DPO as a Service
What is a Data Protection Officer?
Article 37 of the GDPR provides for a Data Protection Officer (DPO) to be designated where the organisation is a public authority or body, or if certain types of data processing activities, for example, processing of special categories of data on a large scale or data relating to criminal convictions and offences, are conducted. Other than in these specific cases it is not mandatory to appoint a DPO.
However, before taking a decision whether or not to employ the services of a DPO, organisations are advised to review their particular situation and whether their data protection procedures would be adequate in the absence of a DPO. Through our GDPR Compliance services we can assist with this early stage analysis and determine the most cost-effective option for your organisation.
The Role & Duties of the Data Protection Officer
Article 38 of the GDPR establishes the position of the DPO within an organisation and the duties of that organisation - as either a data controller or data processor - to ensure the DPO is involved in all issues relating to the protection of personal data.
Article 39 of the GDPR details the tasks a DPO is expected to undertake. As a minimum these include:
- Informing and advising the data controller or data processor and its employees of their obligations to comply with the GDPR and other data protection laws;
- Monitoring compliance with the GDPR and other data protection laws, including managing internal data protection activities, training data processing staff, and conducting internal audits;
- Advising on data protection impact assessments when required under Article 35;
- Working and cooperating with the controller’s or processor’s designated supervisory authority and serving as the contact point for the supervisory authority on issues relating to the processing of personal data;
- Being available for inquiries from data subjects on issues relating to data protection practices, withdrawal of consent, the right to be forgotten, and related rights.
In parallel with the GDPR, other laws, such as the Privacy and Electronic Communications Regulations (PECR), overlap with it in many areas, and organisations that conduct any sort of Personalised or Direct Marketing activity will need to be aware of the impacts and ensure compliance with each. For most organisations, compliance with these various legal requirements will prove quite onerous, not least because the additional cost of hiring a specialised resource from outside their own business sector is an overhead they can ill afford.
However, the GDPR recognises that many small- and medium-sized organisations will be economically unable to satisfy the requirement of employing their own DPO and, accordingly, makes provision for the engagement of a third party to provide the necessary expertise and oversight.
We also recognise this need and, through our Data Protection Officer As A Service, offer firms the opportunity to outsource their DPO responsibilities to us. There are a great many aspects with which our Associates can assist, including:
- Monitoring the organisation's ongoing compliance with the GDPR and other data privacy-related laws;
- Conducting Data Privacy Impact Assessments as part of ongoing business-as-usual activities;
- Liaising with the relevant National Data Protection Authority (in the UK, this is the Information Commissioner's Office);
- Maintaining oversight of, and providing guidance to, firms in meeting their data privacy and GDPR obligations;
- Where required, assisting the drafting of, or actually responding to, Subject Access Requests.
Irrespective of the GDPR-related activities conducted internally within an organisation, there are several advantages in employing an external or outsourced DPO Service, especially:
- Knowledge and experience within your specific business sector;
- Availability of independent, commercial expertise;
- Independence of position and removal of any potential employment conflicts of interest;
- A cost- and time-effective solution;
- Ongoing advisory services ensuring organisationally-focused compliance activities;
- Bolt-on GDPR training and ongoing compliance advisory options.