A Data Protection Officer (or DPO) is a position or contractor that helps the company introduce and maintain compliance with the data protection laws across the European Union and European Economic Area. A Data Protection Officer should not be confused with a Chief Protection Officer, Chief Privacy Officer or Chief Information Security Officer (and cannot be replaced by a chief officer the company might have had in place before May 2018).

The position of the DPO was first introduced in the Data Protection Directive of 1994, the predecessor of the GDPR. In May 2018, the position was reintroduced as mandatory in some cases, now without any corresponding requirement in national law. If the company meets the thresholds set out in Article 37(1) of the GDPR (see below), it automatically needs to appoint a DPO.

You can learn more about DPOs on our Blog.

DPO as a service is:

Training and keeping a high level of knowledge of the team

The DPO helps the team understand data protection policies and learn the important points.
High performance of employees confirms the overall compliance of the company.

DPIA for new processes/products

The DPO monitors the need for a DPIA and helps employees carry it out.

Planned audit of data protection documentation

The DPO sets a schedule for document revision and updates the documents to reflect accumulated business process changes.
The DPO monitors amendments to the law and promptly carries them over into the company's process of responding to requests.

Communication with users (requests response)

The DPO is one of the first people the data subject contacts, and he or she coordinates the process of responding to the request.


Communication with customers (privacy questions)

The DPO assists the sales department in negotiations with clients. Together with the marketing department, the DPO shows the company's respect for and compliance with data protection rules when communicating with clients.

Communication with the data protection supervisory authorities

The DPO communicates with the supervisory authority and prepares responses to its requests, and also contacts the authority to request a consultation or to notify it of an incident.

Privacy Consulting

Our privacy experts:

Kateryna Dubas
Head of Privacy, CIPP/E

Anton Tarasiuk
Managing partner, CIPP/E

Igor Kotkov
IT lawyer

FAQ:

It doesn't matter what role your organisation plays in a chain of data processing. Both controllers and processors must, if they meet the threshold, hire or contract a DPO.

Article 37(1) of the GDPR requires the designation of a DPO in three specific cases:

  • where the processing is carried out by a public authority or body;
  • where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale; or
  • where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offences.

    If you are not sure what some of these definitions mean with respect to your processing practices, you may ask our privacy team. Schedule a call to learn more about our DPO as a service and whether we can be a perfect match for your organisation.

    This list can be complemented with the requirements of the EU member state law you have to comply with. So, you should check your national law to know whether you have to designate a DPO (especially if you are working with health data, banks, national IDs, religious or legal information, or otherwise have access to the data protected by confidentiality or secrecy). 

    Also, be aware of the differences in how the thresholds are applied. For instance, one state can measure "large scale processing" by the percentage of users in the population of a specific area. Another state may link "large scale processing" to a particular number of unique users in a company's database.

    However, if you have doubts, it may be sensible to hire one just in case.

The GDPR doesn't set a strict rule that the DPO must be an employee. On the contrary, it clearly mentions "external" DPOs, describing the contents of the service contract if you decide to outsource this task to a skilled independent professional (or even a privacy team).

Article 37(5) provides that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39’. Recital 97 provides that the necessary level of expert knowledge should be determined according to the data processing operations carried out and the protection required for the personal data being processed. 

Other skills include: 

  • Level of expertise (in relevant fields).
    We worked with gamedev, cloud solutions, e-commerce, online education, AdTech and digitalised offline businesses. Please look at our Clutch page to learn more. 
  • Professional qualities.
    We work closely with the privacy laws of the U.S., the European Union and Ukraine. We are certified and trained lawyers, and we have relevant expertise in dealing with DSARs, assisting with supplier assessment checks and drafting data processing agreements.
  • Ability to fulfil its tasks.
    We have a variety of services to offer, from relevant consulting and drafting necessary documents to navigating complicated court proceedings and out-of-court confidentiality violation disputes.

The GDPR makes it clear that it is the controller, not the DPO, who is required to ‘implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation’ (Article 24(1)). Data protection compliance is a corporate responsibility of the data controller, not of the DPO. 

However, the data controller benefits from the DPO's expertise and insights as a counsel. The DPO is therefore accountable to the company's top management, including the highest management circles. The CEO, CFO, CISO, CLO and other chief officers shall keep in mind the advice of the DPO and make sure that the DPO has all the resources necessary to provide them with the most relevant information and assessment results.

The DPO is closely linked to the public image of the company, as the DPO is often the first contact for a dissatisfied user or a worried tech journalist. Choose your DPO wisely.

Sure! 

Get in contact with one of our resident privacy experts and schedule a call to see whether we’re on the same page with your tech. 

You may request an NDA to be signed prior to the call. Otherwise, you can stop by our Kyiv office and enjoy the scenery of the city centre over a cup of fresh coffee. Make sure you've made an appointment so that we are ready to answer your questions.

Have more questions? Get in touch with us