Severn Hospice

Case Study

Kerry Davies, Director of Finance and Information at Severn Hospice, was concerned about how the hospice could best handle its data in a way that it complied with both GDPR and the NHS tool-kit surrounding information governance. Severn Hospice owns two hospices – in Telford and Newport – and 26 shops across the Midlands.

The Challenge

With the introduction of GDPR came a duty for public authorities or organisations which carry out certain types of processing activities to appoint a data protection officer (DPO). The DPO must have a certain level of independence from the organisation’s purpose for data collection – the role can be inhouse or outsourced. They must also be an expert in data protection, adequately resourced and report to the highest management level.

“We know several charities have already been fined for breaching GDPR. No matter how noble your cause, no organisation is exempt from GDPR’s jurisdiction,” says Kerry. “We hold large quantities of personal data including that of patients, staff and donors which all need to be protected with a high level of security. “This troubled us as we hold such a large amount of very different types of data. We lived in fear of the risk of hacking and, even worse, ransomware demanding payment in Bitcoins. “Some of the complexities surrounding information governance and how best to appoint an external data protection officer were problems we knew we needed outside support to solve. “A former colleague of mine had met Harj and the Aristi team at an event and mentioned them to me. “As we needed someone we could trust implicitly, we undertook an in-depth search: their website, Google, credit checks etc. Aristi came across so well in terms of both their offering and their professionalism.”

The Solution

A GDPR review to identify any gaps in compliance and develop an improvement plan

A Virtual DPO service providing access to GDPR expertise

Monthly compliance audits to provide assurance to senior management and identify next priorities

A penetration test to identify any security vulnerabilities in Severn Hospice’s IT systems and provide remediation guidance

Cyber Essentials Plus certification to provide assurance to internal and external stakeholders of Severn Hospice’s commitment to good cyber security

The Outcome

“As soon as we met Aristi, we immediately gelled with them. Their depth of experience was abundantly clear. Everything worked like clockwork. Their advice was always timely, really valuable, genuine and independent. I felt you could really trust their advice because their professionalism and reputation hangs on how well they protect us. “Some of the changes we needed were quite worrying,” says Kerry, “But Aristi assured us that many organisations were in the same position but at least we were getting our house in order. He made it so simple for us – advising us through the whole process, providing continuous support often at short notice.“


I suppose the absolute test will be when the Care Quality Commission (CQC) calls for an audit which they can do at any point. With little or no warning, they can come in and test every element of our business. Understandably, a key focus right now is information handling. Aristi has filled us with confidence that we will fly through the CQC’s security checks. That peace of mind is precious. But putting their professionalism and credibility aside – Aristi also make you painfully aware of how badly things can go wrong and the consequences, if and when, they do. Cost is just one factor. Being a charity, reputation is so important. Aristi has helped minimise our reputational risk. We’re now working with Aristi to continually perfect our systems to keep us one step ahead of cyber attackers

Kerry Davies

Director of Finance and Information

0121 222 5630

Got an enquiry? Please don't hesitate to contact us.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Our Services

Cyber Security

We support public and private sector organisations to reduce their cyber exposure.

To find out more, click the read more button below. Or, alternatively please get in touch.

Our Services

Managed Security

We can manage your cyber security and data protection for you.

To find out more, click the read more button below. Or, alternatively please get in touch.

Our Services


We provide training courses for key roles and general user security awareness.

To find out more, click the read more button below. Or, alternatively please get in touch.