Outsourced DPO for your company
OUTSOURCED DPO FOR YOUR COMPANY
What does it consist of?
The European Data Protection Regulation (EDPR) came into force on May 25, 2018 and its application is uniform for all member states of the European Union.
It is directly applicable and prevails over national legislation in the event of contradiction, in particular Law 78-17 of January 6, 1978 as amended.
It confirms the principles resulting from the Directive n°95/46 of October 24, 1995:
- Lawfulness, loyalty and transparency of any processing
- Determination of the purpose of the processing, which must be legitimate, adequate and relevant
- Limitation of the retention period
- Data security
In essence, its main principles are as follows:
- It is based on an articulation of legal and technological means, with a view to risk prevention: the logic of accountability versus the logic of prior formalities,
- A “Privacy by design” approach is adopted, which means that respect for privacy is now at the heart of any technical development, since personal data must be secure and remain confidential.
GDPR and yourself
Who is concerned?
- Any company that collects data allowing a person to be identified (email, image, date of birth, IP address, surname, first name, etc.), including in its professional activity, must be able to demonstrate compliance with these regulations,
- If the company has more than 250 employees, it is obliged to appoint a Data Privacy Officer,
- Smaller companies are not required to do so unless they
– process sensitive data
– process an important volume of data
If you do not fall into one of the above cases, we still recommend that you designate a DPO once compliance is achieved.
The DPO will be responsible, independently of his or her hierarchy, for ensuring that the processes and the register of personal data processing implemented within the company are effective and up-to-date, for informing the company and its teams by raising awareness of these issues, and for informing the persons concerned of their rights.
The DPO also advises the company on carrying out impact studies and is the point of contact with the CNIL.
Finally, throughout the year, he ensures compliance with the procedures in place, particularly in the event of a breach of data security or a request for exercise of rights by a person.
Why we recommend to have a DPO?
What is the typical DPO profile?
The DPO must wear two hats: he must have received appropriate legal training and understand the mechanisms of his company’s information systems.
In addition, he or she must be assured that he or she can carry out his or her duties with complete independence.
Depending on the number of processing for which the company is responsible, or a subcontractor, his tasks may therefore occupy him 1 day per week, 1 day per month or 1 day per quarter.
This is the reason why we propose to outsource these functions and entrust us with the responsibility.
Our assistance consists in this framework:
- To carry out once a year interviews with the key people of the company,
- To write an annual report to record events that occurred during the year,
- To update the register of processing (and consequently to analyze the new processing created during the past year),
- To update deficient process documents,
- To update the IT charter,
- To raise awareness among the employees concerned (1 session per year),
- To define if impact studies are necessary in order to organize them (via an external service provider),
- To ensure the interface with the CNIL in case of particular questions or control,
- And more generally to take any action that will allow the company to achieve optimal compliance.
What is our assistance?
Costs related to outsourced DPO support
Depending on the size of your company, and according to the number of treatments identified, we will offer you an adapted fixed-price intervention.
Example of packages:
- 12 days of intervention (i.e. 1 day per month): 13,200 euros excluding VAT (payable monthly)
- 4 days of intervention (i.e. 1 day per quarter): 5,600 euros excluding VAT
- Minimum package: 2.5 days per year, i.e. 3,600 euros excluding VAT (training in addition).
An audit prior to our intervention may be necessary in order to ensure that the compliance has been carried out in a professional manner.