HESA Drive Digital Transformation with Bridewell’s DPO as a Service

HESA, the Higher Education Statistics Agency, are the experts in UK higher education data. They are the designated data body for England and perform a similar function for the devolved nations. HESA collects, assures and disseminates higher education (HE) data in the UK and are a trusted source of HE data and analysis. Using this knowledge and expertise, they provide a rich, open source of HE information for data users.


In 2021, HESA needed a senior Data Protection Officer (DPO) within their organisation to manage all their statutory requirements, provide expert consultancy, and support with a number of major projects and digital transformation initiatives. Working with Bridewell, HESA were not only able to achieve these goals, but integrate their named DPO throughout the organisation to bring additional strategic value, manage resource levels, and maintain best data privacy practice.

Client: HESA

Service: Data Protection Officer (DPO) as a Service

Objective:  Integrate best-in-class data privacy expertise and experience into their organisation and drive large-scale projects

The Challenge

As a leading HE data source and one of the largest processors of data in the UK, HESA handles ‘special category’ (highly sensitive) data for over 30 million people across England, Wales, Scotland and Northern Ireland. To ensure that this data was handled securely and in compliance with all relevant regulations, HESA needed a highly qualified and driven DPO with the skills to both manage their data privacy function and support a major transformation project. For HESA, data is a core part of every aspect of their business and ensuring the right practices are in place is essential to their operations.

The challenge for HESA was finding a suitably qualified DPO to occupy the role at an appropriate cost and within a reasonable timeframe. As with many cyber security roles, data privacy experts are in high demand and there were few candidates with the right expertise and experience to match HESA’s requirements.

"We didn’t just want our DPO to come into HESA to run the data privacy team and maintain business as usual. We needed someone who could add strategic value to our processes and the major projects that are key to our current operations and future ambitions."
Louise Morrison
General Counsel, HESA

Given the size and scope of their organisation, data protection teams and architecture, HESA recognised the importance of finding the right person for the role and concluded that using a service provider to find a suitable DPO was a good option. Rather than undergoing a timely and expensive recruitment process, outsourcing to Bridewell assured them of a highly certified data privacy expert to lead their data protection team. 

The Solution

In parallel to seeking a DPO, HESA were already engaged with Bridewell in an implementation project. Given the success of the infosec project and their strong relationship with the Bridewell consultant running it, HESA decided to bring them into the business as their named DPO.

"Bridewell was our first choice for a DPO. I had only been working with [our Bridewell Consultant] for a few weeks but, given the quality of their work, it was clear that the standard they provided matched if not exceeded our requirements."
Louise Morrison
General Counsel, HESA

One of the first projects to support was a heavily technology-based business transformation, ‘Data Futures’, which was designed to wholly upgrade HESA’s existing infrastructure. The goal was to build a new technology platform within AWS that was fit for the digital age and would drive efficiencies in the higher education sector. Embedding data protection controls whilst maintaining a streamlined and agile programme of work was essential, given the scale and value of the project.

HESA’s named DPO supported across the entire programme, implementing a governance structure, offering complex technical advice in real-time throughout development, and ensuring that data protection was embedded by design. This was further supported by penetration tests from Bridewell’s offensive security team to ensure the integrity of the new platform.

Further to the Data Futures project, HESA also required their named DPO to support in a merger transaction with Jisc. In this capacity, they performed all required data protection workstreams in connection with the merger. Thinking ahead, a roadmap was created by
our DPO support to determine how the two separate data protection teams from each of the merger partners could be most effectively integrated after completion.

"Chris, our named DPO, has been a trusted senior partner throughout the merger."
Louise Morrison
General Counsel, HESA

The Results

With Bridewell’s DPO as a Service, HESA were able to rapidly bring significant data privacy expertise and experience into their organisation. With a Bridewell consultant as their named DPO, they have a highly qualified, reliable data privacy expert who singlehandedly advises the business and works with them to solve their challenges. Regularly communicating with and providing recommendations to key internal and external stakeholders, they have performed a fundamental role in major projects essential to HESA’s operations.

Leading their data privacy team, their named DPO has written the entire data privacy compliance program and provided substantial support in improving multiple data workstreams.

"With Bridewell as our named DPO, we’ve been able to hand over full responsibility to our consultant. It’s an end-to-end service and we trust in their expertise and understanding of our business to advise our board, solve our data privacy challenges, and support our business objectives."
Louise Morrison
General Counsel, HESA

They have helped manage resource levels of the existing data privacy team and brought on additional Bridewell consultants when needed for further support. This is not just true of their typical business as usual operations but of their role in Data Futures and the merger, where they have acted as a trusted, senior adviser.

"A lot of our external stakeholders have come to rely on Chris [our named DPO]. He has formed a significant part of day-to-day operations and is an ambassador of the company. His high performance has helped us establish a bestin- class team and has raised the status of HESA within our sector."
Louise Morrison
General Counsel, HESA

Since using Bridewell’s DPO as a Service, HESA has taken on another of Bridewell’s data privacy consultants to provide further bandwidth and is open to working on additional projects with them in the future.

For more information on our DPO as a Service, or our other data privacy services, get in touch with one of our consultants at hello@bridewell.com or +44(0)3303 110 940.