“Data protection governance and oversight”
The General Data Protection Regulation (GDPR) provides for the appointment of a data protection officer (DPO).
For public authorities (except for courts acting in their judicial capacity) it is mandatory to appoint a DPO, as it is for any organisation whose core activities involve:
- regular and systematic monitoring of individuals on a large scale (for example, online behaviour tracking); or
- large scale processing of special categories of data or of data relating to criminal convictions and offences.
Otherwise, businesses must ensure that their organisation has sufficient staff and skills to discharge their obligations under the GDPR, and may appoint a DPO voluntarily if that helps them meet this requirement.
DPOs must have professional experience and expert knowledge of data protection law and practice. This should be proportionate to the type of processing the organisation carries out, taking into consideration the level of protection the personal data requires.
The DPO’s minimum tasks are defined in Article 39, and Article 38 sets out the position the organisation must give the DPO:
- To inform and advise the organisation and its employees about their obligations under the GDPR and other data protection laws.
- To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advising on data protection impact assessments, training staff and conducting internal audits.
- To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc.).
- Report to the highest management level of the organisation – i.e. board level.
- Be able to operate independently and not be dismissed or penalised for performing their tasks.
- Have adequate resources provided to enable them to carry out those tasks.
Naturally, the role of DPO can be allocated to an existing employee, as long as the professional duties of that employee are compatible with the duties of the DPO and do not lead to a conflict of interests.
The good news is that there is nothing stopping the role being contracted out externally.
Crimson Crab can act as your DPO. We shape our service for your organisation to help you meet the GDPR’s mandatory requirements:
Inform and advise you of your legal obligations regarding data protection and keep you up to date with information on:
• The latest Data Protection practices
• Changes in the law and consultations
• Details of conferences and events held by the Information Commissioner’s Office (ICO)
• Results of ICO enforcement action
• Frequently asked questions
Monitor compliance with the GDPR and with data protection policies and processes:
• Initial DPO compliance assessment
• Periodic re-assessments with reporting on progress and risk
• Specific remediation advice
• Induction training for new members of the team
• Update training (as identified) for all team members
• Annual competence assessment in Data Protection and Information Security
Provide advice on, and the infrastructure for, the management of data protection impact assessments (DPIAs) and, where requested, manage their performance at a discount to our normal consultancy fees:
• Monitoring of risks identified
• Advice for remediation and identified training
• Periodic re-assessment as required
Be the primary point of contact for the ICO. Where additional work is required, this can be carried out at a discount to our normal consultancy fees:
• DPIA requests
• Data subject complaints
• Working with ICO audits or inspections
Manage and monitor the processes for data subject rights requests:
• Respond to subject access requests (SARs)
• Co-ordinate deletion requests
Having regard to the risk associated with processing operations:
• Design and organisation of “records of processing”
• Access and maintenance of the Data Privacy Risk Register
• Reporting and managing of identified risks
Along with the above, the service includes:
• Telephone and e-mail support with a rapid response (subject to a fair use policy – maximum of one hour per month)
The cost of providing this service is based on the number of employees and is spread over 12 months as follows:
- 1 or 2 personnel £100/month
- 3 to 10 personnel £230/month
- 11 to 20 personnel £250/month
- 21 to 30 personnel £270/month
- 31 to 40 personnel £290/month
- 41 to 50 personnel £310/month
- Over 50 personnel Price on application
Please note that reasonable travelling expenses are not included.
A number of the elements of the service can be provided on a standalone basis.