Data Protection Officer (DPO)

The function of the Data Protection Officer (DPO) has been introduced by the GDPR. Not every entity that processes personal data needs to appoint a DPO, but every one should consider benefits of having such an officer in their organisation. A DPO may be someone from within your organisation, but it is safer and more cost-effective to outsource this function to a person who has experience and knowledge in this field.

An external DPO has the following responsibilities:

• inform and advise the client and his employees who process personal data on their obligations under the GDPR and other EU or Member States' data protection laws;
• carry out regular data protection audits and ad-hoc audits upon learning about a data security incident or a justified suspicion of such an incident, ended with a report and a list of recommendations;
• supervise the observance and updates of data protection and data processing policies;
• keep the knowledge on personal data protection up-to-date by organising training courses for middle and top management, employees and contractors;
• participate in evaluating business processes in terms of compliance with data protection laws, including development of training rules for new employees;
• provide opinions on clauses, regulations or other documents in terms of their compliance with data protection laws;
• pay regular visits to monitor on an ongoing basis the compliance with the GDPR and other data protection laws related to the client's business (including gathering information to identify the processing procedures, analysing and verifying compliance of the processing, informing, advising and providing recommendations to the management/organisation as to certain personal data operations);
• supervise the handling of data protection incidents;
• cooperate with the President of the Personal Data Protection Office, including prior consultations with the authorities; participate in inspections, provide explanations, provide documents and information to fulfil the Data Protection Officer function;
• act as a point of contact for data subjects, including preparing proposals of replies for data subjects in matters related to personal data processing;
• supervise how a record of processing activities is maintained and breaches of personal data protection are documented;
• support the client's employees on a daily basis in personal data processing;
• provide recommendations at the request of the client as regards the data protection impact assessment and monitor their implementation in accordance with Article 35 GDPR;
• advise the client on technical and organisational matters connected with personal data security.