Data Protection Officer

For public authorities (except for courts acting in their judicial capacity) it is mandatory to appoint a Data Protection Officer (DPO), as it is for any organisation:

  • carrying out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carrying out large scale processing of special categories of data or data relating to criminal convictions and offences.

Otherwise businesses must ensure that their organisation has sufficient staff and skills to discharge their obligations under the GDPR and so they may appoint a DPO if that helps them meet this criteria.

DPO’s must have professional experience and knowledge of data protection law. This should be proportionate to the type of processing the organisation carries out, taking into consideration the level of protection the personal data requires.

The DPO’s minimum tasks are defined in Article 39:

  • To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
  • To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

They must:

  • Report to the highest management level of the organisation – i.e. board level.
  • Be able to operate independently and not be dismissed or penalised for performing their task.
  • have adequate resources provided to enable them to meet their GDPR obligations.

Naturally the role of DPO can be allocated to an existing employee, as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.

The good news is that there is nothing stopping the role being contracted out externally.

Crimson Crab can act as your DPO. We shape our service for your organisation to help you meet the GDPR’s mandatory requirements:

Inform and advise you of your legal obligations regarding data protection and keep you up to date with information on;
• The latest Data Protection practices
• Changes in the law and consultations
• Details of conferences and events held by the Information Commissioners Office (ICO)
• Results of ICO enforcement action
• Frequently asked questions

Monitor compliance with GDPR and with data protection policies and processes;
• Initial DPO compliance assessment
• Periodic re-assessments with reporting on progress and risk
• Specific remediation advice

Provide training;
• Induction training for new members of the team
• Update training (as identified) for all team members
• Annual competence assessment in Data Protection and Information Security

Provide advice on, and the infrastructure for the management of data protection impact assessment (DPIA) and, where requested, manage their performance at a discounted rate from our normal consultancy fees i.e.;
• Monitoring of risks identified
• Advice for remediation and identified training
• Periodic re-assessment as required

Be the primary point of contact for the ICO. Where additional work is required this can be carried out at a discounted rate from our normal consultancy fees i.e.;
• DPIA requests
• Data subject complaints
• Working with ICO audits or inspections

Managing and monitoring the processes for Data subject rights requests;
• Respond to subject access requests (SAR’s)
• Co-ordinate deletion requests

Having regard to the risk associated with processing operations;
• Design and organisation of “records of processing”
• Access and maintenance of the Data Privacy Risk Register
• Reporting and managing of identified risks

Along with the above the service includes;
• Telephone and e-mail support with a rapid response (subject to a fair use policy – maximum of one hour per month)

The cost of providing this service is based on the number of employees and is spread over 12 months as follows;

  • 1 or 2 personnel £100/month
  • 3 to 10 personnel £230/ month
  • 11 to 20 personnel £250/month
  • 21 to 30 personnel £270/month
  • 31 to 40 personnel £290/month
  • 41 to 50 personnel £310/month
  • Over 50 personnel Price on application

Please note that reasonable travelling expenses are not included.

A number of the elements of the services can be provided on a standalone basis

If you would like Crimson Crab to act as your DPO please get in touch to find out more and get the ball rolling…