DPO Service

What is a DPO?

One of the most relevant changes in General Data Protection Regulation (GDPR) is the obligation for some organisations to appoint a Data Protection Officer (DPO), a role tasked with facilitating compliance with the GDPR provisions.

The core tasks of the DPO under the new data protection regime are:

to inform and advise the organisation’s management about their obligations under the GDPR;
to monitor the organisation’s compliance with EU and national data protection laws;
to provide guidance and advice on Data Protection Impact Assessments (DPIA);
to function as the main organisation’s contact point for people and institutions, including Data Protection Authorities.

Do you need a DPO?

The DPO may be a staff member of the organisation or fulfil his or her tasks on the basis of a service contract.

The GDPR provides that a DPO must be appointed by:

Public authorities. This includes public sector or hybrid bodies, such as museums, publicly funded transport companies and foundations, etc.
Organisations that carry out large scale systematic monitoring of individuals. This includes companies engaging in online behaviour tracking, profiling, etc.
Organisations that carry out large scale processing of special categories of data or data relating to criminal convictions and offences. This includes private clinics, most political analysis companies, etc

WHY US?

Even if no obligation exists for you under the GDPR to appoint a DPO, you may find it useful to designate a DPO on a voluntary basis. This is advisable especially in border-line cases, in which it is not entirely clear if your business fulfils the requirements for a compulsory appointment. In fact, voluntary appointments are not only encouraged by the EU but they contribute to strengthening the organisation’s compliance and accountability position in case of data-protection-related issues.

Trilateral’s GDPR-certified employees possess the necessary skills to fulfil this DPO role for your organisation.

Our DPO Service

This service is ideal for organisations that wish to appoint a DPO on a voluntary basis, to improve accountability and transparency and to inspire confidence from consumers and other stakeholders.

Are you operating an organisation with a limited data processing practice that is nonetheless required to appoint a DPO? Our experts will carry out all essential DPO tasks and ensure that you remain compliant with the relevant GDPR provisions while minimising your financial commitment.

This service is suited to organisations that want to be certain that no specific data protection innovation goes unnoticed.

Are you part of an organisation that needs a tailored service?

In addition to the “Basic” level services, our experts will keep you updated on critical legislative, judicial, or policy developments that may impact your business area, allowing you to save time and effort.

This service is ideal for organisations with medium-to-high-profile data processing practices that prefer to have professionals to look after their GDPR compliance work in a highly proactive manner.

Does your organisation want to grow internal awareness about GDPR regulation and data protection processes?

In addition to the “Advanced” level services, our experts will also conduct interactive webinars and Q&A sessions with your senior management and officers, and train your employees on the innovations in the data protection landscape.

Show Trilateral DPO Service

		DPO Service Levels
Activity	Basic	Advanced	Elite	Notes/Details	Article Reference
Serve as your DPO				Company name and contact details transmitted to the ICO Company name and contact details available to management employees data subjects	37
Contact point for data subjects				Contact data accessible on the websites and privacy notices Function as the main public contact point (email & post) Guide your organisation on the possible sources of data requests	38(4)
Contact point for Data Protection Authorities (e.g. ICO)				Liaise with the ICO in the case of issues with the data subjects and data breaches	36 39(1)(d) 39(1)(e)
Regular newsletter to inform and advise on relevant developments and possible challenges in data protection	Monthly	Monthly	Monthly	Newsletter containing the latest regulatory news and compliance guidance, and news concerning conferences and training opportunities	39(1)(a)
Annual gap analysis	Virtual	Virtual	On-Site	Audit and gap analysis to map new activities and data-processing practices	39(1)(b)
Status discussion (via phone/Skype) and report	Annually	Every 6 Months	Every 3 Months	Discussion and report	39(1)(b)
Review of the privacy notices				Review of the privacy notices to ensure accuracy and advice on how to improve.	39(1)(b)
Provide advice to the client organisation on how to carry on data protection impact assessments (DPIA) and to monitor their performance				We provide advice on: Whether to carry out a DPIA The best methodology to follow Whether to carry out the DPIA in-house or to outsource it depending on the complexity What safeguards (including technical and organisational measures) to apply to mitigate any risks to the rights and interests of the data subjects Whether the DPIA has been correctly carried out and whether its conclusions are in compliance with the GDPR	39(1)(c)
Oversee the establishment and maintenance of the Record of Processing Activities				Contact point for the designated employee Guidance on the Record, including provision of check-lists, best practices, and methodological advice	30
Provide guidance on data breach handling and reporting				Contact point for the responsible person Contact point for the ICO Advice on best practices for handling data breaches, including notification requirements, reporting and identification of measures to limit damage	33(3)(b)
Monitor the data-protection-training activities and advise on their necessity				Inclusion of a chapter on training in the status reports Provision of news and updates on relevant conferences and training courses (newsletter) Provision of free-of-charge training materials, where appropriate	39(1)(b)
Yearly one-day seminar on the developments of data protection law and policy	online	online-live	on-site
Email assistance
Telephone assistance		(up to 4 hours per month)	(up to 8 hours per month)
Bespoke notifications to the top management on critical legislative, judicial, or policy developments that may impact your business				Email notification with explanation of the development and a preliminary overview of the impact on the organisation	39(1)(a)
Review of the consistency of the internal documents concerning data processing practices				Cross-check of the consistency of the internal documents	39(1)(b)
Weekend and holidays data breach guidance				Data breach guidance during the weekends and holidays, as opposed to standard working-day assistance
Drafting and maintaining the Record of Processing Activities
Bespoke training sessions for employees
On-site meetings and/or assistance	(£150/h)	(£75/h)	(£75/h)
Conducting Data Protection Impact Assessments on your behalf*	(£750 per day)	(£750 per day)	(£750 per day)

Monthly cost *Other travel costs, overnight stays, services of third parties, etc. will be charged according to their actual expense. Offer is subject to contract. All prices are VAT-excluded.		Please contact us for an estimate of the price.