A- The Data Protection Officer is a role enshrined in the General Data Protection
Regulation (GDPR) (Section 4, Articles 37, 38 and 39).
The main responsibilities of a DPO are:
To inform and advise the Controller or Processor of their obligations under Data Protection law, regulations and guidance.
To monitor compliance with GDPR and any other data protection provisions,
including policies, procedures and training. This is conducted through
assurance and audit activity.
To support Data Privacy by design efforts at the initial design phase by
providing advice surrounding Data Protection Impact Assessments.
To communicate with the Supervisory Authority (the Information
Commissioner’s Office, ICO, in the UK) on matters related to enquiries or compliance.
A- As a DPO, we act in an impartial and confidential manner. We will review your
complaint and assess the nature of it. If it is within the scope of the law and lies within our
duties, we may decide to investigate further. It is important to note that
this may take some time as we collect all the facts of your case before responding to
both you and the Data Controller.
A- In order to fully respond to your complaint, we will need time to assess, review,
seek further information from the data controller, and assess compliance with the law,
regulations and policies. We may need to seek advice from the ICO; time frames will
be case dependent.
We are unable to give a timescale for the conclusion of our enquiries, but we will
keep communications frequent to ensure you are informed throughout the process.
A- We must work with the Data Controller and the Data Subject to resolve Data
Protection concerns. We are employed by the Data Controller, who will receive a
confidential report, a summary of which you will also receive. Our duty of
confidentiality extends to this work; however, we will be as open and transparent as
we can when responding. There will be some cases where we need to share your personal information; however, we will only do this if absolutely necessary, and you will be notified prior to it happening.
A- Under the law, we have a requirement to keep all matters confidential. Within DPAS,
the qualified DPOs will be the only individuals investigating your complaint.
We will be required to share your details with the Data Controller in some cases to
reach a determination of the facts. We will only do so when it is deemed necessary.
We are required to retain your information for some time to demonstrate compliance
with the law. The details of this can be found in our privacy notice, which can be
found on our website.
A- We are hired under a service contract; therefore, we are not employees, which allows
us to be truly independent of the Data Controller as defined within the law.
A- Our Data Protection Officers are in some cases legally trained, and in all cases those
dealing with your case will have had advanced training on our Certified Data
Protection Officer training program. The DPO assigned to your case will have
knowledge of your data controller’s operations.
Our Data Protection Officers are supported by our Chief Data Protection Officer,
Nigel Gooding, who is legally and professionally qualified.
A- No, the Data Controller is not legally bound to follow our advice but where they
decide not to follow, they have to be clear and provide written evidence regarding
A- As we work on behalf of the Data Controller, all requests for further information should be sent to them direct.
If you are then not fully satisfied with the response, you are within your rights to raise the matter with the Supervisory Authority (ICO).