Churchill Group is one of the UK’s leading soft service providers. It specialises in, cleaning, security, environmental compliance and guest services across a variety of sectors. Its long list of clients includes British Land, The Instant Group, Scottish Power, The Institute of Directors, GTR, Eurostar, Network Rail High Speed, LSER, JLL, Port of Dover, Canary Wharf Management, Norton Rose, Dorset Fire and Rescue, c2c and The GLA.
Churchill prides itself on being easy to do business with. Its ethos is to do right by its people, customers, society at large and the planet, with digital transformation as a core principle in making this happen.
In Brief
- Churchill handles large quantities of personal, specialist and financial data for its customers, contractors in its supply chain and its c14,000 employees.
- norm.’s data protection as a service (DPaaS) is a flexible and comprehensive offering, individually tailored to complex business environments with the highest information security requirements.
- By appointing norm. to be its external data protection officer (DPO) function, Churchill Group has met its data protection needs in a speedy and affordable way. Its undiluted access to norm.’s expertise, combined with guidance on GDPR and other compliance matters, has eased the workload on its teams and opened doors to future business growth.
The challenge
With so many high-profile clients across the public and private sectors, Churchill is conscious of the immense responsibility to safeguard the data it holds and handles, which also includes the sensitive data its personnel encounter in a physical sense.
For some time, Churchill already had an established Group General Counsel, Simon Clegg, at the helm of its data protection programme, but some areas such as GDPR compliance remained a shared responsibility across various departments. Following a period of growth, Churchill recognised the need to hire a specialist DPO, who would take ownership of the programme in line with a clearly-defined brief, bring state-of-the-art expertise in this area, and who would free up resources elsewhere.
“We began by searching for budding DPO applicants but it quickly transpired that typical salaries are in excess of the budget we’d assigned to the role,” Simon explains. “We also realised we’d be taking a risk, as there would be no guarantee we had truly found the right person until considerable time had elapsed. There were too many uncertainties.”
Simon then turned his attention towards legal firms as another viable option, but found that they don’t typically offer DPO services – rather, they perform specific or discrete tasks on an ad-hoc basis. What Churchill Group was looking for was an embedded, responsive and flexible service which it could use on a daily basis.
“This is when we had a lightbulb moment,” Simon says, “to outsource the role of the DPO, rather than hire a new one internally. The benefits of such a move seemed clear: a virtual DPO would be sufficiently experienced right from the start, available to us as and when required and – crucially – would operate within budget.”
The solution
During this search for an external DPO, Simon was put in touch with Robert Wassall, Director of Legal Services at norm., and he realised he’d found the right person for the job: “Robert makes such a dry and all-consuming topic as GDPR engaging. He and his team quickly met and exceeded our expectations of what is possible with an external DPO.”
norm.’s DPaaS services provide a comprehensive review of business processes and policies, complete with guidance and personnel training to ensure organisations stay compliant and meet the obligations of the GDPR, such as policies, subject access requests (SARs), data protection impact assessments (DPIAs) and breach handling.
Its Data Protection Premium Cover in particular was designed for organisations such as Churchill Group, which
- Handle special category data and/or financial data about individuals
- Transfer personal data outside the UK/EEA
- Rely on multiple third-party providers to deliver a service or product
- Require robust data protection provisions in their contracts
Under this Cover, Churchill receives norm.’s most hands-on service, including:
- Implementation of the ‘Action Plan’ containing tailored recommendations and benchmarks for the business
- Review of contracts the business holds with suppliers/partners to assess these from a data protection standpoint
- Personal Data Breach Service Availability 24/7/365
- Guidance and support for International Data Transfers
- Attending internal meetings and developing a data protection culture.
The Benefits
“Onboarding norm. could not have been easier. Within a week of signing the contract, the cogs were in motion. Robert and his team got straight to work, reviewing our existing policies with input from us, while also assessing where our sensitivities lay as a business,” Simon explains. “They were proving their worth from day one – which compares very favourably with the time it would take to get the same value from a new hire.”
The new service ticked all the boxes, including the price-point. norm. estimates that its data protection managed service costs up to 70 percent less than hiring an in-house DPO and is also a significant cost-saving compared to legal firms’ retainers.
“All the alternative options combined could not have given us such a comprehensive service as norm.’s, but it would have cost us multitudes to go with either one of them,” says Simon.
“The flexibility of the service is equally impressive. We consult with norm. sometimes daily, Robert has presented at our Group Leadership meetings, and it feels like he and his team are just part of our own team – just an extension of us and our values,” he continues.
By taking full ownership over data protection, norm. has relieved Simon and his colleagues of previously laborious compliance duties, as well as some more routine communication with partners and suppliers – to whom, the perception is of one seamless operation. Simon himself is now able to focus his attention on more strategic tasks to aid the company’s further growth, including navigating new, more scrupulous contracts in the public sector.
As Churchill Group sets its sights on ever-larger and more complex business agreements, norm. is by its side to provide guidance, assist in attaining new accreditations such as ISO27001 and help open new doors with greater ease on the data protection front.
“We’ve achieved a great deal over the past year of working with norm.,” Simon concludes. “The company’s no-drama, no-nonsense approach to data protection really struck a chord with us – it’s a natural fit with our ethos of doing right by all and helps us deliver on our mission of making people happier and safer in their environments. We look forward to seeing what the future holds for our partnership.”