External Data Protection Officer
Who needs a data protection officer?
Simply put: The EU GDPR requires an internal or external data protection officer to be appointed by every company in Germany with more than nine employees. In some cases, companies might be required to hire a data protection officer at an earlier point – and regardless of the number of employees – for example, if the company processes data that is more sensitive such as health data.
Why do I need a data protection officer?
The data protection officer helps you comply with the legal requirements in data protection. Under the EU GDPR, companies are required to prove their data protection compliance not just sporadically, but structurally. The external data protection officer provides advice on data protection issues and lets you know whether your practices comply with applicable data protection laws. The data protection officer also provides tips and recommendations on how you can implement current data protection requirements in your company’s operations.
Under the EU GDPR, what is particularly important for companies?
The EU GDPR states that companies should above all address the following issues:
- Documenting the procedures that process personal data (the so-called “directory of processing activities”)
- Contractual relationships with third-party service providers (keyword: “outsourced processing agreement”)
- Compliance with the minimum standards in IT security
- Educating and training employees
What are the data protection officer’s responsibilities?
As a rule, the data protection officer is consulted whenever IT systems are introduced that are critical to data protection, or if data is lost in an attack. Another one of the data protection officer’s responsibilities is to train the employees who do the data processing. Companies receive additional support as well: The data protection officer is the contact person for questions related to data protection and gives the company the tools it needs so it can structure and integrate the data protection issues into in-house procedures.
When does it make sense to hire a data protection officer?
A data protection officer should be appointed if the company is required to do so by law (usually, if the company employs more than nine people who have access to personal data). Irrespective of the legal obligation, companies also often appoint data protection officers for other reasons, when they realize they are in need of professional advice in the area of data protection requirements. This is the case, for example, for companies that process sensitive healthcare data or for companies that process data on behalf of their customers.
Internal or external data protection officer?
Each option has its advantages and disadvantages, and the choice should be tailored to your business. Pursuant to the law, both internal and external data protection officers are mandated to take care of a company’s data protection needs while operating as independent and neutral agents. Data protection requirements have become increasingly complex in recent years. Small and medium-sized companies therefore often rely on external data protection officers who specialize in this area.
Who can become a data protection officer and how long does it take to become a data protection officer?
In theory, the training to become a data protection officer usually takes a week, depending on the provider. However, in our experience, the ability to practically apply what was learned requires several years of experience in the field. As for us, we serve on the board of directors of the world’s largest professional association of data protection specialists in Germany. The International Association of Privacy Professionals (IAPP) offers an ISO-accredited data protection training course.
A form to appoint a data protection officer
If you would like to appoint us as your data protection officer, we will send you a form, which you can use as documentation for the data protection supervisory authority, to prove that you have appointed us.
How much would it cost to hire an external data protection officer for my company?
With our Privacy Kit, we offer small companies with up to 20 employees a solution that includes the appointment of a data protection officer. It costs €32.50 per month plus VAT and is billed annually. The Privacy Kit includes web-based data protection management software, which you can use to cost-effectively address data protection issues. Moreover, we are also available to answer any questions you might have.
Additional information about the Privacy Kit can be found here.
As for medium-sized companies equipped with an internal or external data protection officer, we are offering them support with our Compliance Kit, which provides data protection management software based on ISO standards.
Additional information about the Compliance Kit can be found here.
If you would like to receive a detailed offer, you can also request a non-binding cost estimate. Just fill out the form to quickly and easily determine the cost of an external data protection officer for your company.