Does my organisation need a Data Protection Officer ?


First of all: what does GDPRP regulation say?

Controller and processor shall designate a DPO in any case where:

  • the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or 

  • the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10. ·     

A group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment.

The data protection officer may be a staff member of the controller or processor or fulfil the tasks on the basis of a service contract.

So, in plain, human language:

  • if you process sensitive personal data or if you process large amounts of personal data on a regular basis, you need to assign a DPO

  • However, this DPO does not necessarily need to be a staff member and he does not need to be fulltime in your company.

On the other hand, every company, small or big, that is processing personal data, is subject to the GDPR regulation.

So even if, on a purely legal basis, you do not need to assign a DPO in your company, it might be a good idea to at least have someone with the proper knowledge who guides you through all the obligations you have in regard to data privacy.

That’s why Serve-iT is your preferred partner to provide you with a “DPO as a Service”

  • Serve-iT assists you with all your data privacy and data protection questions

  • Your staff gets trained and we setup your awareness campaign in regard with data privacy

  • We assess your current maturity towards GDPR and e-Privacy regulations

  • Based on that assessment, Serve-iT will guide you in your implementation projects

  • We assure the necessary follow-up (strategy, legal context, framework, procedures, information management, tooling)

  • We organize, steer and follow-up your Data Privacy Impact Assessments (DPIAs)

  • We organize and monitor internal audits

  • When necessary, we maintain all necessary contacts with the Data Protection Authorities (DPAs) as well as with the Individuals that request to execute their rights (Rights of the Data Subjects)

Off course, you want to get rid of all those obligations? You prefer to spend your valuable time on your core-business !