Data Protection Officer (DPO) Service

Why instruct CSRB as your outsourced Data Protection Officer (DPO)?

CSRB is focused on reducing risk. Every organisation is unique, with a completely bespoke set of personal data requirements and risks. All DPOs at CSRB undertake regular CPD training in data privacy and information governance.

A lot of other providers do not insist on their DPOs being certified; we do.

Engaging CSRB as your DPO guarantees you a professional who is well researched and qualified with regard to data privacy.

Keeping things clear and concise is central to how we explain personal data protection. The complex language and acronyms surrounding data protection can confuse people and put them off dealing with the issues. Having a designated DPO from CSRB removes this worry and offers peace of mind.

With our DPO service starting from just £550 plus VAT per month, we believe we offer fantastic value, not just against the annual salary of appointing an internal DPO, but also in the time saved through outsourcing the role, leaving internal stakeholders to excel at what they are great at!

That’s why CSRB are known as personal data specialists!

What is a Data Protection Officer (DPO)?

DPOs help you monitor internal compliance, inform and advise on your data protection obligations, mitigate risk, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects (prospects, clients) and the UK regulator, the Information Commissioner’s Office (ICO).

The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level. Many organisations prefer to outsource the DPO role to demonstrate compliance with UK GDPR, other UK data privacy legislation, the data processing principles, and to demonstrate accountability to the ICO and other key stakeholders.

Can an internal staff member be a Data Protection Officer (DPO)?

The Data Protection Officer (DPO) has a legal definition in the UK GDPR and therefore has certain responsibilities within the role that must be met. Many organisations fall into the trap of appointing a current employee as the DPO, who already has many other responsibilities, but has no expert knowledge of data protection. This person must not be called a DPO.

Being a DPO is not just a name, but a role with legal responsibilities and requirements attached to it; it is a professional role.
Appointing an internal staff member as a DPO carries a large amount of risk to the organisation if that person is not adequately resourced in data protection legislation and responsibilities.

Under UK GDPR both data controllers (e.g., directors) and data processors (e.g., employees) are jointly responsible under the accountability principle for the secure processing of personal data, with both facing enforcement action from the ICO for any breaches. This could lead to reputational damage for the organisation (data controller) and cause the employee (data processor) a large degree of anxiety about completing two job roles effectively, and ultimately their long-term future.

The DPO role is a professional role that carries a full-time list of job responsibilities and falls in the salary range of £35,000-£65,000 within the UK. As you can see, it cannot possibly be carried out as a dual role alongside, for example, the Marketing Manager or IT Manager role.

Why outsource the Data Protection Officer (DPO) role?

Although Article 35 of the UK GDPR does not specify the professional qualities required from the DPO role, it is noted that DPOs should have in-depth knowledge of UK data protection legislation, including a deep understanding of the UK GDPR.

In addition, the appointed DPO needs to have wider knowledge of European and worldwide data protection governance, whilst having industry-specific knowledge to comply with the requirements of professional associations and bodies (e.g., Financial Conduct Authority).

A core principle built into the DPO role is that there should be no conflict of interest arising from additional tasks or duties within the organisation. By outsourcing the role to certified experts in data protection, such as CSRB, you ensure your DPO is fully independent.

The DPO should not receive any instructions with regard to exercising their tasks, nor should they be subject to any internal lobbying that may jeopardise either their independence or their ability to discharge their job responsibilities in a UK GDPR compliant manner.

DPOs can start to build a Privacy Management Framework (PMF) within the organisation which will help with organisational development and growth. The main objectives for the DPO here are to ensure personal data is kept secure, protect the rights and freedoms of data subjects, comply with the relevant legislation and regulations, and look to differentiate the organisation from its competitors by working towards certification in information and privacy governance.

There are many more benefits to outsourcing the DPO role. Contact us to find out more.

What is provided within the outsourced Data Protection Officer (DPO) service?

DPOs undertake a wide array of tasks within their job role. The key tasks performed by the outsourced DPO service at CSRB are as follows: