Data Protection Officer (DPO) as a Service
GDPR requires certain organisations to appoint a Data Protection Officer (DPO) to help ensure regulatory compliance.
GDPR allows outsourcing of this role, and using our experienced specialists is an effective and efficient way to fulfil the requirements of compliance while staying focused on your core business activities.
- Advice & guidance on GDPR and all GDPR matters
- Deployment/improvement of GDPR policies, processes & practices
- Compliance monitoring & reporting
- Data Protection Privacy Impact Assessments
- Staff awareness & training
- Contact point for regulatory authorities and data subjects
- Broad Infosec advice including ISO27001 and ISO28000
- Practical solution to achieve & maintain GDPR compliance
- Cost-effective compared to an internal appointment
- Access to specialist expertise and best practice
- No conflict of interest with other duties in your organisation
- Service can be tailored to meet your specific requirements
- Certificated validation including ISO27001 and ISO28000
£550 to £1200 per person per day
- Education pricing available
|Software add-on or extension||No|
|Cloud deployment model||Private cloud|
|Service constraints||None, this is a highly tailored and configurable service.|
|Email or online ticketing support||Email or online ticketing|
|Support response times||9 x 5 support is included as standard. Standard support is via email and phone and responses are within 1 hour. Extended support including 24/7 and 7 day support is available at extra cost.|
|User can manage status and priority of support tickets||Yes|
|Online ticketing support accessibility||None or don’t know|
|Phone support availability||9 to 5 (UK time), Monday to Friday|
|Web chat support||No|
|Onsite support||Yes, at extra cost|
Standard support is included with each engagement.
Each project is led by a Prince2 qualified practitioner who also oversees support.
Support outside 9 - 5 x 5 days is available at extra cost.
Please contact us for details.
|Support available to third parties||Yes|
Onboarding and offboarding
Once the scope is confirmed the project commences.
Training is a key element and is delivered through a variety of media, including online and downloadable PDF manuals.
|End-of-contract data extraction||As part of the service, users are able to retain access to the CyberWhite portal for 90 days post contract end and may download all documentation as PDFs.|
|End-of-contract process||The contract ends once the project has been successfully completed and all agreed deliverables have been met.|
Using the service
|Web browser interface||Yes|
|Application to install||No|
|Designed for use on mobile devices||Yes|
|Differences between the mobile and desktop service||None|
|Description of customisation||Each engagement is unique and tailored according to the initial, agreed scope.|
|Independence of resources||Each project is allocated a Prince2 project manager who ensures that there is no degradation of agreed service levels.|
|Service usage metrics||Yes|
A Prince2 project plan is agreed at the start of the project and milestones confirmed.
These are closely monitored and communicated back on a monthly basis.
|Supplier type||Not a reseller|
|Staff security clearance||Conforms to BS7858:2012|
|Government security clearance||Up to Security Clearance (SC)|
|Knowledge of data storage and processing locations||Yes|
|Data storage and processing locations||
|User control over data storage and processing locations||Yes|
|Datacentre security standards||Managed by a third party|
|Penetration testing frequency||At least every 6 months|
|Penetration testing approach||In-house|
|Protecting data at rest||
|Data sanitisation process||No|
|Equipment disposal approach||A third-party destruction service|
Data importing and exporting
|Data export approach||Download from the CyberWhite portal|
|Data export formats||Other|
|Other data export formats|
|Data import formats||Other|
|Other data import formats||
|Data protection between buyer and supplier networks||
|Data protection within supplier network||
|Other protection within supplier network||Role based access is assigned and supported with 2FA|
Availability and resilience
|Guaranteed availability||Each SLA is unique and agreed at the commencement of the project.|
|Approach to resilience||Available on request|
|Outage reporting||Any outages will be reported by email and confirmed by telephone|
Identity and authentication
|User authentication needed||Yes|
|Access restrictions in management interfaces and support channels||Role based authentication is used to restrict access and supported by a range of tools and monitoring technologies.|
|Access restriction testing frequency||At least every 6 months|
|Management access authentication||
Audit information for users
|Access to user activity audit information||Users receive audit information on a regular basis|
|How long user audit data is stored for||User-defined|
|Access to supplier activity audit information||Users receive audit information on a regular basis|
|How long supplier audit data is stored for||User-defined|
|How long system logs are stored for||User-defined|
Standards and certifications
|ISO/IEC 27001 certification||No|
|ISO 28000:2007 certification||No|
|CSA STAR certification||No|
|Other security certifications||Yes|
|Any other security certifications||
|Named board-level person responsible for service security||Yes|
|Security governance certified||No|
|Security governance approach||Currently working towards ISO27001:2013 with an expected certification of late 2019.|
|Information security policies and processes||Everything follows ISO 27001:2013|
|Configuration and change management standard||Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402|
|Configuration and change management approach||The service components of our services are tracked through their lifetime in our asset register. All proposed changes are assessed for potential security impact.|
|Vulnerability management type||Undisclosed|
|Vulnerability management approach||Potential threats are assessed in real time and we work to a zero day tolerance. Full details will be provided on request and subject to a signed NDA.|
|Protective monitoring type||Undisclosed|
|Protective monitoring approach||CyberWhite use a range of technologies and processes for monitoring. Details may be provided upon receipt of a signed NDA.|
|Incident management type||Undisclosed|
|Incident management approach||CyberWhite use a range of technologies and processes for monitoring. Details may be provided upon receipt of a signed NDA.|
|Approach to secure software development best practice||Supplier-defined process|
Public sector networks
|Connection to public sector networks||No|
|Price||£550 to £1200 per person per day|
|Discount for educational organisations||Yes|
|Free trial available||No|