
Data Protection Officer
The GDPR and Data Protection Act 2018 (data privacy legislation) requires several specific provisions be in place for a business which consider proactive and reactive data privacy adherence. To assist a business in nominating the responsibility for guidance and advice onto a role, emphasis has been placed on the Data Protection Officer (DPO). In some cases, this role is mandated.
If mandate does not apply it is still advisable to carve out the proactive and reactive duties of the role and position those appropriately with individuals, be that internal or external resource:
Proactive
The proactive duties that should align to data privacy legislation are as follows:
- Keeping updated on data privacy legislation
- Informing the business or organisation of updates to data privacy legislation
- Assessing risk for any significant projects/changes that may require Data Privacy Impact Assessments (DPIA)
Reactive
The Data Protection Officer has a requirement to be available at any time in a reactive capacity for situations such as:
- Breach incident, where a breach has occurred and needs to be assessed, managed and reported upon
- Data Subject Access Request (DSAR), where a request has been received by a Data Subject (you or I) to do something with the data you hold on them (disclose, delete, rectify, etc)
The Regulation allows organisations to outsource the DPO role to an external provider. With a shortage of individuals trained to handle DPO responsibilities, outsourcing these tasks and duties can help organisations address the compliance demands of the data privacy legislation while staying focused on its core operation.
In most cases, where mandate does not apply for the provision of an official Data Protection Officer, Black Penny recommend the use of the Data Protection Office concept and an outsourced Data Protection Officer. This has the added benefits of avoiding internal conflict of interests and a broad experience of data privacy across multiple business sectors.
Data Protection Office
DPO as a service is a practical and cost-effective solution for organisations that don’t have the requisite data protection expertise and knowledge to fulfil their Data Protection Officer obligations under the GDPR.
By outsourcing DPO tasks and duties to Black Penny Consulting, you get access to expert advice and guidance that helps you to address the compliance demands of the GDPR while staying focused on your core operation.
The basic concept behind the Data Protection Office is the attribution of the duties of the Data Protection Officer across several individuals, creating a shared responsibility model for awareness and governance.
The structure of a Data Protection Office is crucial, whilst there is no mandated structure, the basic proactive and reactive principles need to be catered for.
In large complex hierarchical structures, it makes sense to draw out Data Protection Office Champions. These Champions act as the conduit between the organisation and the outsourced Data Protection Officer within Black Penny Consulting.

Service Overview
Black Penny have constructed the Data Protection Officer as a Service model around a proactive and reactive approach. With the conduit layer of the company champions, Black Penny can offer a commercially viable service that benefits from economies of scale with the continuity of a Data Protection Officer service.
As part of an annual subscription service, the organisation will be assigned a dedicated DPO who will serve as an independent data protection expert as set out in the GDPR.
Black Penny have modelled the service to include a reactive response for both Breach Incidents and complex Data Subject Access Requests alongside proactive governance for legislation updates, Champion awareness and education collateral updates.
Benefits of an outsourced Data Protection Office
- Cost effective way to procure a Data Protection Officer
- Access to independent expertise and advice with cross sector experience
- No conflict of interest between the Data Protection Officer and the business
- Best practice guidance aligned to the GDPR
Service | |||
---|---|---|---|
GDPR/DPA 2018 Gap Analysis & Remediation Planning | ![]() | ||
GDPR/DPA 2018 on boarding | ![]() | ![]() | |
The Compliance Space Access | ![]() | ![]() | ![]() |
12 Hour Breach Response | ![]() | ![]() | ![]() |
Ongoing training as required | ![]() | ![]() | ![]() |
Complex DSAR Assistance/ Minor Breach | ![]() | ![]() | ![]() |
Annual Report | ![]() | ![]() | ![]() |
Day(s) remote | |||
Day(s) with Client Onsite |
