EXTERNAL DATA PROTECTION OFFICER (DPO)
When appointing a Data Protection Officer (DPO), many organizations find that their employees lack the necessary expertise and familiarity with data protection legislation, or simply do not have enough time because of their existing responsibilities.
The GDPR permits organizations to entrust the role of Data Protection Officer (DPO) to an external contractor. Mikrocop offers you the opportunity to contract an external DPO who has legal expertise, in-depth knowledge of the GDPR, and extensive experience in personal data protection.
WHAT DOES AN EXTERNAL DPO DO?
An external DPO:
- monitors the compliance of personal data processing and protection with legislation and company policies;
- informs you about your obligations under the GDPR and other personal data protection laws;
- trains your employees involved in personal data processing and raises their awareness;
- advises on and assists in the assessment of personal data security risks;
- cooperates with the Information Commissioner and is a contact point for data processing related issues;
- conducts annual reviews of your company's personal data processing and proposes improvements;
- assists in handling data subjects' requests to exercise the rights provided by the legislation;
- advises on Legitimate Interest Assessments to justify data processing;
- helps with performance monitoring of your outsourced personal data processors, documentation and training...
REASONS TO APPOINT AN EXTERNAL DPO
An external DPO offers independent counselling in relation to the processing and protection of personal data and strives to maintain the overall consistency of personal data protection.
According to the GDPR, a DPO may not hold a position in which they determine the purposes and means of personal data processing. Consequently, executives and heads of operations, IT, HR or Marketing cannot serve as a DPO, as this would create a conflict of interest.
When such a situation arises, the best solution is to appoint an external DPO, as provided by Mikrocop. This ensures a simple and efficient way to avoid having to deal with conflict of interest issues.
It is important that a DPO is well aware of Slovenian and European legislation and has an in-depth understanding of the GDPR as well as experience in the field of personal data protection. In addition, a DPO must understand the data controller’s operations and organization, the data processing IT systems and processes, and the relevant personal data protection requirements.
The DPO role calls for a person who combines in-depth knowledge and experience in a range of fields, and for whom data protection practice is a daily occupation rather than a routine side task. A problem arises when your organization does not currently employ such a person and faces the dilemma of whether it makes sense to recruit a new employee into the role of DPO. We offer an alternative to training a member of your staff or hiring a new person: appoint an external DPO.
A DPO has to regularly monitor new developments in the law and in personal data protection practices. Employees are often so busy with their day-to-day obligations that they are unable to find time for further education and training.
Acquiring special qualifications or certificates confirming the necessary expertise in the field of personal data protection also requires financial outlays. This is just one more reason to simply hire an external DPO.
BENEFITS OF HIRING AN EXTERNAL DPO
We offer a high level of expertise that is continuously updated and upgraded.
We provide full-service cost-effective consulting based on credible experience.
We maintain our independence to ensure our credibility and security for our clients.
We've been successfully cooperating with Mikrocop's team on personal data protection since 2014. Their professionalism and expertise are second to none. Ensuring GDPR compliance is definitely a complex task, but quite manageable with a systematic approach and a reliable partner.
– Vanja Lombar, Director, OMV Slovenija
In addition to public authorities, the following must also appoint a DPO:
- legal entities whose core activities consist of processing operations that require regular and systematic monitoring of data subjects on a large scale, e.g. banks, insurance companies, electronic communications operators, retailers with customer loyalty programs, recruitment agencies, online stores, and IT companies that operate CRM systems...
- legal entities whose core activities consist of large-scale processing of health data or any other type of sensitive data (special categories of personal data), e.g. hospitals and clinics, health and social care institutions, and providers of health information systems and services.
A Legitimate Interest Assessment (LIA) justifies personal data processing by identifying the company's reasons for it. The LIA assesses whether a legitimate interest in the processing exists, establishes whether the processing is necessary for that interest, and examines whether the legitimate interest is overridden by the fundamental rights and freedoms of the data subject.