Data Protection Officer Outsourcing

Transfer personal and organizational responsibility for GDPR to competent professionals and a specialized company.




  1. Are you wasting a lot of time, unable to distinguish the important from the secondary?
  2. Do you spend a lot of time and energy on every decision?
  3. Do employees, including the DPO, postpone tasks on personal data “for later” because they have more urgent responsibilities?
  4. Do you want to appoint an efficient DPO in order to gradually bring your company in line with the GDPR?
  5. Are you acting blindly due to a lack of experience?
  6. Is your company in desperate need of a DPO (Data Protection Officer) under Article 37 of the GDPR, but there are no specialists in the labour market with the relevant competence available?
  7. You have trained an employee to work with the GDPR, but s/he is now leaving for another company for a higher salary?
  8. You are worried that your company will have to deal with the supervisory authority in the foreseeable future, but no one in your company wants to take responsibility for GDPR compliance?
  9. You are already doing your best to comply with the GDPR requirements, but you do not know if what you are doing is right?

Do you need a DPO?


The GDPR requires the appointment of a DPO (Data Protection Officer), i.e. a person responsible for the protection of personal data in cases where your company, by the nature of its activity:

  1. Regularly and systematically monitors data subjects on a large scale, for example by means of video surveillance cameras, location, or tracking;
  2. Handles a wide range of sensitive data, in particular related to health, genetics, biometrics, and information from which racial or ethnic origin, political views, religious or philosophical views can be identified.


A DPO is needed so that all processes for protecting personal data have a single owner (process owner), who coordinates the efforts of many departments and is responsible for them. In addition, a DPO will be able to help the organization maintain its GDPR compliance as:

  • new processes and projects with personal data are introduced;
  • the structure of the organization changes, with new departments and divisions, branches and representative offices, where the process of protecting personal data has to be configured again;
  • new untrained employees join, who may violate the Regulation out of ignorance;
  • new Data Processing Agreements with customers or contractors are signed.

Entrust certified professionals with DPO responsibility to comply with Article 37 of the GDPR and become GDPR-compliant!



In-house DPO

It is good to have a competent DPO on staff, as:

  1. She/he knows the processes within the organization well;
  2. She/he is easily reachable;
  3. The information and knowledge the DPO gains access to remain within the organization.


However, there are very few competent DPOs available for hire. According to some estimates, in the EU alone, it is now necessary to hire more than 75,000 full-time DPOs. Trained specialists are sorely lacking even in Western Europe.

Therefore, domestic companies often appoint a member of their existing staff to act as a DPO, increasing the employee’s workload, as well as investing considerable time and money in GDPR training, such as our Data Privacy Professional course.

At the same time, there is always a risk that the DPO trained with your resources will leave you for another company, where s/he has been offered better conditions.

It is also common for an employee assigned as a part-time DPO to postpone personal data tasks to focus on her/his main job in the company.

Let’s say an information security officer takes on the role of the company’s DPO. Most likely, due to her/his main area of expertise, such a DPO will be primarily concerned with technical measures related to information security, rather than informing data subjects about personal data collected by the company. And s/he will certainly not be able to correctly draft documents such as a privacy policy or a contract with a data processor.

A lawyer appointed as a Data Protection Officer, on the other hand, might handle the task of drafting necessary documents better but fail at implementing technical measures that s/he does not understand.

DPO outsourcing

In accordance with the Regulation, the DPO function can be outsourced.

This is often the most profitable solution, as you get an experienced and competent specialist who is able to make GDPR-related decisions quickly and can be held accountable for them.


What benefits will your company gain as a result?

  1. Time saving (an experienced DPO will be able to make a decision much more quickly than an unqualified employee forced into the DPO role);
  2. Assurance that decisions made will be correct (free from factual errors and misinterpretation of the Regulation provisions);
  3. Avoidance of sanctions by supervisory authorities (the DPO knows how to communicate with the supervisory authority and what documents the company needs to provide, even if your company has not yet met all the requirements of the Regulation);
  4. Mitigation of the difficulties and costs of recruiting, onboarding, and retaining an employee in the DPO position;
  5. An external DPO is free from possible conflict of interest and remains objective;
  6. There is no need to create a separate workplace, provide social benefits, or introduce a new person to an already cohesive team. The outsourced DPO will not go on vacation, take time off, or be absent due to illness.

The benefits of our service

Transfer personal and organizational responsibility for GDPR-related tasks to competent professionals and a specialized company:


      1. According to Article 37 of the GDPR, Data Protection Officers should have specific competencies, including “expert knowledge of data protection law and practices”. Our DPOs have international certificates: CIPP/E (Certified Information Privacy Professional/Europe) and CIPM (Certified Information Privacy Manager);
      2. Our DPO team is based in 3 countries, speaks 5 languages, including Russian, English, and German, and is well-versed in the specifics of the CIS region;
      3. By purchasing the DPO outsourcing service from us, you get not just one specialist, but a whole team. The expertise of our employees in law, cyber security, information systems and software development is essential for most companies;
      4. Since achieving GDPR compliance inevitably entails optimization of some of the company's business processes, a DPO requires a rare set of competencies in various fields of expertise, such as privacy, management, IT, etc., which our specialists possess. For example, Siarhei Varankevich is a certified GDPR specialist with unique skills and experience in bringing companies into compliance with the GDPR, as well as a European MBA and experience in managing his own business;
      5. We have gained extensive experience in implementing the GDPR in companies of various levels of maturity and business areas (banks, airlines, manufacturing companies, online stores, social networks, mobile application developers, IT start-ups, pharmaceutical companies, cloud service providers), both in the EU and CIS countries;
      6. Our DPOs constantly develop their skills and acquire best practices from all over the world by participating in international conferences and being members of the International Association of Privacy Professionals;
      7. The work of our consultants is based on the globally recognized Nymity Privacy Accountability Framework.


And most importantly: our experts genuinely love and cherish their work, unlike the employee who has been assigned to deal with the GDPR, and for whom it is just “another headache”.



Available specialists

Elena Sebyakina CIPP/E, Privacy by design; GDPR DPP, DPM, DPT
Data Protection Officer, GDPR Consultant
Since 2014, Elena has specialized in privacy. Until June 2020 she was a Global DPO in an international IT company, where she implemented GDPR processes and principles in all main processes of the group. Under Elena’s supervision, a web portal for the collection of electronic consents and processing of DSRs was developed, as well as the process for handling personal data breaches.
Siarhei Varankevich CIPP/E, CIPM, CIPT, MBA, FIP
Founder of Data Privacy Office LLC. Data Protection Trainer and Principal Consultant
MBA, Certified Information Privacy Professional (CIPP/E), Certified Information Privacy Manager (CIPM), Certified Information Privacy Technologist (CIPT). Started working with the draft version of the GDPR in 2015 in Munich. Defended his MBA thesis about the Regulation in Bremen in 2016. In 2020, he was awarded the title of IAPP Fellow of Information Privacy (FIP) thanks to the recommendations of respected experts.
Nadzeya Hrabouskaya CIPP/E, GDPR DPP, GDPR DPM
GDPR Consultant
Nadzeya has experience in internal inventory of personal data, assessing data transfers, assessing the presence of a legitimate interest, assessing privacy risks, and developing engineering recommendations in accordance with an understanding of the company's needs and internal constraints.
Ulyana Dergacheva GDPR DPP, GDPR DPT, Privacy by Design
GDPR Junior Consultant
Ulyana specializes in creating privacy policies, RoPA, DPIA and LIA; she also conducts Privacy by Design sessions. In addition, she leads the Data Privacy Office content team. Ulyana took part in the creation of the privacy policy generation service DP Check.
Yuliya Bahdanava LLB, GDPR DPP, GDPR DPM
GDPR Junior Consultant
Bachelor of Laws, GDPR Data Privacy Professional, GDPR Data Privacy Manager. Specializes in creating registers of processing activities (RoPA), auditing IT products and documents, and holding Privacy by Design sessions. Acts as an assistant trainer for the Data Privacy Professional course.
Nastassia Parkhimovich LLM, CIPP/E, GDPR DPP
GDPR Consultant
Nastassia has successfully completed the GDPR Data Privacy Professional course. She speaks English and German. As an in-house lawyer in IT companies, Nastassia took part in the integration of GDPR rules and policies into software products to be marketed in the EU. Consulting editor of the “Lawyer” journal.
Daria Zagranichnova CIPP/E, GDPR DPP
GDPR Consultant
Lawyer, GDPR Data Privacy Professional. Daria has experience in conducting internal GDPR compliance audits of business processes, privacy risk assessments and negotiating data privacy agreements.
Louis-Philippe Gratton PhD, LLM
Privacy Expert
Academic, lawyer (Québec Bar), Ph.D. (France), LL.M. (Canada and Switzerland). Worked in Canada, France, and Switzerland, including as a consultant on comparative privacy law for the Department of Justice of Québec. Fluent in French and English.

How does it work?

According to the Regulation, a DPO should be appointed for as long as the main activity of your company falls under Article 37 of the GDPR.

We conclude contracts for outsourcing this role for 1 or 2 years and extend them as necessary.

Such a long period of time is necessary because our DPOs usually begin their work by bringing your company into compliance with the GDPR. This task alone can take several years, subject to the active cooperation of your staff. Therefore, we recommend that you order the “Full” service package.

Going forward, a DPO will be required for any changes in the company, such as a new project, process or branch, new employees or contractors. But her/his involvement may be lower, and fewer hours of work will be required.


Stages of our DPO outsourcing.


Step 1.

Getting acquainted with the activities of your company and audit of the current situation. GDPR non-compliance analysis (gap-analysis).

Step 2.

Bringing your company to an acceptable level.

Step 3.

Maintaining the achieved level of compliance. Aligning emerging projects and processes.

How much does it cost?

Min Order

  • Hours per year
  • Gift 1
  • Gift 2
  • Annual internal audit
  • For 1 year

Standard Order

  • Hours per year
  • Gift 1: GDPR Aware for 200 persons
  • Gift 2
  • Annual internal audit

Full Order

  • Hours per year
  • remotely and on site
  • annually and quarterly
  • Gift 1: GDPR Aware for 200 persons
  • Gift 2: GDPR DPT for 20 persons
  • Annual internal audit

Work description

Development and oversight of the implementation of a plan to bring your company into compliance with the GDPR
Communication with supervisory authorities in any EU or CIS country
Handling requests from data subjects (complaints, inquiries, clarifications…)
GDPR non-compliance analysis (gap-analysis)
Maintaining a register of processing activities in accordance with Article 30 of the GDPR
Providing advice and support
Regular updating of the personal data protection policies and procedures
Preparing for GDPR Article 42 certification (if established by the authorities)
Development and update of documentation and policies on personal data protection
Conducting DPIA (Data Protection Impact Assessment) for risky processes
Management of personal data breaches and notifications of data subjects and supervisory authorities in accordance with Articles 33-34 of the GDPR

