CHAS chooses Oyster IMS ‘DPO as a Managed Service’ to achieve continued GDPR compliance and operationalise their privacy programme.
Overview
For over 20 years Children’s Hospices Across Scotland – better known as CHAS – has been offering a full family support service for babies, children and young people with life-shortening conditions.
This includes palliative care, family respite and support through its hospices, homecare services and hospital presence.
Challenge
With the well-publicised arrival of the General Data Protection Regulation (GDPR) in May 2018, CHAS decided that their established compliance programme would benefit from external support to review their level of readiness. Oyster IMS were initially engaged by CHAS to deliver a GDPR Risk & Readiness Assessment – a short, sharp engagement to assess the current situation against the detail of the Regulation and produce an action plan for change.
Linda Kilgour, Head of Information Management at CHAS, explains: “Whilst internally, we had completed a lot of preparatory work and were fully aware of our data protection obligations as processors of sensitive information, we wanted the reassurance that benchmarking by external Information Management experts against best practice gives. We knew we really needed to focus on the high-risk areas and therefore we engaged Oyster IMS to provide a GDPR Risk & Readiness Assessment. One of the results of this assessment was the creation of our custom GDPR action plan”.
This process quickly established what needed to be done and that further ongoing support would be required.
“Oyster IMS consultants are really approachable, positive in finding compliant compromise solutions to deal with challenges and provide very detailed answers to our privacy queries. The Helpdesk service is great and we have received lots of training and support on OneTrust and prompt advice on all our GDPR requirements.”
LINDA KILGOUR
Head of Information Management, CHAS – Children’s Hospices Across Scotland
Solution
CHAS commissioned Oyster IMS to oversee the delivery of the GDPR and Privacy programme and deliver the required actions identified in the GDPR Risk & Readiness Assessment. Once this initial ‘project’ phase was completed, CHAS had established a trusted partnership with Oyster IMS, who were increasingly being relied upon to offer advice on how to handle the day-to-day challenges arising as a result of the GDPR. Seeing this requirement in a number of clients, Oyster IMS had already developed their ‘DPO as a Managed Service’ (DPOaMS) offering, and this was selected by CHAS as the solution to their ongoing requirement. This built on the work already done during the assessment and dovetailed nicely into an ongoing managed service.
The DPOaMS consists of three core components:
- Access to fully-qualified privacy professionals to provide CHAS with privacy support services (including acting as the DPO) based on the customised assessment already carried out.
- Portal-based DPO helpdesk service with contracted service levels and KPIs to ensure guaranteed responses to all CHAS questions and requirements.
- Hosted instance of the OneTrust Privacy Management Software to support and automate all CHAS requirements for auditing, assessment and reporting services including full training, technical support and system administration.
Results
The support and advice that Oyster IMS has been able to provide has been a critical element of CHAS’s GDPR programme. The helpdesk is the first point of contact with Oyster IMS, referring queries to one of the qualified privacy professionals to offer advice, guidance and/or resolutions to the many challenges that arise in the complex and developing realm of information governance and privacy.
As part of the service, Oyster IMS consultants have been able to provide:
- Advice and guidance to the organisation or DPO, senior managers and/or the privacy team on GDPR compliance
- Support for the building of a privacy aware culture
- Assistance and advice on communications with the ICO
- Review and report on the implementation, use and maintenance of policies, procedures and documentation
- Review of the data protection risk register
- Updates regarding GDPR compliance and approach
- Monitoring and review of vendors and third parties
- Oversight of, and assistance and advice on, SARs (Subject Access Requests)
- Review of, and guidance on, DPIAs
- Effective handling of ad hoc GDPR or Information Privacy queries as they arise.
A key element of the solution is the privacy management software from OneTrust. Oyster IMS were very early adopters of this tool, recognising that it is the most efficient way to deliver successful outcomes when working through both the initial GDPR action plan and operationalising the whole privacy programme within an organisation.
The Oyster IMS DPOaMS is not just about providing expert GDPR and privacy advice from qualified consultants – it also provides support and guidance on how our clients can leverage OneTrust to its fullest.