Outsourced DPO


We offer data protection officer services — we can be  your DPO.

Under the GDPR, you must appoint a data protection officer (DPO) if you:

  • are a public authority (except for courts acting in their judicial capacity);
  • carry out large scale systematic monitoring of individuals; or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.


It is recommended that private organisations carrying out public tasks or exercising public authority designate a DPO.


Those who must appoint a DPO include (non-exhaustive list):

  • insurance brokers
  • financial services,
  • security companies
  • health care providers (doctors, dentists, chiropractors, physiotherapists etc)
  • marketing agencies
  • telephone or internet services providers
  • email retargeting
  • loyalty programmes
  • tracking apps
  • CCTV user
  • schools and academies
  • some charities


What are the tasks of the DPO?

  • Inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
  • Provide advice and guidance on data protection issues
  • Monitor compliance with the GDPR and other data protection laws
  • Draft policies and processes
  • Manage internal data protection activities
  • Advise on data protection impact assessments
  • Train staff
  • Conduct internal audits
  • To be the first point of contact for the ICO
  • To be the first point of contact for individuals whose data is processed (employees, customers etc).

Can we allocate the role of DPO to an existing employee?

  • Yes, as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.
  • The DPO cannot hold a position within the organisation that leads him or her to determine the purposes and the means of the processing of personal data.  As a rule of thumb, conflicting positions include senior management positions (such as chief executive, chief operating, chief financial, chief medical officer, head of marketing department, head of Human Resources or head of IT departments) but also other roles lower down in the organisational structure if such positions or roles lead to the determination of purposes and means of processing.
  • You can also contract out the role of DPO externally and we can be your Data Protection Officer.  As a minimum, we only require one contracted hour per month for our data protection officer services.


Does the data protection officer need specific qualifications?

  • The DPO must have expert knowledge of data protection law and practices.  Kristy is a data protection specialist and has an expert knowledge of the GDPR.


What to do now?

  • Call us to arrange a free consultation to see how we can help your organisation.