How to Choose Between Ongoing and Project-Based Data Protection Services for Your Business
Written by Data Protection People
Data protection services fall into two categories: ongoing and project-based. But what do they involve, and which is the best for your business needs?
Choosing between ongoing and project-based data protection services often comes down to how often your organisation handles compliance requirements. Businesses with frequent SARs or complex processing activities may benefit from ongoing support, and organisations with a specific compliance need will find project-based services more practical and cost-effective.
TL;DR
- Ongoing services provide continuous data protection support through a retainer or an outsourced DPO arrangement.
- Project-based services are ideal for specific, outcome-focused needs, such as GDPR audits or complex SARs.
- Larger organisations typically benefit from ongoing support due to higher data volumes and complex regulatory compliance.
- The right choice depends on organisational needs, including internal expertise, regulatory obligations and workload.
What Is the Difference Between Ongoing and Project-Based Data Protection Services?
Ongoing services offer continuous support, acting as an extension of your in-house team, while project-based data protection services are focused on a single deliverable or phase within a defined period of time.
Ongoing Data Protection Services
Ongoing data protection services give you access to continuous support from experienced data protection consultants who monitor compliance activities.
It is usually delivered through a monthly retainer, or outsourced DPO arrangement, with predictable budgeting.
Typical services include:
- Managing Subject Access Requests (SARs)
- Reviewing Data Protection Impact Assessments (DPIAs)
- Policy and procedure updates
- Staff guidance and training
- Compliance monitoring
- Incident response support
- Regulatory advice
Project-Based Data Protection Services
Project-based data protection services, on the other hand, have a fixed scope and defined deliverables. They address a specific challenge, rather than offering general support.
There is a one-off cost for the project, which can include work such as:
- GDPR audits
- Gap analyses
- DPIA reviews
- SAR management for a complex request
- Policy implementation
- Data mapping
Which Businesses Benefit Most From Ongoing Data Protection Support?
Ongoing retainer support is often most valuable for organisations that deal with large volumes of personal data, complex processing activities or frequent compliance requirements.
Businesses That Manage High Volumes of Personal Data
Businesses that handle large volumes of personal data are at an increased risk of non-compliance. They might also deal with more frequent SARs that require specialist support.
Healthcare providers such as GP practices, clinics and NHS organisations all handle large volumes of special category personal data, which comes with their own set of complex data protection requirements.
Other sectors that process high volumes of personal data include housing providers, educational institutions and financial services firms.
Organisations Without an Internal DPO
Many organisations don’t have a full-time DPO. It is costly and only offers one point of expertise. Ongoing data protection support offers a cost-effective alternative that gives businesses flexibility as their needs change.
Businesses That Need to Maintain Compliance Throughout the Year
Businesses that are constantly changing and need to maintain compliance year-round will benefit from ongoing data protection support.
It could be that you’re adding new processing activities, onboarding new suppliers or creating new policies, and you’re conscious that this puts you at risk of non-compliance.
When Is Project-Based Data Protection Support Better?
Project-based support is ideal when a business has a specific objective or needs a specialist for a defined piece of work and doesn’t have the right resource or expertise internally.
Completing a GDPR Audit
A GDPR audit should be very in-depth, uncovering your business’s compliance gaps, benchmarking against current requirements and producing a prioritised action plan.
An independent data protection expert who can give you a clear, actionable report is ideal here.
Managing a Complex SAR
From tight deadlines when you’re trying to manage other workloads to reviewing and redacting potentially hundreds of documents, along with the risk of complaints to the ICO, a complex SAR can be very overwhelming and resource-heavy.
A SAR handling service ensures swift and accurate responses, without pulling your team away from their day-to-day work.
Implementing New Policies or Procedures
New privacy notices, incident response procedures or employee monitoring policies require more than just a tick box ‘have you read it’ exercise. The ICO expects your staff to be adequately trained, and that you can evidence compliance.
Outsourced data protection experts can assist with the creation of new policies and procedures, as well as help you demonstrate accountability.
Conducting a DPIA
A data protection impact assessment is required if you:
- Conduct a systematic evaluation of individuals’ personal aspects using automated data
- Process sensitive data on a large scale
- Systematically monitor public areas on a large scale
A DPIA is time- and resource-intensive, and hugely benefits from outside expertise. It will ensure that the assessment is done efficiently, expertly and with minimal delay.
Which Option Is Best for Different Sectors?
Different industries face different compliance pressures, making the ideal support model dependent on sector and activity.
| Sector | Recommended Approach | Why |
|---|---|---|
| Healthcare | Ongoing support | Sensitive data and regulatory obligations |
| Education | Ongoing support | Frequent data requests and safeguarding requirements |
| Housing Associations | Ongoing support | Large resident datasets |
| Manufacturing | Project-based or hybrid | Lower regulatory complexity but may have project requirements |
| Professional Services | Hybrid approach | Ongoing advice with project requirement |
| Startups | Project-based | More cost-effective initially |
How Do You Decide Which Service Model Is Right for Your Business?
The best choice for your business depends on your compliance workload, risk profile, internal expertise and available resources.
Ask these questions:
- How often do we handle personal data? If the answer is all the time, you’re more likely to need continuous support.
- Do we regularly receive Subject Access Requests? If the volume of SARs feels sporadic and manageable, but they are increasingly complex, then you may need project-based support as and when you need it.
- Do we have internal data protection expertise? If you lack internal expertise and find yourself in need of day-to-day management, ongoing data protection support may be best.
- Would compliance failures create significant operational or reputational risk? If yes, you may need ongoing support to reduce the risk of non-compliance.
Get The Support You Need From Data Protection People
There’s no one-size-fits-all approach, which is why we strive to make Data Protection simple to understand. Our world-class team of experts offer support tailored to you, whether you’re a healthcare organisation with specific regulatory needs or a startup in need of support to complete a GDPR audit.
FAQs
What are the benefits of hiring an outsourced DPO?
The benefits of hiring an outsourced Data Protection Officer (DPO) include:
- No conflict of interest
- Access to industry experts
- Cost-effective
- Maximal productivity
- Minimal data breaches
What is the average cost of a retainer package?
The average cost of a data protection package depends on what level of support you need. Get in touch with our experts, and we’ll be able to give you a quote.
How much weekly support does a business on a retainer package get?
It depends on how much support you need to ensure that your business remains compliant. A business with lower needs requires fewer days of support.