
FOI - Data Protection services [May 2025]

Key information

Request reference number: MGLA240425-4623

Date of response:

Summary of request

 

Request and responses (in bold):

Under the Freedom of Information Act 2000, please provide the following information about your procurement of any
(i) external Data Protection Officer (DPO),
(ii) Data protection GDPR compliance services
for the period FY2022-23 to FY2024-25:

1. Current DPO arrangements

1.1 Is the organisation’s DPO and other staff that work on data protection compliance:
(a) An internal employee
(b) A DPO provided by an external service provider
(c) Hybrid (internal staff with external service provider support)

The GLA’s DPO is an internal employee. This has been the case throughout the period covered by your request, FY2022-23 to FY2024-25.

 

1.2 Where services are provided by external providers, please share the following information:
(a) The Company name(s)
(b) Annual spend by your organisation (FY2022/2023 through to FY2024/2025)
(c) The highest day rate paid
(d) Contract dates (start/end/renewal terms)
(e) A brief description of the project or services provided (for instance, project title or internal reference)
(f) Services covered (e.g., audits, breach management, SAR management, delivery of DPIAs)
- Please indicate what deliverables were produced
- Procurement method (e.g., open competition, framework agreement, direct award) and name of the procurement framework, if applicable.

Not applicable

 

2. Consultancy Spend

2.1 What is the organisation’s total annual expenditure on data protection/GDPR consultancy services?

2.2 For SoW/projects which have a spend of more than £5k, please share the following information:

- Supplier company name
- The scope of the Project (e.g., "ICO investigation support", DPIA support, Internal Audit recommendation support)
- Spend
- Procurement method

Not applicable (nil)

 

3. Data Protection Compliance staffing
3.1 The number of in-house data protection staff in the organisation? (FTE)

One Data Protection Officer (FTE).

Additionally, there are 3 Information Governance Officers whose roles include elements of Data Protection (FTE).

 

3.2 Are there any vacant roles? (Yes/No)

There is one Senior Knowledge & Information Manager role (vacant)

 

3.3 Were there any ICO investigations, audits, or enforcement actions for the period from FY2022/2023 to FY2024/2025?

The GLA was named in an ICO reprimand to the Mayor’s Office for Policing and Crime (MOPAC). The GLA supported MOPAC in an ICO investigation in early 2023 as the data processor for the personal data that was breached. However, the reprimand was issued against MOPAC as the data controller. Details can be found at: "ICO reprimands London Mayor's Office for Policing and Crime for complaint web form error" (ICO).
 

The ICO investigated a cyber security incident and data breach involving the GLA and TfL in September 2024.

Cyber security incident in September 2024 - Transport for London

 

4. Future Plans

4.1 Is your organisation planning to put out to tender for any DPO/GDPR services in the current financial year?

4.2 If yes please provide the following:
Expected timeline
Budget range
Key service requirements
Procurement method
 

There is no plan at this time for DPO/GDPR related services tender. The GLA does not hold information in scope of this part of your request.
