Data Protection Officer (DPO)
Responsible for the protection of personal data (DPO)
Creation of a specific DPO work cycle
Training for employees and board members
Support and participation in defining the Clients’ projects in accordance with Privacy by Design and Privacy by Default
Surveillance and auditing on the correct implementation of GDPR and Privacy Code
Surveillance and support in the drafting of DPIAs if needed
Cooperation and contact with the Data Protection Authority
The Data Protection Officer (DPO) is a role recently introduced.
In some States of the European Union it was already in place and known as Privacy Officer (CPO) or Privacy Specialist. Trying to describe it in few words, it is an expert on privacy that must have a role in the organization (being external or internal) independent from the organization chart relationships with transversal skills, mainly legal, IT, of analysis of risks and processes.
In some professional certification mechanisms (e.g. UNI 11697:2017) the DPO is tasked with psychological as well as training skills. His main task is to support the Controller or the Processor in the application of the data protection law.
More in specific, the GDPR identify the following tasks in relation to the DPO:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
In reality, to be a DPO for any type of organization, private or public, requires more than what already said.
It is necessary to assist the Controller or the Processor in its business choices affecting privacy, in order to guide him to protect in an effective and efficient way the personal data of data subjects and- as a consequence- to enhance the protection of the organization itself.
Our Firm guided dozens of organizations in the process of compliance in relation to data protection as consultants but also as DPOs, and we continue to do so even today after 25 years, showing the organization how to develop in autonomy procedures coherent with the rules of GDPR and functional to their type of business.
The role of DPO, for us, is nothing more than the crystallization of this trust in one name.
Support to DPOs
It often happens that the the DPO of an organization, in performing the tasks assigned by GDPR to this role, is in a situation in which he’s fighting against an invisible enemy, to which none though of at the beginning of the assignment: time.
The operative necessities becomes urgent, and often the DPO is not put into the condition of perform adequately its activity for absence of time to be trained, follow all the privacy issues and the audit/surveillance activities requested by GDPR in the framework of the requirements to which the organization is subject to.
Studio Legale Privacy, also to reply to what is prescribed by GDPR in relation to resources and appropriate time to be granted to the DPO, chose to develop a support program designed to solve criticalities of this type, and developed on the basis of the requests of the Clients during the years.
Our experts are able to support actively the internal DPO in the management of daily issues linked to personal data protection in the context of the organization through a given number of “token” available to the Client, with SLAs well defined and granted, to be performed both in house and by remote.
In this way the internal DPO gain an update on-site training and the renewed ability to grant effectively the performing of the tasks that must be performed.