Watchman IT Security – DPO Service for North Wales

DPO as a ServiceDPO as a Service

Why use DPO as a Service? Under the new General Data Protection Regulation, organisations that find themselves in the following three categories must appoint a Data Protection Officer (DPO):

  1. Public authorities, including local councils
  2. Businesses systematically monitoring large numbers of people (this can include things like payroll, IT support, email marketing and location-tracking)
  3. Businesses processing sensitive personal data (related to ethic origin, political opinions, mental and physical health, and so on).

So, if your organisation is in one of these groups, you may be finding it tricky to appoint the perfect person.Why?

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Part 3, Chapter 4 of the Bill:

  • to inform and advise the controller, its employees, and any associated processors about their obligations to comply with the GDPR and other relevant data protection laws such as Part 3 of the Bill;
  • to monitor compliance with data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits; and
  • to be the first point of contact for the Information Commissioner and for individuals whose data is processed (employees, customers etc).

What does the Part 3 of the Bill say about employer duties?

You must ensure that:

  • the DPO reports to the highest relevant management level of your organisation – ie board level;
  • the DPO operates independently, and is not dismissed or penalised for performing their task, however a DPO can still be dismissed or penalised for misconduct or negligence relating to their task; and
  • you provide adequate resources to enable DPOs to meet their obligations under GDPR or Part 3 of the Bill.

Can we allocate the role of DPO to an existing employee?

Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.

You can also contract out the role of DPO externally.

Does the DPO need specific qualifications?

The GDPR or Part 3 of the Bill does not specify the precise credentials a data protection officer is expected to have.

It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing you carry out, taking into consideration the level of protection the personal data requires.

Suitable Experience vs Conflict of Interest

The GDPR regulations make it clear that there must not be any conflict of interest for the individual selected s a Data protection Office for an organisation. So, someone from marketing can not be a DPO as there would be a potential conflict with the data that marketing process. Likewise, an administrator who enters data concerning clients or who allocated clients to a sales person or support worker would not be suitable because of the data they enter and process.

This situation makes it challenging for organisations to allocate the role of DPO to a member of staff. Furthermore, you cannot have two or more individuals performing the role.

Surprisingly, (perhaps not to us), a recent government-sponsored survey suggested than half of UK organisations are not even aware of the May 25th GDPR deadline, and our own experience suggests that very few of those that are aware of GDPR have taken action to deliver the required processes and procedures. This is leading to a shortage of companies available to assist with GDPR implementation and a high demand for suitable DPO’s.

What we can do to help

As the regulation explains, you can outsource the Data Protection Officer Role and thanks to our experience, we can provide this service for the vast majority of businesses within the United Kingdom, and we would welcome the chance to offer this service to you and your organisation.


DPO as a service (GDPR)


< 20


21 – 250


> 250

GDPR gap analysis and report (Requirement)
Provide advice and guidance to the organisation on GDPR compliance Up to 96 hours’ consultation per year Up to 192 hours’ consultation per year Up to 288 hours’ consultation per year
What’s included in the consultation hours?
Review and advise on privacy policies, procedures and documentation relating to the processing of personal data – Art. 39(1)(a)
Oversee the establishment and maintenance of the personal data processing register (the Article 30 Record) – Art. 39(1)(a)
Advise on the necessity of a data protection impact assessment (DPIA), the manner of its implementation and outcomes – Art. 39(1)(c)
The DPIA can be undertaken by IT Governance as a separate service
Provide guidance on data breach monitoring, management and reporting – Art. 39(1)(a)
Serve as the contact point for data protection authorities for all data protection issues – Art. 39(1)(d) and (e)
Provide advice and guidance on responses to privacy rights requests from individuals (information, access, rectification, objection, erasure, right to data portability) – Art. 38(4).
The process management of privacy rights requests is not within the scope of the DPO service
Facilitate GDPR awareness training and the training of staff involved in data processing operations
Monitor compliance with the GDPR – Art. 39(1)(b)
Assist clients with information collection to identify personal data processing activities; verify GDPR compliance of the processing activities; provide advice and guidance on compliance best practice
Quarterly report for senior management to ensure corporate governance of the Regulation
Pay in advance – Annual Price (12 MONTHS FOR THE PRICE OF 11)
£1650 + VAT £3190 + VAT Price on application
Spread the cost – Monthly Fee £150 + VAT per month £290 + VAT per month Price on application


Would you like a no obligation call or meeting?

Great….. Just complete the form below:

Contact Us
Our privacy policy along with information about how we process your data is available HERE