Background
The HATS Group is the UK’s leading private provider of patient transport, home-to-school transport for children with Special Educational Needs and Disabilities (SEND), and private passenger hire services. Supporting NHS Trusts, local authorities, and a wide range of public and private healthcare bodies, HATS Group delivers over two million passenger movements each year.
As a growing organisation, HATS Group recognised the need to further strengthen its data protection practices to support continued expansion and increasing regulatory demands. They engaged The DPO Centre to provide expert advice and practical support in building a more robust and structured approach to data protection compliance.
Key Challenges
- Managing multiple DSARs
- Maintaining RoPA and IAR
- Oversight of vendor management process
Solution
HATS Group experienced a significant increase in the volume and complexity of Data Subject Access Requests (DSARs) and engaged The DPO Centre’s specialist DSAR team to support large and high-volume requests. Their designated DPO also implemented a clear internal process and delivered targeted staff training on how to recognise, manage, and respond to requests appropriately.
The DPO Centre assisted HATS Group with the review and development of a comprehensive Records of Processing Activities (RoPA) and Information Asset Register (IAR), both of which are legal requirements under the UK General Data Protection Regulation (UK GDPR). Working across departments, the DPO mapped data processing activities, clarified lawful bases, and assigned process owners, with the register now regularly maintained.
To strengthen operational consistency, the DPO also designed and implemented a formal vendor management workflow with supporting documentation. This structured process ensures that appropriate risk assessments and due diligence are consistently applied when onboarding new suppliers or evaluating new features and functionalities of existing ones.
Outcome
James Graydon, People Director at HATS Group, said: ‘Our business processes large quantities of sensitive and third-party information, so strong information governance is essential to reassure our business owners and stakeholders. Since 2021, The DPO Centre has helped us establish great information governance foundations across the company. They have also supported us with tenders, audits, DSARs, and breaches in a calm and supportive way through to resolution. The consultants that I have had the pleasure to work with have been so professional and knowledgeable, guiding us through best practices and governance. I could not imagine being a Senior Information Risk Owner (SIRO) without their support.’




