GDPR Data protection officer as a service for tech companies
Who is the data protection officer?
The data protection officer is a person (in-house or an outsourced specialist) helping your organisation remain compliant with the GDPR (and national data protection laws).
This position became mandatory in the EU after some Member States had introduced Directive 95/46/EC (the predecessor of the GDPR) into their national law and added their own mandatory criteria on top of the Directive.
A data protection officer is not a regular employee but an independent observer of the route the organisation takes: they watch the data processing, provide advice, report incidents and faults, and help the organisation and the data subjects (meaning the individuals whose data the organisation is processing) meet the legal requirements. The DPO must not have a conflict of interest (for example, being Head of Risk Assessment or Head of Information Security and the data protection officer at the same time) and must have enough resources (access to processing operations, personnel, time and money for further study) to operate independently.
The DPO cannot be held responsible for their advice (unless the advice was misleading or amounted to malpractice). The DPO must not decide how the data will be processed: they only advise and provide the necessary information.
What does the data protection officer do?
The Data Protection Officer handles all data protection issues from the position of an independent arbiter: they are a privacy advocate who is aware of this particular company’s true intentions and capabilities.
Both the data controller and data processor must designate a DPO if the criteria set forth by the law are met.
The DPO is indispensable counsel when it comes to translating regulatory and consumer protection language into business talk. The DPO:
- helps the legal department draft correct and all-encompassing data protection policies and registries;
- helps the frontend team publish correct notices, layer them properly, and design them;
- advises the backend and full-stack teams on how to make the interface and the database work together, and how to design the systems and networks so that other teams can enable data subjects to exercise their rights;
- works with the tech support team to smooth the request handling procedures;
- participates in HR and talent management by providing onboarding and awareness procedures, as well as competence checks;
- reviews marketing and sales strategies from the data protection point of view and helps assess and procure GDPR-compliant service and product vendors;
- advises the teams during data protection impact assessments;
- reports to top management on data protection metrics and concerns; and
- is the point of contact for data subjects who express concerns about their privacy and the handling of their personal data.
During the “Privacity Chronicles” episode, we discussed the crucial role of a Data Protection Officer (DPO) within a global corporation.
Must we have a data protection officer in our organisation?
Designation of a DPO may be mandatory under the law of your state or country. Check whether you must designate one if you:
- process personal data on a large scale;
- process sensitive data;
- process data on behalf of the state or a public authority;
- conduct regular and systematic monitoring of individuals;
- process data about criminal convictions and offences, or data relating to children.
Article 37 of the GDPR provides the following criteria for the mandatory designation of a DPO; matching at least one of them is enough to trigger the obligation:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
In addition to the Article 37 GDPR criteria, Germany requires companies to appoint a DPO if:
- they constantly employ, as a rule, at least 20 persons dealing with the automated processing of personal data;
- they are legally obliged to perform a data protection impact assessment; or
- they commercially process personal data for the purpose of transfer, of anonymised transfer, or for purposes of market or opinion research.
How to designate a data protection officer?
If your DPO is an in-house specialist, you should grant them the authority to act as one through an internal company-wide act. Consult your legal department to learn how this is done.
Often, companies hire an independent contractor to act as their DPO in order to exclude any conflict of interest. The company and the DPO then sign a service agreement describing the scope of service, confidentiality and other terms, together with a data processing agreement if necessary.
At Privacity, we personify the Data Protection Officer (DPO) role through our profound understanding of GDPR and various data protection regulations. Our team’s proficiency is underscored by our CIPP/E certifications, which serve as a testament to our unwavering dedication to upholding the utmost standards in data protection. Furthermore, we have a well-documented history of guiding numerous organizations to sustain GDPR compliance, establishing us as the premier choice for safeguarding data and guaranteeing impeccable privacy protection.
The best time to appoint a DPO is now!