Trusted, flexible data protection services

Comply with Article 35 of the GDPR

Data Protection Impact Assessment (DPIA)

Our DPIA support service will help your business assess planned process changes and comply with current regulations.

• Documenting the planned process
• Identifying risks and recommending mitigations
• Researching the market for additional solutions
• Support with lawful basis and special category conditions for processing (Articles 6 & 9 and Data Protection Act Schedule 1 compliance)
• Guidance and support on transparency
• Dedicated expertise on algorithmic processing, automated decision making, and profiling
• Ethical guidance and research

The Bulletproof team has experience with especially challenging scenarios such as algorithmic processing, facial recognition, and data reuse for research purposes. In addition, we also provide services for other assessments such as Legitimate Interests Assessments (LIAs), Transfer Impact Assessments, and Privacy Impact Assessments.

Comply with GDPR Article 28

Data Protection Contracts and Agreements Services

When you choose our contracts and agreements services, we’ll help your business to navigate the complex requirements and expectations relating to data protection agreements with third parties.

• Mapping the planned data protection relationship
• Support determining and evidencing the relationship (controller-controller, joint control, controller-processor)
• Drafting appropriate clauses for inclusion in commercial contracts
• Drafting Data Sharing Agreements, Data Processing Agreements, and multi-party Data Sharing Frameworks
• Data sharing framework participation support (or setup)
• International transfer requirements (e.g., International Data Transfer Agreement (IDTA), EU SCCs, etc.,)
• Impact Analysis (DPIA, PIA, TRA, etc.,)

Business working relationships often have unique challenges which can make contracts and agreements daunting. Bulletproof consultants work with you to ensure that your documentation is completed on time. In particular, our team has experience with especially challenging scenarios such as transfers involving large quantities of health and financial data, algorithmic processing, and mass marketing.

Comply with Article 30 of the GDPR

Records of Processing Activities (RoPA) Service

RoPAs are foundational aspects of good data protection management, aiming to identify and document all data processing activities in your business.

• Identifying processing activities
• Documenting data flows
• Finding the right lawful basis for processing
• Finding the right lawful conditions for processing under GDPR Article 9 and Data Protection Act 2018 Schedule 1
• Identifying risks and mitigations

Bulletproof take a workshop-based approach to delivering the RoPA which provides a best-value approach to the project delivery. Our consultants who will host workshops with delegates from across your business. They will hold the hands of your employees to gather all of the required information and help you to make informed decisions along the way.

Comply with Chapter V of the GDPR

International Transfers Compliance Service

Get support navigating the complex requirements and expectations relating to cross-border data transfers. Here are a few of the ways our team of experts can help:

• Mapping the planned data protection relationship
• Support determining and evidencing the relationship (controller-controller, joint control, controller-processor)
• Identifying the appropriate transfer compliance mechanism (IDTA, SCC, BCRs, etc.,)
• Drafting appropriate clauses for inclusion in commercial contracts
• Drafting Data Sharing Agreements, Data Processing Agreements, and multi-party Data Sharing Frameworks
• Data sharing framework participation support (or setup)
• Completion of Transfer Impact Assessments (TIAs), Transfer Risk Assessments (TRA), Data Protection Impact Assessment (DPIA) and similar
• Market and solution research

In most cases where data transfers are taking place internationally, compliance mechanisms are a legal necessity – and failing to undertake the required steps can cause significant reputational and financial problems for your business. Good quality assessment and planning work can help to manage and reduce the risks the business is exposed to, provide reassurance to customers, and ensure compliance with the law. In particular, our team has experience with especially challenging scenarios such as transfers involving large quantities of health and financial data, algorithmic processing, and cloud services.

Refresh & progress your data protection compliance

Data Protection Policy Service

Bulletproof will help you achieve and maintain compliance with data protection regulations, including GDPR, through comprehensive policy and procedure support. Full, tailored GDPR-related policies and procedures:

• Risk framework/risk assessments
• Processes for completing Data Protection Impact Assessments (DPIAs) and Legitimate Interests Assessments (LIAs)
• Data protection incident response (data breach) procedures
• Retention and disposal policies and schedules
• Subject Rights Response procedures
• Data Transfer Policies
• Data Protection Act Schedule 1 Appropriate Policy Documents (APDs)

Many policies and procedures are either directly or indirectly required by law. For instance, most UK employers are obliged to hold an APD for handling information such as employee sickness.

Comply with articles 13 & 14 of the GDPR

Privacy Notice Service

Establish and refresh your data protection transparency materials. Build trust, demonstrate compliance with the first data protection principle, and answer questions before you get them.

• Full, tailored privacy notices
• Cookies and digital tracking notices
• Just-in-time privacy notices
• Support with audience-specific notices such as easy-read notices
• Data Protection Act Schedule 1 Appropriate Policy Documents (APDs)
• Model notices for third-party issue

Meet GDPR requirements with UK GDPR Representation

UK Representation

Satisfy article 27 with our experienced data protection consultants. Bulletproof will act as your official UK GDPR Representative.

• Located in the UK, our team of GDPR experts can provide comprehensive representation services
• Our team will act as a point of contact for both your UK data subjects and the UK data protection authorities.
• We will keep and maintain your Records of Processing Activities (ROPA) in accordance with Article 30.
• You will be allocated a dedicated consultant who will regularly check-in to ensure you’re maintaining compliance.

Independent assurance for your DSPT submission

NHS DSP Toolkit Submission

Gain independent assurance for your DSP Toolkit submission with our independent NHS DSP Toolkit assessment service. Each year, many organisations who need to make DSP Toolkit submissions are also required to obtain an independent assessment of their self-assessment and provide the outcome alongside their published submission. Our service includes:

• Risk-based assessment of your questionnaire in line with National Data Guardian standards
• Evidence checks such as training records, risk reviews, continuity exercises etc.,
• Verification of security certification schemes such as Cyber Essentials, Cyber Essentials Plus, and ISO 27001
• Verification of data protection documentation and standards such as Information Asset Register (IAR), Records of Processing Activities (RoPA), Retention and Disposal, Data Subject Rights, and more
• Assessment of the suitability of security standards
• An assessment report and rating broken down by area following the national guidelines which you can include with your annual submission