Interim Data Protection Officers for GDPR

Interim Data Protection Officers for GDPR

AiM provides interim Data Protection Officers for GDPR.  This is a cost-effective solution for those organisations for which a full-time and permanent DPO is not appropriate.

Article 37 of the GDPR states that the controller and the processor shall designate a data protection officer in any case where:

  1. the processing is carried out by a public authority or body;
  2. the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

In addition, the article also states that the Data Protection Officer (DPO) shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks required.

However, the GDPR does allow for a single DPO covering a number of jurisdictions, as long at they are easily accessible from each establishment, or a single DPO can cover multiple bodies.  Also, the DPO may be outsourced, or may be a member of the data controller or processors team, as long as there is no conflict of interest.

This allows a company to fill their DPO role in the most expedient way, and provides an opportunity to use an outsourced or interim DPO.  The interim role holder will have wide experience of setting up the mechanisms which will be used within the company in an ongoing basis.  The position may initially require significant input, but as the structures are put in place, input will be reduced, and a permanent role holder can take over the responsibilities.

Key responsibilities include:

  • Compilation of data inventories and maps;
  • Determination of the legal bases for processing data;
  • Recommendations for data minimisation;
  • Recommendations for actions required to fulfil data subjects rights;
  • Risk assessments;
  • Data protection impact assessments;
  • Recommendations re changes to policies and processes, privacy notices; and
  • Recommendations re information security.

 

Contact us to find out if an interim DPO is right for your organisation.

Click here to find out more about our GDPR services.

Find out more about AiM’s GDPR training courses here.