Data Protection Officer Outsourcing
GDPR introduced a new governance structure in the form of the data protection officer (DPO). The role of the Data Protection Officer is clearly set out and “is a combination of advisor, educator and point of contact for both the supervisory authority (SA) and data subjects”. (Kelleher and Murray, EU Data Protection Law, 2018 at p.246) The DPO’s function is one of seniority and total independence within the overall operation of the data controller. It represents a robust means of internal regulation with compliance as the ultimate goal.
It is not mandatory for every organisation to appoint a DPO but the controller and the processor shall designate a DPO in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Art. 9, and personal data relating to criminal convictions and offences referred to in Art. 10.
“A DPO may be a member of staff at the appropriate level with the appropriate training, an external DPO, or one shared by a group of organisations, which are all options provided for in the GDPR”. (Office of DPC, Guidance Notes on DPO)
Many smaller organisations will struggle to find an appropriately trained person to fulfil the role of DPO. Employing one full-time may put pressure on resources. A decision to employ a part-time DPO may have been taken without a full awareness of the extent and scope of the responsibilities that the role demands. Where the DPO acts in another capacity, there is a danger that the effectiveness of the DPO’s role can be undermined and compromised.
GDPR foresaw these possibilities and Art. 37 (6) allows for the DPO to “be a staff member of the controller or processor, or fulfil the task on the basis of a service contract”.
This is where the expertise of GDPRXpert is most effective and beneficial. We will carry out the roles, functions and duties of the Data Protection Officer in an independent and objective manner. Our knowledge and experience will immediately augment your organisation’s compliance level, by facilitating accountability and transparency. GDPRXpert provide a high-quality external Data Protection Officer service. It is cost-effective and allows a more measured allocation of resources. At the same time, it delivers and executes a practical and structured compliance solution for the smaller business or organisation.
Remember! We are the experts. You don’t need to be an expert. You just need to be compliant. Our data protection officer service will get you there safely.