Data Protection Officer Outsourcing

  • Your company must appoint a DPO (Data Protection Officer) under Article 37 of the GDPR, but there are no specialists in the labor market with the relevant competencies?
  • You trained an employee on GDPR, but s/he is now leaving for another company for a bigger salary?
  • You are afraid that you will have to communicate with the authorities, but no one in your company wants to take responsibility for the GDPR?
  • You want to appoint a DPO, and you also need her/him to work effectively and to gradually bring your company in line with the GDPR?
  • You are already doing something about the GDPR, but you do not know if it is right?
  • You are acting blindly due to the lack of experience?
  • You spend a lot of time, but you cannot distinguish the important from the secondary?
  • You spend a lot of time and energy on every decision?
  • Do employees, including the DPO, postpone tasks on personal data “for later” because they have direct and more urgent responsibilities?

Entrust DPO responsibility with certified professionals to comply with Article 37 of the GDPR and become GDPR-compliant!

Do you need a DPO?

The GDPR requires the appointment of a DPO (Data Protection Officer), that is, a person responsible for the protection of personal data in cases where your company, by the nature of its activity:

  1. regularly and systematically monitors data subjects on a large scale, for example, using video surveillance cameras, geolocation, or tracking;
  2. works with a large number of sensitive data, in particular related to health, genetics, biometrics, and information on which it is possible to establish racial or ethnic origin, political views, religious or philosophical views.

A DPO is needed so that all processes for protecting personal data have a single owner (process owner), who coordinates the efforts of many departments and is responsible for it. In addition, a DPO will be able to help the organization in maintaining its GDPR compliance as:

  • new processes and projects with personal data are introduced;
  • the structure of the organization is changing with new departments and divisions, branches and representative offices, where you need to configure the process of protecting personal data again;
  • new untrained employees who may violate the Regulation out of ignorance;
  • new Data Processing Agreements with customers or contractors are signed.

Inhouse DPO

It is good to have a competent DPO on staff, as:

  • s/he knows the processes within the organization well;
  • s/he is easily accessible;
  • information and knowledge remain within the organization.

However, there are very few competent DPOs. According to some estimates, in the EU alone it is now necessary to hire more than 75,000 full-time DPOs. Trained specialists are sorely lacking even in Western Europe, not to mention the CIS countries.

Therefore, domestic companies often appoint one of the existing employees to the DPO role, increasing their workload, as well as investing considerable time and money in her/his training in GDPR, for example, in our Data Privacy Professional course.

At the same time, there is always a risk that the DPO trained with your financial resources will go to another organization, where s/he will be offered better conditions.

It is also a common story when personal data tasks, assigned as a part-time job to an employee, are postponed "for later", since the main job remains the priority.

Another example, the information security specialist who puts on the DPO cap will be primarily concerned with technical measures related to information security, rather than informing data subjects about personal data collected by the company. And s/he will certainly not be able to correctly draft documents such as a privacy policy or a contract with a data processor.

The lawyer, appointed by the Data Protection Officer, often continues to work on coordinating business contracts, postponing technical measures that he does not understand.

Outsourced DPO

In accordance with the Regulation, the DPO function can be outsourced.

This is often the most profitable decision, because you get an experienced and competent specialist who is able to quickly make decisions on the GDPR and be responsible for them.

What benefits will your company ultimately receive?

  • time saving (experienced DPO will make a decision in 5 minutes, where unqualified employees may think about it for a month);
  • guarantee of correct decisions (avoiding errors and misinterpretations of the Regulation);
  • avoidance of sanctions by supervisory authorities (the DPO is able and knows how to communicate with them, what documents to provide them, even if your company has not yet met all the requirements of the Regulation);
  • avoid the difficulties and costs of recruiting, adapting and retaining an employee in the DPO position;
  • an external DPO is free from possible conflict of interest and remains objective;
  • according to the Pareto principle, every minute of an outsourcing specialist’s time is spent most efficiently as 20% of her/his effort will provide 80% of the results;
  • no need to create a separate workplace, to provide social benefits, or to introduce a new person to an already cohesive team. Outsourced DPO will not go on vacation, will not take time off, and will not be absent due to illness.

The benefits of our service

Transfer personal and organizational responsibility for the GDPR to competent professionals and a specialized company:

      1. According to Article 37 of the GDPR, Data Protection Officers should have specific competencies, including “expert knowledge of data protection law and practices”. Our DPOs have international certificates CIPP/E (Certified Information Privacy Professional/Europe) and CIPM (Certified Information Privacy Manager);
      2. Our DPO team is based in 3 countries, speaks 5 languages, including Russian, English and German, and are well-versed in the specifics of the CIS region;
      3. By purchasing DPO from us, you get not just one specialist, but a whole team. The expertise of our employees in the field of law, cyber security, development of information systems and software is essential for most companies;
      4. Since the introduction of the GDPR inevitably entails the optimization of some of the company's business processes, a DPO is required a rare set of competencies in the areas of privacy, management, IT, which our specialists possess. For example, Siarhei Varankevich has both certificates and experience in the GDPR, as well as a European MBA and experience in managing his own business;
      5. We have gained extensive experience in implementing the GDPR in companies of various levels of maturity and business areas (banks, airlines, manufacturing companies, online stores, social networks, mobile application developers, IT startups, pharmaceutical companies, cloud services), both in the CIS and and EU countries;
      6. Our DPOs are constantly improving their professional level and gaining best practices from all over the world, participating in international conferences and being members of the international network of experts of the International Association of Privacy Professionals;
      7. The work of our consultants is based on the globally recognized Nymity Privacy Accountability Framework. Our company is the only Nymity partner in the CIS.

And most importantly: our experts sincerely love and cherish their work, unlike the employee who has been assigned to deal with the GDPR, and for whom it is “another headache”.

Available specialists

Siarhei Varankevich CIPP/E, CIPM, MBA
Siarhei Varankevich CIPP/E, CIPM, MBA
Certified Information Privacy Professional / Europe (CIPP/E) certification MBA IGC Bremen University of Applied Sciences Certified Information Privacy Manager (CIPM) certification
Co-Founder & CEO of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM). Started to work with the GDPR draft version, in 2015, in Munich. Defended his MBA thesis about the Regulation, in Bremen, in 2016
Olga Zavalniuk CIPP/E, CIPP/US
Olga Zavalniuk CIPP/E, CIPP/US
Certified Information Privacy Professional / Europe (CIPP/E) certification Certified Information Privacy Professional / США (CIPP/US) certification GDPR Data Privacy Professional (GDPR DPP)
Senior Consultant DPO LLC, Data Protection Officer
Expert in Data Privacy, Certified Information Privacy Professional (CIPP/E & CIPP/US - Europe & United States), member of International Association of Privacy Professionals (IAPP)
Maria Arnst CIPM
Maria Arnst CIPM, TÜV
Certified Information Privacy Manager (CIPM) certification TUV Certified Data Protection Officer
GDPR Consultant
Certified Information Privacy Manager (international IAPP certification) with experience of being a Data Protection Officer for European companies, including those focused on privacy and data security. Certified as DPO by TÜV. TÜV is Germany's leading and one of the world's leading independent testing and certification services group

How does it work?

A DPO should be appointed, according to the Regulation, as long as the main activity of your company falls under Article 37 of the GDPR, that is in fact on a permanent basis.

We conclude contracts for outsourcing this role for 1 or 2 years. And extend them, if necessary.

Such a long period is necessary because our DPOs usually begin their work by bringing your company in line with the GDPR. This task alone can take several years, subject to the active cooperation of your staff. Therefore, we recommend starting cooperation with the “Full” service package.

In the future, a DPO will be required for all changes in the company, for example, a new project, process or branch, new employees or contractors. But her/his involvement may be lower, and fewer hours of work will be required.

Stages of our DPO outsourcing:

    1. Familiarization with the activities of your company and audit of the current situation. GDPR non-compliance analysis (gap-analysis).
    2. Bringing your company to an acceptable level.
    3. Maintaining the achieved level of compliance. Aligning emerging projects and processes.

How much does it cost?

Hours per year60120180
€ per hour




Formatremotelyremotelyremotely and on site
Reportsannuallyannuallyannually and quarterly
Gift 1GDPR Aware training for 3 hours, up to 200 persons (€1000)GDPR Aware training for 3 hours, up to 200 persons (€1000)
Gift 2GDPR Data Privacy Technologist (GDPR DPT) training up to 20 persons (€4000)
Annual internal audit+
PaymentFor 1 yearquarterlyquarterly

Work description

Development and monitoring of the implementation plan to bring your company in line with the GDPR
Communication with regulatory authorities in any EU and CIS countries
Consideration of data subjects' requests (complaints, inquiries, clarifications…)
GDPR compliance analysis (gap-analysis)
Maintaining a register of treatments in accordance with Article 30 of the GDPR
Providing advice and support
Regularly update privacy policies and procedures
Preparation for certification under Article 42 of the GDPR (after its establishment by the authorities)
Development and update of documentation and policies on personal data protection
Conducting DPIA (Data Protection Impact Assessment) for risky processes
Management of compliance of external partners and suppliers with the Regulation (vendor management)
Management of personal data leaks and notifications of data subjects and supervisory authorities in accordance with Articles 33-34 of the GDPR


Preliminary consultation