– From a few days per month to monthly assignment
– Usually a baseline set of days plus on-demand flexible visits
– On-call the rest of the time should any emergency command your DPO’s presence (such as a data breach)
– Complete immersion into your business from Day One
– Neither too techie nor too legal: the point is to resolve compliance issues with your business at heart first, not to be a GDPR naysayer at every turn
– Onsite visits, remote phone and video conferences, off site document review and reporting
– Both an adviser and a doer, your virtual DPO transforms a data privacy mandate into a customer experience enhancement, orchestrating your transition to full GDPR compliance:
STEP 1: Your virtual DPO spends a few days with you and your legal and IT teams to make sure the source and origination of any personal data is identified and documented. He reviews your current privacy notices and analyses them against GDPR.
STEP 2: He develops a Data Inventory of what, where, who, why, when and how your data is held, and collects information about your data processes and procedures, such as how you obtain user consent and how it is recorded and updated. He works with your teams to make sure every department is GDPR-aware (if not yet a privacy advocate). Once you’re almost set, he conducts an independent Privacy Impact Assessment (GDPR, Article 33).
STEP 3: He works closely with your business executives and legal team, including outside counsel, to deploy operational privacy changes and procedures that implement the new user rights under GDPR, such as data deletion or modification (right to be forgotten, right to access and rectify) and data export (right to receive one’s personal data in an easily readable format). He suggests GDPR-motivated changes to your incident response plan (or helps you set one up) and runs tabletop exercises against the (unrealistic) 72-hour data breach notification obligation under GDPR.
STEP 4: He conducts a set of reporting activities throughout his mission, such as monthly operational reviews, ongoing GDPR compliance assessment, and periodic personal data mapping and process reports. He ensures privacy training of your personnel via online video sessions, both live and on-demand for more flexibility. He acts as your lobbyist and first point of contact with the main EU data protection regulators (the French “CNIL”, the UK “ICO”, the German “BDSG”, etc.).