Data Protection Officer Outsourcing

Transfer personal and organizational responsibility for GDPR to competent professionals and a specialized company.

 

 

 

  1. Are you wasting a lot of time because you can't distinguish the important from the secondary?
  2. Do you spend a lot of time and energy on every decision?
  3. Do employees, including the DPO, postpone tasks on personal data “for later” because they have more urgent responsibilities?
  4. Do you want to appoint an efficient DPO in order to gradually bring your company in line with the GDPR?
  5. Are you acting blindly due to a lack of experience?
  6. Is your company in desperate need of a DPO (Data Protection Officer) under Article 37 of the GDPR, but there are no specialists in the labour market with the relevant competence available?
  7. Have you trained an employee to work with the GDPR, but s/he is now leaving for another company for a higher salary?
  8. Are you worried that your company will have to deal with the supervisory authority in the foreseeable future, but no one in your company wants to take responsibility for GDPR compliance?
  9. Are you already doing your best to comply with the GDPR requirements, but do not know if what you are doing is right?

Do you need a DPO?

 

The GDPR requires the appointment of a DPO (Data Protection Officer), i.e. a person responsible for the protection of personal data in cases where your company, by the nature of its activity:

  1. Regularly and systematically monitors data subjects on a large scale, for example by means of video surveillance cameras, location, or tracking;
  2. Handles a wide range of sensitive data, in particular related to health, genetics, biometrics, and information from which racial or ethnic origin, political views, religious or philosophical views can be identified.

 

A DPO is needed so that all processes for protecting personal data have a single owner (process owner), who coordinates the efforts of many departments and is responsible for them. In addition, a DPO will be able to help the organization maintain its GDPR compliance as:

  • new processes and projects with personal data are introduced;
  • the structure of the organization changes with new departments and divisions, branches and representative offices, where the process of protecting personal data needs to be configured again;
  • new untrained employees join who may violate the Regulation out of ignorance;
  • new Data Processing Agreements with customers or contractors are signed.

Entrust DPO responsibility to certified professionals to comply
with Article 37 of the GDPR and become GDPR-compliant!

 


In-house DPO

It is good to have a competent DPO on staff, as:

  1. She / he knows the processes within the organization well;
  2. She / he is easily reachable;
  3. Information and knowledge the DPO gains access to remain within the organization.

 

However, there are very few competent DPOs available for hire. According to some estimates, in the EU alone, it is now necessary to hire more than 75,000 full-time DPOs. Trained specialists are sorely lacking even in Western Europe.

Therefore, domestic companies often appoint a member of their existing staff to act as a DPO, increasing the employee’s workload, as well as investing considerable time and money in GDPR training, such as our Data Privacy Professional course.

At the same time, there is always a risk that the DPO trained with your resources will leave you for another company, where s/he has been offered better conditions.

It is also common for an employee assigned as a part-time DPO to postpone personal data tasks to focus on her/his main job in the company.

Let’s say an information security officer takes on the role of the company’s DPO. Most likely, due to her/his main area of expertise, such a DPO will be primarily concerned with technical measures related to information security, rather than informing data subjects about personal data collected by the company. And s/he will certainly not be able to correctly draft documents such as a privacy policy or a contract with a data processor.

A lawyer appointed as a Data Protection Officer, on the other hand, might handle the task of drafting necessary documents better but fail at implementing technical measures that s/he does not understand.

DPO outsourcing

In accordance with the Regulation, the DPO function can be outsourced.

This is often the most profitable solution, as you get an experienced and competent specialist who is able to make GDPR-related decisions quickly and can be held accountable for them.

 

What benefits will your company gain as a result?

  1. Time saving (an experienced DPO will be able to make a decision much more quickly than an unqualified employee forced into the DPO role);
  2. Assurance that decisions made will be correct (free from factual errors and misinterpretation of the Regulation provisions);
  3. Avoidance of sanctions by supervisory authorities (the DPO knows how to communicate with the supervisory authority and what documents the company needs to provide, even if your company has not yet met all the requirements of the Regulation);
  4. Mitigation of the difficulties and costs of recruiting, onboarding, and retaining an employee in the DPO position;
  5. An external DPO is free from possible conflict of interest and remains objective;
  6. There is no need to create a separate workplace, provide social benefits, or introduce a new person to an already cohesive team. The outsourced DPO will not go on vacation, take time off, or be absent due to illness.

The benefits of our service

Transfer personal and organizational responsibility for the GDPR-related tasks to competent professionals and a specialized company:

 

  1. According to Article 37 of the GDPR, Data Protection Officers should have specific competencies, including “expert knowledge of data protection law and practices”. Our DPOs have international certificates: CIPP/E (Certified Information Privacy Professional/Europe) and CIPM (Certified Information Privacy Manager);
  2. Our DPO team is based in 3 countries, speaks 5 languages, including Russian, English, and German, and is well-versed in the specifics of the CIS region;
  3. By purchasing the DPO outsourcing service from us, you get not just one specialist, but a whole team. The expertise of our employees in law, cyber security, information systems and software development is essential for most companies;
  4. Since achieving GDPR compliance inevitably entails optimization of some of the company's business processes, a DPO requires a rare set of competencies in various fields of expertise, such as privacy, management, IT, etc., which our specialists possess. For example, Siarhei Varankevich is a certified GDPR specialist with unique skills and experience in bringing companies to compliance with the GDPR, as well as a European MBA and experience in managing his own business;
  5. We have gained extensive experience in implementing the GDPR in companies of various levels of maturity and business areas (banks, airlines, manufacturing companies, online stores, social networks, mobile application developers, IT start-ups, pharmaceutical companies, cloud service providers), both in the EU and CIS countries;
  6. Our DPOs constantly develop their skills and acquire best practices from all over the world by participating in international conferences and being members of the International Association of Privacy Professionals;
  7. The work of our consultants is based on the globally recognized Nymity Privacy Accountability Framework.

 

And most importantly: our experts genuinely love and cherish their work, unlike the employee who has been assigned to deal with the GDPR, and for whom it is just “another headache”.

 


Available specialists

Maria Arnst CIPM, TÜV, Strategic Privacy by Design, DPP
Data Protection Officer, GDPR Consultant, Privacy researcher
Certified Information Privacy Manager, member of the International Association of Privacy Professionals with experience of being a Data Protection Officer for European companies, including those focused on privacy and data security. Certified as a Data Protection Officer by TÜV (Germany's leading, and one of the world's leading, independent testing and certification services groups), trained in Strategic Privacy by Design.
Elena Sebyakina CIPP/E, Privacy by design; GDPR DPP, DPM, DPT
Data Protection Officer, GDPR Consultant
Since 2014, Elena has specialized in privacy. Until June 2020 she was a Global DPO in an international IT company, where she implemented GDPR processes and principles in all main processes of the group. Under Elena’s supervision, a web portal for collecting electronic consents and processing DSRs was developed, as well as the process for handling personal data breaches.
Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
Founder of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT). Started working with the draft version of the GDPR in 2015 in Munich. Defended his MBA thesis about the Regulation in Bremen in 2016. In 2020, he was awarded the title of IAPP Fellow of Information Privacy (FIP) thanks to the recommendations of respected experts.

How does it work?

According to the Regulation, a DPO should be appointed for as long as the main activity of your company falls under Article 37 of the GDPR.

We conclude contracts for outsourcing this role for 1 or 2 years and extend them as necessary.

Such a long period of time is necessary because our DPOs usually begin their work by bringing your company into compliance with the GDPR. This task alone can take several years, subject to the active cooperation of your staff. Therefore, we recommend that you order the “Full” service package.

Going forward, a DPO will be required for any changes in the company, such as a new project, process or branch, new employees or contractors. But her/his involvement may be lower, and fewer hours of work will be required.

 

Stages of our DPO outsourcing.

 

Step 1.

Getting acquainted with the activities of your company and audit of the current situation. GDPR non-compliance analysis (gap-analysis).

Step 2.

Bringing your company to an acceptable level.

Step 3.

Maintaining the achieved level of compliance. Aligning emerging projects and processes.

How much does it cost?

| | Min Order | Standard Order | Full Order |
|---|---|---|---|
| Hours per year | 60 | 120 | 180 |
| Format | remotely | remotely | remotely and on site |
| Reports | annually | annually | annually and quarterly |
| Gift 1 | - | GDPR Aware for 200 persons | GDPR Aware for 200 persons |
| Gift 2 | - | - | GDPR DPT for 20 persons |
| Annual internal audit | - | - | + |
| Payment | For 1 year | quarterly | quarterly |

Work description

  • Development and oversight of the implementation of a plan to bring your company into compliance with the GDPR
  • Communication with supervisory authorities in any EU or CIS country
  • Handling requests from data subjects (complaints, inquiries, clarifications…)
  • GDPR non-compliance analysis (gap-analysis)
  • Maintaining records of processing activities in accordance with Article 30 of the GDPR
  • Providing advice and support
  • Regular updating of the personal data protection policies and procedures
  • Preparing for GDPR Article 42 certification (if established by the authorities)
  • Development and update of documentation and policies on personal data protection
  • Conducting DPIA (Data Protection Impact Assessment) for risky processes
  • Management of personal data breaches and notifications of data subjects and supervisory authorities in accordance with Articles 33-34 of the GDPR
