Do you need a Data Protection Officer (DSO/DPO)?
A data protection officer’s (DSO/DPO) primary task is to ensure compliance with the data protection regulation. The assignment as a data protection officer can be divided into six main tasks:
- To inform about changes/news concerning personal data processing
- To carry out controls of the business
- To advise on GDPR
- To cooperate with IMY in matters relating to GDPR
- To be the contact person for investigations
- To be able to assess risks and prioritize work, for example through a risk and impact analysis
Secify as Data Protection Officer DSO/DPO
To establish well-functioning compliance work, we follow a systematic way of working, which we usually shape through a so-called year wheel. The purpose is to be able to demonstrate systematic compliance work through recurring measures and reviews.
We understand that all businesses look different and have different needs. Therefore, through clear communication and transparency, we strive to design a service plan that both meets your business-specific data protection requirements and reflects your level of ambition for your data protection work.
This is what we help with as a data protection officer:
- Cooperation with the supervisory authority
- Support in the event of personal data incidents
- Support when introducing new services that process personal data (incl. in case of major infrastructural changes or when bringing in or outsourcing e.g. operational services)
- Advice and support when you develop existing information systems that contain personal data or decommission old systems, and assistance with setting requirements for new information systems to be introduced in your organization
- Monitoring of external developments
- Ongoing reporting and advice to management
- Annual audit (incl. checking of guidelines, various random samples of routines, possible penetration tests)
We at Secify have broad and deep knowledge in all the areas required to deliver a comprehensive service as a data protection representative for your organization. Through us, you get the expertise required in law, IT and information security.
As your data protection officer, we at Secify also manage:
- Knowledge of the data protection regulation and other applicable data protection legislation
- Monitoring compliance with the Data Protection Regulation and other applicable data protection legislation
- Reporting to management on data protection issues, the organization’s shortcomings and development needs
- Requirements within the business and introduction of security protection measures according to data protection legislation
- Monitoring of internal compliance with the organization’s data protection strategy
- Identification of competence, training within the data protection regulation and adjacent legislation
- Assistance in the investigation of suspected data breaches
- Advice and monitoring in the implementation of impact assessment
- Monitoring of developments around the Personal Data Act, the Data Protection Regulation and the Patient Data Act
- Prior consultation with the supervisory authority
Do you want to know more?
Get in touch and we’ll tell you more about data protection officers.
“As our external Data Protection Officer, Secify has helped us solve complex issues regarding data protection. They have given advice, supported and reviewed our company’s processing of personal data in an exemplary manner. The expert competence that we get from Secify creates the conditions for continued safe data protection work in our organization.”
External Data Protection Officer
A number of organizations are required to appoint a data protection officer. These organizations can be private healthcare providers, trade unions, telecom operators, banks, insurance companies, security companies and companies that operate public transport and process travel data about their passengers, all of which have the following in common:
- they regularly, systematically and extensively monitor individuals.
- they process, to a large extent, sensitive personal data (i.e. information about health, genetics, sex life, sexual orientation, ethnic origin, political opinions, religious or philosophical beliefs or trade union membership) or information about crimes.
For example, you need to appoint a data protection officer if you offer your customers loyalty programs, provide connected devices (e.g. smart cars or devices for home automation) or if your business concerns services for telecommunications networks or telecommunications. You must also have a data protection officer if your main business includes:
- surveillance using cameras
- tracking and profiling on the internet
- data-driven or behavioral marketing
- location tracking (e.g. in mobile apps)
- monitoring of health, exercise and other well-being (e.g. through health apps or activity bracelets)
- profiling and scoring for risk assessments for determining creditworthiness or level of insurance premium.
Often these businesses lack the internal competence or financial resources to meet the requirements. Hiring an external data protection officer to fill this position can often be both more effective for the business’s work with data protection and less costly. We at Secify can act as a consultant and your external data protection representative.
Here are answers to the most common questions about data protection officers. Do you have a question that is not listed? Use the contact form further down the page.
No, not necessarily. A data protection officer can be an employee, but the function can also be filled by an external party, such as a consultant.
No, there are no explicit requirements that the data protection officer must have a law degree. However, the data protection officer must have good knowledge of data protection, good expertise in the business and sufficient resources for their mission.
Yes in theory, but the Data Protection Officer must be able to work independently, without being influenced by others within the organization. It is therefore important that the data protection officer does not have other tasks that may conflict with the role of data protection officer.
It is possible within groups and also for independent companies. What is required is that the data protection officer must be able to put in the resources required to fulfil what is prescribed in the GDPR’s articles. This also applies to public organisations.
The data protection officer must:
- Advise on impact assessments
- Be the contact person for the country’s authority for Privacy Protection
- Be the contact person for data subjects and the staff within the organization
- Cooperate with the authority for Privacy Protection, for example during inspections.
The data protection officer has no personal responsibility for the organization’s compliance with the data protection regulation. That responsibility always rests with the data controller or with the data processor. The data controller also may not penalize the data protection officer for having performed their duties.
Unlike a DPO, the DOM has a more operational role.
The external representative’s advantages are that the person usually brings skills from several organizations and knowledge of current practices. An external representative is also not bound by any place in the organizational hierarchy and does not risk being limited in practice because of this.
No, it is important that the data protection officer is objective in his task. For example, it is not appropriate for the data protection officer to sit in the organization’s management or to be involved in making strategic decisions about the core business that includes personal data processing.
Yes, a group can act as a data protection officer, but an appointed contact person is always required.
The data protection officer needs to register with the authority that handles privacy and GDPR questions in their country.
Can an organization have a data protection officer, even if there is no legal requirement for their business?
Yes, the fact is that the supervisory authority encourages all organizations to appoint a data protection officer. This is to be able to communicate more easily when necessary with the supervisory authority, as well as to organize the work with data protection.
The short answer is yes. Organizations that are obliged by law to have a data protection officer (for example government agencies or socially important actors) may receive sanctions if they have not employed a data protection officer or, alternatively, implemented a data protection officer function.
No, not all organizations are required by law to have a data protection officer, but almost all must comply with the GDPR. It can therefore be of great value to a business to have someone who ensures that the regulation is followed.