Scope of Activities
Statutory DPO tasks (Article 39 UK GDPR)
Inform & Advise
Continuous advice on obligations under UK GDPR and related legislation; available to answer staff questions as they come up
Monitor Compliance
Annual plan of audits, spot‑checks and reviews covering policies, training completion, records of processing, technical controls and vendor management
DPIA Support
Written advice on Data Protection Impact Assessments and documented sign‑off before high‑risk processing commences; maintenance of a DPIA register
Training & Awareness
Preparation of induction modules and annual refresher material; delivery of at least two tailored workshops per year
ICO & Data Subject Liaison
Acting as formal contact point for the ICO and data subjects; coordinating responses to consultations, investigations, and complaints
Risk‑based Advice
Ongoing risk assessments that consider “the nature, scope, context and purposes of processing”
Operational Privacy Management
Maintaining and updating Records of Processing Activities (ROPA).
Reviewing and approving privacy notices, contractual clauses and international transfer mechanisms, alongside the customer’s legal team.
Overseeing breach escalation, notification and remediation processes.
Advising on retention schedules and secure disposal.
Managing the DPO email inbox and responding to Data Subject Access Requests and other queries.
SLA of 2 business days on all queries from employees and external parties.
Implementation and Operation of the Drata GDPR Module
Configuration & On‑boarding
Activate GDPR framework in Drata
Map existing controls to Drata’s GDPR control library
Tailor policies to customer context (information‑security policy, personal‑data management policy, vendor‑management policy)
Data Inventory & Evidence
Create or import data processing records
Attach proof for each control (e.g. policy documents, screenshots) in Drata; define automated evidence collection where Drata supports it and custom evidence where automation is unavailable
Task Workflow
Set up automated and custom tasks for policy renewals, evidence reviews, vendor reassessments, and risk‑management activities; assign owners and due dates
Dashboard Readiness
Configure GDPR Readiness dashboard, define target completion dates, and establish remediation plans for “not ready” controls
Knowledge Transfer
Train customer administrators and control owners on Drata task management, evidence submission and reporting functionality
Collaboration with the Customer’s Legal Team
Contractual Terms
Review and approve privacy and data processing clauses in supplier and customer contracts; ensure Article 28 processor terms are in place
Interpretive Questions
Joint analysis when statutory interpretation, case law or regulatory updates affect risk posture
Incident Response
Coordinate legal privilege, regulator communications, and data subject notification wording
Regulatory Monitoring
Exchange updates on legislative changes (e.g., Data (Use and Access) Act 2025) and plan remediation
Deliverables
One‑off at service start
DPO appointment letter and ICO notification
Drata GDPR configuration (framework enabled, controls mapped, tasks scheduled)
Updated Records of Processing Activities (ROPA)
Quarterly
DPO Compliance Report (management‑ready), covering audit results, trends, outstanding risks and recommendations
Updated GDPR Readiness dashboard snapshot exported from Drata
Per DPIA
Written Data Protection Impact Assessment advice note and outcome record
Per breach/complaint
ICO liaison file note, response letters, and lessons‑learned summary
Annual
Board presentation on GDPR compliance posture
Refresh of training content and delivery metrics
All artefacts are stored in Drata (where applicable) and in a shared secure document repository agreed with the customer.
Service Governance
Independence
The DPO reports functionally to the customer’s board (or equivalent)
Meetings
Monthly operational meeting with privacy, security and legal leads
Quarterly report presentation to senior management
Ad‑hoc sessions as required (e.g., for incidents)
Escalation
Formal escalation route to the board chair or nominated director if guidance is overridden or ignored
Resources
Customer provides timely access to staff, systems, and documentation required for the DPO to discharge duties
Out‑of‑Scope / Assumptions
The service does not include acting as an EU Representative under Article 27.
Implementation of technical controls recommended during audits remains the customer’s responsibility.
Legal advice on non‑data protection matters (e.g., employment law, intellectual‑property law) must be provided by the customer’s legal team or external counsel.
The Drata subscription is procured and funded by the customer.
Term and Review
The minimum engagement term is twelve months, renewable annually. Scope, KPIs and fees are reviewed at each renewal to ensure the service continues to meet statutory and organisational requirements.
Last updated