DPO-as-a-Service Options Pop Up as GDPR Deadline Looms

Written by

The 25 May deadline for compliance with the EU General Data Protection Regulation (GDPR) is looming large, and many businesses aren’t yet prepared, including for the requirement of implementing a data protection officer (DPO). However, as-a-service options could be a new cottage industry springing up to fill the need.

To that end, ThinkMarble has launched its Virtual Data Protection Officer (VDPO) service, allowing UK businesses to tap an outsourced team of cybersecurity and risk mitigation lawyers that can act as their DPO under the GDPR. The lawyers will work alongside ThinkMarble’s multi-disciplinary team of security analysts, incident responders and penetration testers to provide a bespoke service to each business to help with compliance with UK and EU data protection laws. 

For public bodies and many private businesses, appointing a DPO is a mandatory requirement under the GDPR regardless of the size of the organization or the resources it has. DPO-as-a-service models can thus benefit smaller businesses that may balk at the need to recruit expensive, full-time, in-house compliance staff.

“The gravity of non-compliance with GDPR is far too severe for the average mid-sized company to survive the resulting penalties," Duncan McAlynn, president at Operandis, told Infosecurity. "By utilising virtual DPO services, coupled with back-end legal and security expertise, organisations seeking to protect themselves and their data will greatly benefit from this outsourced arrangement.”

ThinkMarble’s VDPO service will offer companies access to a team of data protection legal and risk specialists who will act as trusted advisers, liaise with the Information Commissioner's Office (ICO) and make sure they comply with legal and contractual data security obligations. They will also act as the main contact point for data subjects, such as employees and customers, and help raise awareness and train staff on the importance of data protection. Another important function is to provide regular, comprehensive reports that advise on appropriate data security measures and risk mitigation at board and management level.

“The role of the DPO is at the heart of this new legal framework and will be an integral cog in any company’s ability to prove that they are not only compliant with the new regulation but also...demonstrating the highest level of accountability should a breach occur,” said Robert Wassall, data protection lawyer and head of legal services at ThinkMarble. “A DPO should be appointed based on their knowledge and expertise in the field of data protection. They must be independent, credible and show integrity – this is difficult for a current employee, whether they are the head of IT or at director level, as this will represent a conflict of interest. Equally, you cannot expect to send an employee on one of the many advertised EU GDPR short courses and expect them to come away as an expert in data protection and law.”

What’s hot on Infosecurity Magazine?