We’ve compiled a list of frequently asked questions (FAQs) about our external Data Protection Officer (eDPO) service. These questions cover key aspects of what an eDPO does, why your organisation might need one, the typical outputs you can expect, and how the service is delivered. Whether you’re exploring your data protection obligations or looking for a cost-effective, expert-led solution, these answers will help you better understand how Blackfoot’s eDPO service can support your compliance needs.
1. What is an eDPO?
eDPO stands for external Data Protection Officer. An eDPO provides advice and guidance on specific elements of your organisation’s data protection commitments and acts as the primary contact for regulators and individuals (including employees) who may raise concerns or requests for information in relation to your organisation’s data protection obligations.
An eDPO also monitors your organisation’s position in relation to compliance and data protection obligations and reports on the state of ongoing data protection commitments and risks to the organisation. Our eDPO service can be tailored to your individual use case and requirements and will be a cost-effective solution to ensure that data protection-related obligations are met while minimising operational disruptions.
2. Why do we need an eDPO?
Blackfoot’s eDPO service:
- removes your obligation to provide ongoing training, development and resources to an internal DPO, which can be time-consuming and expensive
- reduces exposure to employee flight: companies can invest significant money and time in establishing and maintaining an internal DPO, who may then leave the company after being trained
- provides you with access to scalable data protection expertise as well as additional multi-sector expertise and services provided by Blackfoot more generally
- provides an independent, trusted and consistent ongoing view of your data protection position, communicated to senior leadership/board via quarterly reporting
- removes the possibility of a perceived or actual conflict of interest occurring
- provides a focal point for data protection issues
- allows ongoing understanding of your data protection compliance position, assisted by quarterly reporting to the board.
3. What outputs can we expect?
We will undertake an Initial GDPR Compliance Check and provide a high-level report of our findings. We will then provide follow-up quarterly compliance reports (based on action points from the GDPR Compliance Check report).
We will also:
- advise on how to conduct DPIAs
- review DPIAs
- provide a documentation requirement list
- review your RoPA for gaps
- review your Privacy Notice
- review Data Protection Policy and associated data protection-related documentation
- review your training efforts
- provide guidance on data breach notification requirements, including:
  - being a contact point for the regulator
  - being a communication point between your organisation and the regulator for ongoing incident requirements
  - assisting with drafting data subject communications/updates (note: Blackfoot will not manage the response or send communications)
  - advising on regulatory requirements for reporting
  Note: The eDPO will not manage your response to the breach itself.
- register with your regulator as a point of contact
- handle data subject enquiries, including:
  - communications around DSARs:
    - determining the validity of a DSAR
    - advising you of timelines for responding to the DSAR and whether you can argue for an extension
    - providing guidance on the information that you must provide to the data subject
    - providing guidance on exemptions that you could apply when responding to the DSAR
    Note: Blackfoot will not undertake the DSAR or manage your response to it.
  - recording complaints and forwarding them to the relevant stakeholder
  - receiving and triaging communications generally received from data subjects (e.g. employees)
- handle regulator enquiries.
Advice and actions provided by your Blackfoot eDPO are subject to agreed maximum levels of time spent per incident/ticket submitted.
4. What documentation would you need access to undertake the eDPO service?
No documentation is required in advance; however, we will undertake an initial GDPR Compliance Check at the start of the eDPO service, which will likely require a review of your privacy documentation. The documentation required for review will be communicated as the GDPR Compliance Check progresses. Following the GDPR Compliance Check, we will review specific data protection-related documentation, such as your Data Protection Policy and your Privacy Notices. You can also instruct us to review any other documentation, or to amend or create relevant documentation based on the output of the GDPR Compliance Check.
5. What is the anticipated timeline for commencing the eDPO service?
When we are engaged to provide the eDPO service, we will first undertake an initial GDPR Compliance Check. This allows us to become familiar with your organisation and understand your specific requirements. The initial information gathering generally takes approximately two working weeks, followed by one further working week to draft and agree the report. Once the report has been released to you, we proceed to business-as-usual eDPO service provision (see the “What outputs can we expect?” section above for further detail).
6. What does the GDPR Compliance Check consist of?
The Initial GDPR Compliance Check consists of:
- Phase 1 – Project Planning & Preparation
Conduct an initial project kick-off call with the project sponsor and key stakeholders to set the scene, agree pre-requisites and the involvement of all parties.
- Phase 2 – Discovery Exercises
Undertake a preliminary review that will focus on establishing a high-level understanding of the organisational structure and the presence and use of policies, processes and technology for the in-scope areas.
- Phase 3 – Data Protection Regulatory Compliance Check
Conduct a high-level company review of the current level of data protection compliance. Check the current data protection documentation.
- Phase 4 – Findings Reporting
Produce an assessment report including the identification of gaps and prioritised recommendations for remedial actions to establish and improve your data protection compliance.
- Phase 5 – Continuing Support
Quarterly reporting and attendance at governance meetings with senior management. Assist you with responses to data protection events.
7. How do you define ‘departments’?
Departments can be viewed as areas of responsibility. We generally work in terms of 11 distinct departments (Customer Service, Marketing, DPO, Finance, HR, Information Security, IT, Legal, Operations, Sales, Procurement and Vendor Management). The structure of your company may not exactly match these departments; we will tailor our eDPO service to meet your requirements.
8. Does the eDPO service take account of the GDPR, and advise on compliance with this legislation?
We use the principles of the GDPR and its key requirements as the foundation for the eDPO service, along with the OECD privacy principles. This means that the recommendations set out in the initial GDPR Compliance Check report, if implemented, would provide a robust position from which to demonstrate compliance with the GDPR.
N.B. The GDPR is supplemented by local legislation in each EU member state, and these national variations cannot be covered in the report; however, for the elements that may differ in your jurisdiction, we can of course provide additional guidance or direct you to resources that allow you to make these adjustments.
This FAQ demonstrates that data protection is a multi-faceted area requiring the development and ongoing maintenance of an appropriate framework.
Should you have any further queries, please do not hesitate to contact us.