Data Protection Officer
Did you know that under section 23 of the NZ Privacy Act 1993 it is compulsory to designate a Data Privacy Officer?
Data Protection Officer
per month / up to 25 employees
From $750 + GST
- Designation of the data protection officer
- Annual online audit of the controller or processor
- Online training of the employees
- Fulfillment of the legal obligations of the data protection officer
- To advise and participate in the preparation of the data protection impact assessments
- PLUS ALL THE FOLLOWING
- “GDPR Shield” Website software
- Data Subject Request Support
- Data Mapping
- GDPR Policies
- GDPR Procedures
- GDPR Checklist
- Data Breach Response Plan
- We are backed by a GDPR Lawyer
DPO GDPR Compliance Services
The monthly fee includes the fee for designation of the data protection officer for a company. The designation of the data protection officer is required by law: as from 25 May 2018, the appointment obligation is regulated by Art. 37 GDPR. However, in New Zealand it is also law under s23 Privacy Act 1993 for all agencies to designate a Privacy Officer who is responsible for compliance with the Act.
According to Art. 32 (1) lit. d GDPR, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and, inter alia, a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
According to Art. 39 (1) lit. b GDPR, the data protection officer has a duty to monitor compliance with the GDPR, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including conducting periodic audits.
Art. 39 (1) lit. a and b GDPR require the data protection officer to train the employees of the controller. The online training must be taken annually by each employee of the client. Upon successful completion of the online exam, each employee will receive a data protection certificate valid for one year.
According to Art. 39 (1) GDPR, the data protection officer has at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to the General Data Protection Regulation and to other Union or Member State data protection provisions;
b) to monitor the compliance with the General Data Protection Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Art. 35 GDPR;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Furthermore, data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the General Data Protection Regulation, Art. 38 (4) GDPR.
Art. 35 GDPR regulates the data protection impact assessment. According to this provision, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data, where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons. When carrying out a data protection impact assessment, the controller in accordance with Art. 35 (2) GDPR shall seek the advice of the data protection officer.
According to Art. 35 (7) GDPR, the data protection impact assessment shall contain at least the following:
a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1 of Art. 35 GDPR, and
d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.
The monthly fee already includes advice and participation in the preparation of a specified number of privacy impact assessments each year. Your data protection officer will provide advice and participate in the preparation of data protection impact assessments. Our template for the implementation of the data protection impact assessment is protected by copyright and will be leased to the controller under the monthly fee.