GDPR requires certain companies to appoint a Data Protection Officer (DPO), read in our blog which companies need to appoint a DPO.

The DPO can be a company’s or organisation’s employee but a company can also appoint an external service provider as a DPO. Service provider is highly qualified professional who focuses full time on data protection and helps to ensure high standards of data protection in all companies or organisations.

In Maili Data and Privacy Protection Management (Maili DPPM) the DPOS are fully qualified and highly regarded experts holding data protection (CIPP/E, CIPM) and information security auditor (ISO27001 lead auditor) certificates.

Maili DPPM DPO is a good choice also for an international and multilingual company as the DPO speaks Estonian, English and Russian and is familiar with data protection peculiarities in the Baltic and Nordic countries.

The size of DPO service’s fixed monthly fee depends on company’s data protection complexity and particular requirements of a company, but it is still more reasonable than hiring an employee with similar expert knowledge.

The DPO-s tasks in a company or organisation:

• If needed, maps data processing and puts together a record of processing activities (ROPA).
• Maintains and updates the ROPA.
• Creates and manages data protection and, if required, information security policies and guidelines, for example privacy policy, data management, Data Protection Addendums to contracts with joint-controllers and/or data processors.
• When needed DPO will advise applying adequate technological measures for data protection.
• Conducts Data Protection Impact Assessments (DPIA) as and when needed, recommends appropriate actions to mitigate the risks and monitors the process of risk mitigation.
• Provides data protection trainings to company employees.
• Conducts ad hoc compliance checks to see if applied organisational and technological measures are working.
• Responds to data subjects, company’s employees and clients, queries about personal data processing and ensures that data subjects rights (correction, restriction, deletion and data portability) are met;
• DPO also responds to data protection regulator’s queries and cooperates with the regulator if needed.
• The employees of a company will be sent the name and contact details of the external DPO.
• DPO’s contact email dataprotection@companyname.ee is published in the privacy policy on your website.

Depending on the the external DPO will come to the customer’s offices for the agreed hours, to ensure that the DPO is a part of the team in the company. If the customer is located outside of Estonia, regular meetings with the company, at least one a month, will be conducted over the internet.