DON'T THINK OF YOUR DPO AS JUST ANOTHER "ADMIN" POSITION; REMEMBER THAT THE COURSE OF YOUR INITIAL EXPERIENCE WITH AN EU SUPERVISORY AUTHORITY WILL LIKELY BE DETERMINED BY THE FIRST IMPRESSION CREATED BY YOUR DPO.
WHETHER OR NOT YOUR ORGANIZATION IS REQUIRED TO COMPLY WITH ARTICLE 37 OF THE GDPR, APPOINTING A QUALIFIED* DPO WHO CAN DEVELOP AND ARTICULATE YOUR PLAN TO CLOSE YOUR GDPR COMPLIANCE GAP QUICKLY MAY ULTIMATELY DETERMINE YOUR EXPOSURE TO A CRIPPLING GDPR FINE.
APPOINTING AN ARTICLE 37 DPO IS NOT A "CHECK BOX" EXERCISE!
- Your selection of a qualified DPO (Data Protection Officer) meeting the requirements of Article 37 is a process that must be documented for review by regulators in any of the EU jurisdictions where your company handles personal data, and it must meet the standards of the most stringent EU jurisdiction in which you process personal data.
- An experienced DPO who can guide organizational Data Mapping, Data Inventory and Privacy Impact Assessment (PIA) exercises can quickly produce valuable intelligence on how best to target your limited GDPR compliance resources and important Article 30 records.
- Appointing a DPO whose experience aligns with the complexity of the organization is required under the GDPR, and voluntarily engaging a DPO to immediately undertake these key GDPR compliance steps also helps demonstrate an active compliance posture to EU regulators.
- An appointed DPO, where required under Article 37, will exercise significant oversight and influence on strategic business operations. With high regulatory fines for failure to appoint a qualified person and restrictions that prohibit arbitrary removal of a DPO once appointed, this resource must be carefully chosen, not least because you will identify this individual to your supervisory regulator as your primary point of regulatory contact.
*Appointing an unqualified DPO (one not meeting the expertise requirements of the statute) may trigger the same administrative fine level as the failure to appoint a DPO if your company is subject to the requirement.
The following specific compliance project offerings can help you assess your company's overall risk and compliance gap before establishing a DPO relationship under the GDPR.
Basic GDPR Risk Assessment
In-House Privacy Risk Assessment:
$10,000 consulting fee for up to 40 hours of dedicated consulting time to identify significant risk areas and jurisdictions specific to your company and business activities. After mapping your data flows, our consultant will produce a detailed compliance risk "heat map" and related short-term recommendations. (Basic fee applicable only to entities with 10 relevant compliance jurisdictions or fewer.)
GDPR Compliance Program Design
Whether implementing a compliance solution for your cross-border transfer of HR-related PII, or preparing a strategic compliance plan to address Privacy Shield concerns or the upcoming enforcement of the EU GDPR, our standard consulting rate of $300 per hour allows you to complete your compliance project in a cost-effective way, controlling and targeting your use of foreign legal counsel resources.
(Minimum Engagement 10 Hours)