penetration test includes the systems that interact with personal data to ensure compliance with Article 32 of the GDPR, or combining GDPR training with your annual security training to minimise operational impact.
As our customers like to tell me, getting all this for 1 day a month is a bargain.
As Managing Director of Bulletproof, Nicky’s responsible for innovating and evolving Bulletproof’s compliance services. With a varied and interesting career, Nicky shares amazing insight that directly helps businesses overcome their security and compliance challenges.
Start meeting and maintaining your data protection obligations the smart way with an outsourced DPO from Bulletproof.