The GDPR requires the clear designation of a person who will oversee the controls and reporting for personal data in the organisation.
Not all organisations have the skillset or resource or time or perhaps the confidence to put in place an individual from within their own ranks. That’s where can be a really big help!
Ultimately, your organisation is a Data Controller and the buck stops with the Board (or equivalent) for managing compliance with the GDPR.
But, you can bring in expert support to help in satisfying the regulation for necessary controls and reporting. You sometimes hear of similar services being described as a ‘virtual DPO’.
In plain terms, our Virtual Data Protection Team adopts a data protection management support role in your organisation.
What is a DPO or DPL?
Article 37 of the GDPR sets out the conditions where an organisation must put a DPO in place and it’s down to each organisation to consider its own situation as to whether or not to appoint a DPO or otherwise to make alternative arrangements (such as a DPL, for example).
Articles 38 and 39 of the GDPR describe the requirements of the role of, specifically, a DPO, including their responsibilities, their expertise and that they not be conflicted with other roles in the organisation.
A DPO must have visibility of all of the personal data in an organisation. Bearing in mind that this will include staff salary information, health and wellbeing information on staff or even clients, as well as a wealth of confidential data relating to business and operations, the role of the DPO is almost inevitably given to someone at Board Level or otherwise a senior manager.
In the event that an organisation chooses to appoint a DPL (instead of a DPO) there is still a firm expectation that the organisation and its data protection lead representative will subscribe to the requirements in Articles 38 and 39.
What are the roles and responsibilities of a DPO/DPL?
DPOs are required to manage or report on aspects including:
- Developing systems and controls
- Reporting and monitoring
- Drafting key documents
- Staff training
- Managing Data Protection Impact Assessments
- Handling Data Subject Access Requests
- Dealing with data breaches
A DPO (or DPL) therefore needs to have expert knowledge of data protection regulation as well as having a firm finger on the pulse of every strand of data protection controls in the organisation. And they have to be not only approachable for staff and others, but must actually be proactive in their approach to the development and training of staff to support their data protection responsibilities.
There is no doubt; it’s a very big role and a lot hangs on it.
How does the Databasix Virtual Data Protection Team service work?
Anybody can recite the law or regulation, but we also understand its application in everyday operational terms. The members of our team have conducted work on data protection controls, management or reporting with literally hundreds of organisations, from charities to law firms, from accountants to software developers, from healthcare organisations to educators, and almost everything in between.
We understand how personal data flows through organisations and the controls, monitoring and reporting that need to take place.
Within our Virtual Data Protection Team service we will oversee all of the activities mentioned above in ‘What are the roles and responsibilities of a DPO/DPL?’.
Imagine someone physically sitting in your offices, like a member of staff, or always on the end of the phone/email, proactively monitoring, reporting and guiding on all things data protection; that’s an accurate depiction of this service.
Our presence is very regular, appropriate to the needs of the organisation, and we will sit with or report to the Board or other senior management teams as required, to provide support and guidance at the highest operational level.
No two organisations' needs are the same and so we provide support tailored to their individual requirements. Get in touch for a tailored quote.