BH Consulting launches DPO-as-a-Service offering

For many organisations, the General Data Protection Regulation (GDPR) now mandates the appointment of an independent Data Protection Officer (DPO). In response to this, BH Consulting has launched a new DPO-as-a-Service offering in order to assist clients in meeting their data protection compliance requirements.

Brian Honan, founder and CEO of BH Consulting, commented: “We developed our ‘DPO-as-a-Service’ offering in response to increased demand in the market, as more clients understand their obligations to protect personal information and as awareness of GDPR grows. The DPO role needs to be independent and autonomous, and as an external consulting firm we can provide that assurance.”

The DPO role, as mandated by the GDPR, covers a broad range of responsibilities, and includes advising the organisation of its data protection obligations, monitoring the organisation’s compliance with data protection law, consulting on the need for Privacy Impact Assessments where relevant, and acting as the organisation’s point of contact with the Data Protection Authority. BH Consulting has partnered with various organisations in order to provide a comprehensive and flexible service which ranges from providing on-demand expert advice, to delivering a fully outsourced model, and includes:

  • Advice about data protection policies and safeguards
  • GDPR readiness assessments
  • Advice about applying Privacy-by-Design principles to any new applications or systems
  • Privacy Impact Assessments for new systems and applications
  • Data breach management, monitoring, controls and reporting
  • Data protection compliance healthchecks
  • Data protection skills training and awareness
  • Risk management.

Under Article 37 of the GDPR, many organisations are obliged to appoint a DPO. The appointment of a DPO is mandatory for all public authorities, and for organisations whose data controller or data processor carries out core activities such as “regular and systematic monitoring of data subjects on a large scale”. An entity that processes “special categories of personal data” on a large scale must also appoint a DPO.

Article 37 also requires the DPO to have “expert knowledge of data protection law and practices”. Many organisations required under the GDPR to appoint a DPO are unable to assign the role to an internal member of staff, due to resource constraints and/or lack of knowledge and technical skills. Finding and recruiting a full-time data protection expert is also beyond the budgets of many organisations. Addressing these challenges, the GDPR makes provisions to fill this post on an outsourced basis.

 
