Professional services group BDO has launched a service to help businesses in Jersey adopt and comply with new data protection rules.
On 25 May 2018, the General Data Protection Regulation (GDPR) comes into force. This is a Europe-wide set of data protection laws designed to harmonise data privacy practice across Europe, protecting citizens and their personal data, and giving users more information about – and control over – how it is used.
GDPR calls for the mandatory appointment of a Data Protection Officer (DPO) in some instances for any organisation that processes or stores large amounts of personal data, whether for employees, individuals outside of the organisation, or both. A DPO’s responsibilities include training staff in data processing, conducting data audits, monitoring performance, maintaining records and serving as a point of contact between the organisation and the Office of the Information Commissioner.
Recognising the complexity of a DPO’s duties, but also the fact that it may not be a full-time responsibility, GDPR explicitly allows the role to be outsourced.
BDO’s service is designed for organisations that are perhaps too small to warrant a permanent internal DPO hire, or that may struggle to find someone suitably independent internally. For a transparent monthly fee, BDO will establish and maintain a governance framework for the organisation, carry out an initial and annual privacy audit, conduct an annual mapping exercise to track data that may have moved or been shared, record and handle all Data Subject Access Requests, report all Data Breaches, and train all data handlers, in person and using a bespoke eLearning platform.
Damon Greber, BDO’s Director of Risk Advisory Services, said: “We regularly carry out Data Protection Impact Assessments for clients so have identified common issues that organisations have with their GDPR preparations, which we can help them with. It is not a case of one size fits all, so businesses need to fully understand their own obligations and processes before they proceed. That can be a daunting task so that is why we have established this service. From charities and sole traders to large companies, every size and type of organisation could come under the scope of GDPR, depending on the amount of data they hold.”
Acting Information Commissioner Paul Vane said: “The law supports the outsourced DPO role so this new service from BDO is welcome. Other services are available, so it is important that organisations do their own due diligence to make sure whatever they opt for is appropriate. But certainly, outsourcing the DPO role could save an organisation a lot of time and money by handing over responsibility to specialists who will provide 24/7 cover and relevant training.”