If you are required to employ an internal or external DPO (Data Protection Officer), here are some questions I would advise asking.
First, you need to understand that a DPO position a company outsources must be properly interviewed for by both the outsourcer and the employer. The outsourcing company needs to understand the complete responsibilities of the DPO and confirm that it can provide the DPO with any extra support required, based on the service agreement between both parties.
It is vital that the outsourced DPO has the professional skills and capabilities for the role and the job ahead (ensure you have the right person for the job). I personally recommend a DPO who has completed both the Foundation and Practitioner level certificates and has a number of years of experience working in IT as a CIO, IT manager, in data management, or in something related to the previous compliance framework. GDPR is a new compliance framework, and it would be very hard for someone to be an expert in something that isn’t even in place yet, so be careful of the frauds offering an expert service.
In the questions below, “you” refers to the DPO candidate and not the DPO outsourcing company:
- How many years have you been involved with the laws of privacy, data protection, and information security?
- How many years have you been involved with each of: IS auditing, IT infrastructure, data management, risk management, and software programming?
- What relevant professional licenses and certifications do you possess?
- What professional associations related to data protection are you a member of?
- What risk assessment methodology would you utilize as a DPO and why?
- What types of DPIAs, privacy seals, and information security standards certifications have you been involved in?
- What types of organizations and projects have you led?
- Which countries have you practiced professionally in?
- Will you be resident in an EU member state for the duration of the contract?
- How do you stay informed on emerging trends in technology and law?
- How will you maintain your independence while working closely with us?
- Do you or your firm have any existing or potential conflicts of interest in taking on this DPO role?
- To what extent will you need to rely on your firm’s knowledge, experience, and capabilities to supplement your own?
- Are you able to provide legal advice on data protection? What is the scope of that advice, and where will you refer matters beyond that scope?
- What experience and ethical obligations do you have to maintain confidentiality?
- What subject areas have you taught professionally and raised awareness on?
- What relationship do you have with the local data supervisory authority?
- How familiar are you with our industry, technologies, and processes?
- How do you address your potential exposure to legal liability for this role?
- In what manner, and how often, will you keep the board informed of your activities?
- (For non-EU controllers) What experience do you have with our laws and culture?
- What type of resources will you need to assist you in your DPO role?
- If you provide this service on a periodic basis (e.g. certain hours per month), how will you be available if the need arises (e.g. data breach, new systems, new processing)?
- What are the first three things you would do in your role as our DPO?
Are you still assessing which GDPR services on the market are most cost-effective, or unsure whether you need a DPO at all?
Please send us a message and a member of our team will be in contact shortly.