
Date: 9 August 2024

Datahub Consulting has a Risk and Compliance team that works with clients on their data protection and cyber security. When we start a conversation with a new client, one of the questions we usually get asked is, “Why are Datahub’s data protection services different?”. This is a deep question that we could talk about at length. When clients ask it, I answer based on our strengths and success stories. So, in this article I want to explain why Datahub Consulting has a comprehensive and robust risk and compliance offering, with a list of customers that grows year on year.

Image showing laptop with the term GDPR Data Protection

From the day Datahub Consulting was incorporated we wanted to focus on our strengths and not to sell services in which we would not consider ourselves experts. As data consultants, the team had expertise in data compliance and were practitioners in the EU GDPR law.

Even myself, as the CEO, I have previously worked with large airlines and airports in the UK and the Middle East to advise on data protection and cyber security.

Over the years we have built on that knowledge and are now experts in multiple data protection laws, providing these services to organisations in the UK, Europe, the Middle East, Canada and Africa.

Before we get into Datahub’s Risk & Compliance strengths, let’s recap why data protection is essential in today’s world by looking at some cybersecurity statistics on data breaches involving the personal information of data subjects. A person’s personal information is a valuable commodity for cybercrime, as there is a large amount of money to be gained from selling it.

  • Ransomware is the biggest cybersecurity threat leading to data breaches of personal information.
  • Over 80% of ransomware attacks target companies’ data backup systems.
  • Not all companies that pay the ransom get the personal information back.
  • Digital fraud has been increasing year on year by over 18%.
    Examples of digital fraud are where credit cards are applied for, or goods are purchased online on credit, using false personal information. Through data leaks and cyber attacks, the personal information needed to commit digital fraud is easily obtained.

From my network of compliance professionals we see that compliance companies fall into two categories: they either come from a legal background or from a risk analysis background. Let’s talk about these:

Data protection is based around a legal framework enacted into law by a country or group of countries, like the EU GDPR. For this reason, someone with a legal background is well placed to advise on the legal text of the data protection articles. The articles are the legal text that make up the law.

Data protection is also based on risk analysis: weighing up the risk to the personal information of the data subject and implementing controls to mitigate that risk. Data protection is therefore a matter of risk analysis, controls, and a continual improvement process.

At Datahub we also think that technical expertise is key to being a successful data protection consultancy. Fundamentally, data protection exists to safeguard the data of data subjects. To safeguard that data, organisations are required to implement appropriate technical and organisational measures to ensure a level of security for it. This will involve IT security, IT infrastructure, cybersecurity, etc. Some examples of these are:

  • Firewall Settings
    Firewall settings are important to data protection because they prevent unauthorised access.
  • Backup and Disaster Recovery Strategies
    To prevent loss of data, backups will be taken, and these will include personal information. What are the strategies for backup files and disaster recovery?
  • Encryption and Pseudonymisation
    These security measures are specifically mentioned in the articles of the EU GDPR. As technical experts, Datahub understand and can advise on best practice for these.
  • Masking
    Hiding sensitive information.
  • Secure Destruction
    There will be times when data containing personal information needs to be securely destroyed. This could be through a subject access request, or to comply with retention policies: the retention period comes to an end and the data needs to be securely destroyed. Doing this securely is not just a matter of hitting the delete button.
  • File and System Access Control
    So that files containing personal information are only available to the minimum number of staff, security controls need to be put in place. For example, who will have read access, and who will have read / write access? Will the file be protected with Active Directory policies, and will there be multi-factor authentication?
    Then, once a member of staff leaves the organisation for whatever reason, are there systematic measures in place to revoke access? A person who has left the organisation but still has access would be considered a potential data breach (unauthorised access).
  • Transfer of Data
    There are times when data containing personal information is transferred to a processor or sub-processor. What security measures are in place to ensure that the data is safe? For example, emails can be intercepted and attachments can be copied. If using email, are the emails automatically encrypted, would FTP or SFTP be an option, or would SOC 2 be better? To advise on this whole topic you need to know the specifics on a case by case basis and have knowledge of data transfer methods.
  • Cybersecurity
    Cybersecurity is a topic in itself and too big to discuss in detail in this article. But it is documented that ransomware is the biggest threat regarding data protection. Cyber criminals gain unauthorised access to a company’s systems and obtain a copy of customers’ personal information. They then use this information either to demand a ransom from the organisation or, if that does not work, to sell the personal information on the dark web. The areas that need to be addressed to prevent this form of unauthorised access are:
    • Phishing
      Phishing is the most common form of cybercrime, with an estimated 3 billion malicious emails sent every day in 2024.
    • Endpoint security
      Endpoint security is the process of protecting devices from the threat of malware and cyberattacks. These devices include servers, workstations, laptops, tablets, etc. With more and more business users working from home on laptops and mobile technology, endpoint security becomes more and more important.
    • Network security
      Monitoring for abnormal activity on networks to identify potential data breaches and unauthorised access.
  • Cloud Services
    More and more cloud services are being used. Considerations would be: is the data centre in the same region as the organisation? Is it a fully managed cloud service where the hosting and security are managed, etc.?
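The access control point above asks two concrete questions an auditor can test rather than take on trust: is access revoked when staff leave, and is multi-factor authentication in place? The following is an added example, not Datahub’s code or tooling, showing the kind of reconciliation check that answers them. It joins a constructed HR leavers export to a constructed dump of enabled accounts (the field names `employee_id`, `leave_date`, `groups`, `mfa` and `last_login` are assumptions for the illustration) and reports accounts that remain enabled past the leave date, accounts that were actually used after it, and accounts with group access but no MFA.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed sample data (not from any real client): an HR leavers export and an
# identity-system account dump, joined on employee_id. Field names are assumed.
HR_LEAVERS = [
    {"employee_id": "E1001", "leave_date": "2024-06-30"},
    {"employee_id": "E1002", "leave_date": "2024-07-15"},
    {"employee_id": "E1003", "leave_date": "2024-08-20"},  # leaves in the future
]

ACTIVE_ACCOUNTS = [
    {"employee_id": "E1001", "username": "asmith", "groups": ["hr-files-rw"],
     "mfa": True, "last_login": "2024-07-02"},
    {"employee_id": "E1002", "username": "bjones", "groups": ["finance-ro"],
     "mfa": False, "last_login": "2024-07-10"},
    {"employee_id": "E1003", "username": "cbrown", "groups": ["hr-files-ro"],
     "mfa": True, "last_login": "2024-08-01"},
    {"employee_id": "E1004", "username": "ddoe", "groups": ["it-admin"],
     "mfa": False, "last_login": "2024-08-05"},
]


@dataclass
class Finding:
    username: str
    issue: str
    detail: str


def find_stale_access(leavers, accounts, today: date) -> list[Finding]:
    """Flag accounts that are still enabled after the owner's leave date.

    Two findings are possible per account: the account is still enabled after
    the leave date (a revocation gap), and a login recorded after that date
    (the gap was actually used, which the article treats as unauthorised access).
    """
    leave_dates = {l["employee_id"]: date.fromisoformat(l["leave_date"]) for l in leavers}
    findings: list[Finding] = []
    for acct in accounts:
        left = leave_dates.get(acct["employee_id"])
        if left is None or left >= today:
            continue  # not a leaver, or the leave date has not yet been reached
        findings.append(Finding(acct["username"], "leaver-still-active",
                                f"left {left.isoformat()}, groups={acct['groups']}"))
        last_login = date.fromisoformat(acct["last_login"])
        if last_login > left:
            findings.append(Finding(acct["username"], "login-after-leaving",
                                    f"last login {last_login.isoformat()}"))
    return findings


def find_missing_mfa(accounts) -> list[str]:
    """Usernames of accounts that hold group access but have no MFA enforced."""
    return [a["username"] for a in accounts if a["groups"] and not a["mfa"]]


def run_audit(today_iso: str = "2024-08-09"):
    """Run both checks against the constructed data as of a given date."""
    today = date.fromisoformat(today_iso)
    return find_stale_access(HR_LEAVERS, ACTIVE_ACCOUNTS, today), find_missing_mfa(ACTIVE_ACCOUNTS)


if __name__ == "__main__":
    stale, no_mfa = run_audit()
    for f in stale:
        print(f"{f.issue:22} {f.username:10} {f.detail}")
    print("accounts without MFA:", no_mfa)
```

In practice the two inputs come from the HR system and the directory or identity provider; the point of the check is that an auditor compares the two rather than asking the IT department whether revocation happens.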

Above are some examples of where Datahub Consulting can advise and support IT security and cybersecurity teams to ensure the security of personal information. Also, when conducting a data protection audit we would not rely on the IT department telling us that adequate IT security is in place for a particular process. We would want to know the technical specifics of what is in place, and then assess as part of the audit whether this is adequate.

At the time of writing this article the EU NIS2 directive is being enacted. By October 2024, organisations that operate in the EU, regardless of head office location, will need to adhere to the NIS 2 framework, which will increase the level of IT security measures within the EU.
For more information on the NIS 2 directive have a look at the article on our website: What You Need to Know About EU NIS 2 Directive | DataHub Consulting

Datahub Consulting’s expertise includes:

  • Data Compliance (Including legal services and risk management),
  • Cyber Security,
  • Data engineering,
  • Data & Digital Transformation,
  • Data Science (predictive analytics),
  • Database design, security and implementation.

For this reason, we can offer data protection experts with knowledge of global data protection laws, coupled with our technical expertise in data engineering and cyber security. Together, our clients benefit from an all-round compliance service that can also support technical teams like IT support, IT infrastructure, and IT security.

Under EU GDPR Article 27 (Representatives of controllers or processors not established in the Union), Datahub can provide representation to clients who offer goods or services to EU or UK data subjects. With our UK office in London and European office in Madrid we can offer EU / UK representation to any of our clients.

The EU representative acts as an additional contact person for supervisory authorities and data subjects within the EU, providing the client with compliance with Article 27 of the EU GDPR.

One example where we have helped a client improve their data protection process is with subject access requests.

Under GDPR an organisation has 1 month to action a request from a data subject. The client had a process in place that worked but was very manually intensive and not very efficient. With their request process they would manually check for a new request each day, and information was manually entered into an Excel log. Additional security was required for the Excel log so that only the compliance team could open and change information in the request log.

This process was time consuming and manual errors could occur. Also, if the request was not updated straight away, this led to inaccurate information.

Using our technical expertise and data transformation, we suggested a solution that would automate the process. The solution did not cost the organisation any additional money, as it utilised applications already in their business, like their Office 365 licence.

Collection of the Request

For the solution we initially worked with the website team to create a secure web page that could collect all the information for the subject access request. There was a secure portal where validation documents could be securely uploaded. All the above request information was stored in a secure database.

Bespoke Application

We then created an application using the Microsoft Power Platform that allowed the compliance team to update the request with comments and statuses etc.

Automated Alerts

We also included automated alerts for the compliance team. These alerts notified the team when a new request had been raised. Also, as there is a 1-month timeframe to action any request, if a request reached its last 7 days without yet having a completed status, an alert was automatically sent to the team notifying them that there were fewer than 7 days left to complete it. This ensured that all requests were completed within the timeframe set by the data protection law.

Log File

The automation also created a log file associated with each request, so for audit purposes the organisation could demonstrate that all requests were actioned in a timely and accurate manner.

This made the subject access request process more efficient and reduced manual effort and manual errors. It also ensured accurate logging of requests from an audit perspective. There was a small initial cost involved in developing the system, but there were no additional running costs from an application or licence perspective.

Taking the small implementation cost into consideration alongside the reduced manual effort by staff, the return on investment (ROI) meant that the client benefited financially within the first year.
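The alerting and logging steps above amount to a small piece of deadline logic: compute the one-month due date from the date the request was received, raise a warning once an uncompleted request is inside its last 7 days, flag anything past its due date, and record every status change and alert against the request. The following is an added example, not the Power Platform application described above or any client’s code, showing that logic in Python over constructed requests. The request references and dates are made up for the illustration; the one-month deadline is computed as the same day of the following month, clamped to the month end.

```python
from __future__ import annotations
import calendar
from dataclasses import dataclass, field
from datetime import date

WARN_DAYS = 7  # the article's "last 7 days" alert threshold


def add_one_month(d: date) -> date:
    """One-month deadline: same day next month, clamped to that month's last day."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def deadline_for(received_iso: str) -> str:
    """ISO due date for a request received on the given ISO date."""
    return add_one_month(date.fromisoformat(received_iso)).isoformat()


@dataclass
class SubjectAccessRequest:
    ref: str
    received: date
    status: str = "new"              # new -> in-progress -> completed
    log: list[str] = field(default_factory=list)

    @property
    def due(self) -> date:
        return add_one_month(self.received)

    def update(self, status: str, note: str, when: date) -> None:
        """Every status change is appended to the request's audit log with its date."""
        self.status = status
        self.log.append(f"{when.isoformat()} status={status} note={note}")


def check_deadlines(requests: list[SubjectAccessRequest], today: date) -> list[tuple[str, str, int]]:
    """Return (ref, alert_kind, days_remaining) for open requests needing attention.

    Completed requests are skipped; overdue ones are reported as such, and open
    ones inside the last WARN_DAYS days get a deadline warning. Each alert is also
    written to the request's log so the audit trail shows it was raised."""
    alerts = []
    for r in requests:
        if r.status == "completed":
            continue
        remaining = (r.due - today).days
        if remaining < 0:
            kind = "overdue"
        elif remaining <= WARN_DAYS:
            kind = "deadline-warning"
        else:
            continue
        alerts.append((r.ref, kind, remaining))
        r.log.append(f"{today.isoformat()} alert={kind} days_remaining={remaining}")
    return alerts


def sample_requests() -> list[SubjectAccessRequest]:
    """Constructed requests (not real client data)."""
    reqs = [
        SubjectAccessRequest("SAR-001", date(2024, 7, 1)),   # due 1 Aug: overdue on 9 Aug
        SubjectAccessRequest("SAR-002", date(2024, 7, 12)),  # due 12 Aug: 3 days left on 9 Aug
        SubjectAccessRequest("SAR-003", date(2024, 7, 31)),  # due 31 Aug: no alert yet
        SubjectAccessRequest("SAR-004", date(2024, 7, 5)),   # completed, so ignored
    ]
    reqs[3].update("completed", "response sent", date(2024, 7, 30))
    return reqs


def run_daily_check(today_iso: str = "2024-08-09"):
    """Simulate the scheduled daily run against the constructed requests."""
    reqs = sample_requests()
    return check_deadlines(reqs, date.fromisoformat(today_iso)), reqs


if __name__ == "__main__":
    alerts, reqs = run_daily_check()
    for ref, kind, days in alerts:
        print(f"{ref}: {kind} ({days} days remaining)")
    for r in reqs:
        print(r.ref, r.status, r.log)
```

Running this daily (as the automated alerts were) is what turns the statutory deadline into something the team is told about before it is missed, and the per-request log is what an auditor can read back to see that it was.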

Datahub Consulting are experts in a number of data protection laws from around the world. If your organisation processes the personal information of data subjects in many countries, then you may need to comply with multiple data protection laws. Some laws (like GDPR) have extraterritorial scope, and this may affect the number of laws that your organisation needs to comply with. As experts we can advise on all aspects of data protection accordingly. We have worked with clients to deliver successful data protection projects under the laws listed below.

Europe

  • General Data Protection Regulation (2016/679, EU GDPR)
  • UK Data Protection Act 2018 (UK GDPR)
  • Swiss Federal Act on Data Protection (nFADP)

Gulf Region

  • UAE Data Protection Law (Federal Decree-Law No. 45 of 2021)
  • KSA Data Protection Law (Royal Decree M/19)
  • Oman Data protection Law (Royal decree no 6/2022)

U.S. / Canada

  • EU-US Data Privacy Framework
  • Canadian Data Protection (Quebec Privacy Law 25)
  • Canadian Federal Data Privacy Law, Personal Information Protection and Electronic Documents Act (PIPEDA)

African Region

  • Kenya Data Protection Law (2019)

For our airline and airport clients we are the only data protection consultancy that specialises in aviation data. We have a team of experts with a background in working with aviation data. For this reason we set up the Aviation Centre of Excellence (CoE).

Our team has supported a number of airlines in the UK, Europe, and the Middle East on their data protection journey. We are also the Data Protection Officer for some airlines.

View of a plane with skyscrapers

As well as supporting airlines and airports in becoming compliant with data protection, there are a lot of contractual agreements with other airlines and third-party services. Where personal information is involved there will also be data protection clauses within the contracts. We regularly review these data protection clauses and advise the airline accordingly.

To understand more about our Aviation Centre of Excellence then have a look at our website:
Aviation Center of Excellence | DataHub Consulting

Datahub Consulting offer data protection services as modules. This allows organisations to select only the services they require. We understand that no two businesses are the same, and for this reason we sell the services in this way. For any data protection law that we specialise in, we offer:

  • Initial gap analysis to understand where the gaps are, with an action plan to bridge them.
  • Implementation of actions to comply with the data protection law.
  • Data protection audit by an independent auditor, with a detailed audit report.
  • Data Protection as a Service.
  • Telephone support for your internal data protection team.
  • Training and awareness with one of our experienced compliance experts who has a training background.
  • Data protection consulting service. Organisations can pay a day rate to have one of our consultants support your business. This day-rate consulting service does not include data protection officer services. For data protection officer services please see our website for levels of service (Data Protection Officer as a Service | DataHub Consulting).

Fundamentally, the role of the Data Protection Officer (DPO) is to be responsible for reviewing and monitoring the organisation’s data privacy, to inform and advise the organisation on its obligations, and to be a point of contact for data subjects and supervisory authorities.

The requirement for a DPO varies between laws. The EU GDPR (General Data Protection Regulation) and the UK Data Protection Act 2018 do not require all organisations to have a data protection officer. The GDPR articles state when a DPO is mandatory, but there are also
If you are a global organisation, or an organisation that transfers personal information across borders, then we would also recommend having a data protection officer. With more data protection laws coming into force in many countries, having a data protection officer is becoming more important.

We realise that not all customers are the same, and they have different Data Protection Officer requirements.

For this reason, our services and pricing are tiered so that we have a package for every organisation. From Level 2 and above you get a dedicated expert who will work with you, understand your individual needs, and integrate into your organisation.

Different clients have different DPO needs. The different levels of service mean that smaller businesses can benefit without having to pay the same amount as a large global business. Also, an organisation may have an internal data protection team that can undertake most of the duties but just needs support. For these reasons we have six levels of service:

  • Level 1
    Our Level 1 service gives you telephone support from our experts. This is the best level if you have an internal compliance person who may need minimal support.
  • Level 2
    Our Level 2 service is for small organisations, providing you with up to 2 hours of time per month with your dedicated expert, plus telephone support.
  • Level 3
    The Level 3 service, for small and medium-sized organisations, provides you with up to 4 hours per month with your dedicated expert, plus telephone support.
  • Level 4
    Our Level 4 service, for medium to large organisations, provides you with up to 8 hours per month with your dedicated expert, plus telephone support.
  • Level 5
    The Level 5 service, for larger organisations, provides you with up to 12 hours per month of professional time with your dedicated expert, plus telephone support.
  • Level 6
    Tailored services for your organisation, which can be a fully customised approach to your management of data protection.

Our data protection services at Datahub are built around the client’s business and are modular, so the client only pays for the services required. In summary we offer:

  • Data protection implementation services.
  • Dedicated compliance expert that will understand your business.
  • Risk Analysis of all processes.
  • Onsite Audits by an independent expert.
  • Creating or reviewing of compliance documents.
  • Training of staff and management by experienced trainers.
  • Data Protection Officer as a Service.
  • Data Compliance Legal Services.
  • EU and UK representation for non-EU organisations.
  • Provide expert advice on multiple data protection laws.

Datahub are experts in global data protection laws and support businesses large and small all over the world. We work with global airlines, airports, retailers, healthcare organisations, and energy providers.

Contact Our Team

If you are interested in knowing more about our data protection or cybersecurity services, here are the next steps.

It costs nothing to start a conversation with our CEO, who is a data compliance practitioner and subject matter expert in global data protection laws. Our CEO is also an expert in data engineering with 15 years of consulting experience. He has advised global brands all over the world on data compliance and privacy best practices.

Contact us: Contact us | DataHub Consulting
Datahub Consulting Website: Data Consultancy Services | Datahub Consulting
Datahub Risk & Compliance Services: Risk and Compliance | DataHub Consulting

Further reading:
UK Information Commissioner’s Office – Guide to Data Security: A guide to data security | ICO
European Parliament NIS2 Directive: The NIS2 Directive (europa.eu)
Cybersecurity and Data Protection: Cybersecurity and Data Protection: a necessary and powerful duo | European Data Protection Supervisor (europa.eu)
