Data Protection Officer Outsourcing

1. You have spent a lot of time, but you are still unable to distinguish the important from the secondary?
2. Do you spend a lot of time and energy on every decision?
3. Do employees, including the DPO, postpone tasks on personal data “for later” because they have more urgent responsibilities?
4. Do you want to appoint an efficient DPO in order to gradually bring your company in line with the GDPR?
5. Are you acting blindly due to lack of experience?
6. Is your company in desperate need of a DPO (Data Protection Officer) under Article 37 of the GDPR, but there are no specialists in the labour market with the relevant competence available?
7. You have trained an employee to work with the GDPR, but s/he is  now leaving for another company for a higher salary?
8. You are worried that your company will have to deal with the supervisory authority in the foreseeable future, but no one in your company wants to take responsibility for the GDPR compliance?
9. You are already doing your best to comply with the GDPR requirements, but you do not know if what you are doing is right?

The GDPR requires the appointment of a DPO (Data Protection Officer), i.e. a person responsible for the protection of personal data in cases where your company, by the nature of its activity:

1. Regularly and systematically monitors data subjects on a large scale, for example by means of video surveillance cameras, location, or  tracking;
2. Handles a wide range of sensitive data, in particular related to health, genetics, biometrics, and information from which racial or ethnic origin, political views, religious or philosophical views can be identified.

Entrust DPO responsibility with certified professionals to comply
with Article 37 of the GDPR and become GDPR-compliant!

Order

It is good to have a competent DPO on staff, as:

1.   She / he knows the processes within the organization well;
2.   She / he is easily reachable;
3.  Information and knowledge DPO gains access to remain within the organization

However, there are very few competent DPOs available for hire. According to some estimates, in the EU alone, it is now necessary to hire more than 75,000 full-time DPOs. Trained specialists are sorely lacking even in Western Europe.

Therefore, domestic companies often appoint a member of their existing staff to act as a DPO, increasing the employee’s workload, as well as investing considerable time and money in  GDPR training, such as our Data Privacy Professional course.

At the same time, there is always a risk that the DPO trained with your resources will leave you for another company, where s/he  has been offered better conditions.

It is also  common  for an employee, assigned as a part-time DPO, to postpone personal data tasks to focus on her/ his  main job in the company.

Let’s say an information security officer takes on the role of company’s DPO.  Most likely due to her/his  main area of expertise, such DPO will be primarily concerned with technical measures related to information security, rather than informing data subjects about personal data collected by the company. And s/he  will certainly not be able to correctly draft documents such as a privacy policy or a contract with a data processor.

A lawyer appointed as a Data Protection Officer, on the other hand, might handle the task of drafting necessary documents better but fail at implementing technical measures that s/he  does not understand.

In accordance with the Regulation, the DPO function can be outsourced.

This is often the most profitable solution, as you get an experienced and competent specialist who is able to make GDPR related decisions quickly and can be held accountable for them.

What benefits will your company gain as a result?

1. Time saving (experienced DPO will be able to make a decision way quicker  than an unqualified employee forced into the DPO role);
2. Insurance that decisions made will be correct(free from factual errors and misinterpretation of the Regulation provisions);
3. Avoidance of  sanctions by supervisory authorities (the DPO is able and knows how to communicate with the supervisory authority, what documents the company needs to provide  , even if your company has not yet met all the requirements of the Regulation);
4. Mitigation of the difficulties and costs of recruiting, on boarding and retaining an employee in the DPO position;
5. An external DPO is free from possible conflict of interest and remains objective;
6. There is no need to create a separate workplace,  provide social benefits, or  introduce a new person to an already cohesive team. The outsourced DPO will not go on vacation, take time off, or be absent due to illness.

Transfer personal and organizational responsibility for the GDPR related tasks to competent professionals and a specialized company:

1. 1. 1. According to Article 37 of the GDPR, Data Protection Officers should have specific competencies, including “expert knowledge of data protection law and practices”. Our DPOs have international certificates:  CIPP/E (Certified Information Privacy Professional/Europe) and CIPM (Certified Information Privacy Manager);
      2. Our DPO team is based in 3 countries, speaks 5 languages, including Russian, English and German, and is well-versed in the specifics of the CIS region;
      3. By purchasing the DPO outsource service from us , you get not just one specialist, but a whole team. The expertise of our employees in law, , cyber security, information systems and software development is essential for most companies;
      4. Since achieving GDPR compliance inevitably entails  optimization of some of the company's business processes, a DPO is required a rare set of competencies in the various field of expertise, such as  privacy, management, IT, etc. which our specialists possess. For example, Siarhei Varankevich is a certified GDPR specialist with unique skills and experience in bringing companies to compliance with the GDPR, as well as a European MBA and experience in managing his own business;
      5. We have gained  extensive experience in implementing the GDPR in companies of various levels of maturity and business areas (banks, airlines, manufacturing companies, online stores, social networks, mobile application developers, IT start-ups, pharmaceutical companies, cloud service providers), both in the EU and CIS countries;
      6. Our DPOs constantly develop their skills and acquire best practices from all over the world by participating in international conferences and being members of the International Association of Privacy Professionals;
      7. The work of our consultants is based on the globally recognized Nymity Privacy Accountability Framework. 

And most importantly: our experts genuinely love and cherish their work, unlike the employee who has been assigned to deal with the GDPR, and for whom it is just “another headache”.

Order

A DPO should be appointed, according to the Regulation for as long as the main activity of your company falls under Article 37 of the GDPR.

We conclude contracts for outsourcing this role for 1 or 2 years. And extend them as necessary.

Such a long period of time  is necessary because our DPOs usually begin their work by bringing your company into compliance with the GDPR. This task alone can take several years, subject to the active cooperation of your staff. Therefore, we recommend that you order   the “Full” service package.

Going forward, a DPO will be required for any changes in the company, such as, a new project, process or branch, new employees or contractors. But her/his  involvement may be lower, and fewer hours of work will be required.

Stages of our DPO outsourcing.

Step 1.

Getting acquainted with the activities of your company and audit of the current situation. GDPR non-compliance analysis (gap-analysis).

Step 2.

Bringing your company to an acceptable level.

Step 3.

Maintaining the achieved level of compliance. Aligning emerging projects and processes.