ProDPO™ is a team of experienced data professionals led by James Castro-Edwards and Mick Gorrill. We assist businesses with their increased responsibilities under the GDPR. Having a data protection officer is the cornerstone of good practice for companies and ProDPO™ provides DPO services on an outsourced basis, taking the burden away, and enabling you to focus on running your business.
Meet the team
James Castro-Edwards is a solicitor specialising in data protection. He advises domestic and multinational organisations, including FTSE 100 and Fortune 100 companies, on a broad range of data protection issues. As well as providing legal advice, James has developed and delivered innovative data protection training programmes, including a data protection officer training program that was accredited by a European government and regularly provides data protection content for The Law Society. James frequently speaks on data protection matters and is widely published, regularly appearing in the national and trade press. He is regularly asked for comment in the media, including TV and radio.
James Castro-Edwards wrote The Law Society textbook on the GDPR. Titled “EU General Data Protection Regulation: A Guide To The New Law”, you can find out more here.
(Head of Data Protection Compliance and Regulatory Affairs)
Mick Gorrill retired from the Greater Manchester Police in May 2004 after thirty years’ service. He became the Head of Investigations at the Information Commissioner’s Office. He was responsible for the investigation of all criminal offences in the Data Protection Act 1998. In 2005, following a restructure of the ICO, he was promoted to Assistant Information Commissioner, Head of the Regulatory Action Division. He was responsible for Audit, Investigations and Enforcement. In 2010 he became Head of Enforcement at the ICO and was involved in the issuance of the first monetary penalties. At the ICO he led many investigations into serious data protection security breaches and complicated data protection compliance cases. Since retiring from the ICO in 2011, Mick has been employed by three London privacy law firms as a data protection consultant.
Elizabeth is an associate solicitor who advises clients on a broad range of data protection issues and regularly advises on complicated data protection matters. Elizabeth regularly advises on data protection impact assessments (DPIAs), data sharing arrangements and the impact of data protection law in complex areas such as direct marketing and the use of website cookies, and employee vetting. Elizabeth has written a number of White Papers including advising a client on the data protection implications of a digital migration of an application system, and advising clients on their roles as a controller or processor in the context of providing statutory services to local authorities, and conducting detailed background checks.
The team has industry experience spanning a number of sectors. Our industry expertise helps organisations meet their increased responsibilities under the GDPR.
The advances in technology for the healthcare devices sector bring continued challenges for many organisations.
The increasing responsibilities under the GDPR have significant implications for those who are dealing with personal data related to health in the context of healthcare devices.
Providing quality through expertise, we work with med-tech companies who are looking for an alternative solution to directly employing a data protection officer.
Providing European DPO services to a med-tech organisation
Background: This US-headquartered, NASDAQ-listed medical devices company develops, manufactures and sells a family of surgical products and cardiovascular devices to customers worldwide. Its annual turnover for 2019 was US$230 million. It has offices in the US and EU and a total global staff of approximately 750.
The company holds personal data relating to its employees and to healthcare professionals (HCPs) that use its products. It also holds personal data (including personal data relating to health, one of the ‘special categories of personal data’) gathered from clinical trials.
The company undertook a General Data Protection Regulation (GDPR) readiness project in 2017/2018, which was managed by the compliance team operating from the client’s US headquarters. The company concluded that it processed special categories of personal data on a large scale, thereby triggering Article 37 of the GDPR, which requires the appointment of a data protection officer (DPO).
The GDPR permits the role of the DPO to be fulfilled by an external service provider. The company decided to use an outsourced DPO as it felt there was not likely to be sufficient work to justify hiring a full-time employee, and to ensure that the role was performed independently and to benefit from the external DPO’s experience gained from other clients.
The company approached ProDPO with a view to obtaining external support for its existing compliance team, on a ten hours per month basis. ProDPO has provided remote support by telephone and email to the client’s existing compliance team, reviewing data protection related documentation and advising on data protection related queries such as how the client could lawfully promote its knowledge sharing web platform and conferences to HCPs.
The client subsequently hired an internal DPO, to whom ProDPO provided support in relation to particularly complex issues where a second opinion was required, as well as support with overspill work when the internal DPO required additional capacity. ProDPO has worked with this client since May 2018.
ProDPO has been able to bring its breadth and depth of experience to benefit the client, by providing practical, risk-based advice. For instance, the ProDPO team was able to draw on its experience gained from other clients in relation to direct marketing, when advising this client on how to promote its HCP web platform.
With the adoption of the GDPR in 2018 the EU is raising the bar in how it protects the interests, rights and data security of individuals. The GDPR replaced the Data Protection Act 1988.