Who should be appointed as DPO?
This can either be an internal position, or can be assigned based on a service contract. Any assignment of a DPO should be free of conflict of interest, and should report to the highest body in the organisation. While a DPO could also have another position in the company, this means that it can not be combined with many other roles, such as CTO, CEO, CMO or anyone in a department with an interest that is not aligned with data protection. The DPO must have the freedom and independence to independently report breaches to the authorities.
If you are dealing with sensitive data, data related to criminal convictions or monitoring users on a large scale, it is likely you will need to appoint a Data Protection Officer (DPO).
DPO as a Service/External DPO
Unless you represent a large organisation, it is usually much easier and more cost efficient to assign an external DPO with a service contract to monitor your compliance for you.
TechGDPR offers DPO services based on a monthly contract, where a certain amount of service hours are included every month. A DPO from TechGDPR is not only experienced and skilled, he or she also has the technical know-how to talk with you on a technical level, and is your trusted advisor for any privacy and data protection related matters. It’s not just about compliance, it’s also about doing the right thing for your data subjects and your organisation, and TechGDPR helps you with that.
The key tasks of a DPO under the GDPR, include the following activities:
- Informing and advising the data controller or the data processor and the employees who carry out processing of their obligations.
- Monitoring compliance with the GDPR, with other provisions and with the data protection policies of the controller or processor.
- Assigning responsibilities, raising awareness, and training of staff involved in processing operations.
- Performing or leading GDPR related audits.
- Performing or providing advice about data protection impact assessments.
- Cooperating with the supervisory authority.
- Acting as the contact point for the supervisory authority on issues relating to processing.
- Be responsible for prior consultations.
- Having due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Beyond the tasks specified in the GDPR, a TechGDPR Data Protection Officer will help you with many other things as well: handling subject access requests, change advisory and keeping you up to data about technology-related GDPR matters.