The Data Protection Officer (DPO)

When speaking about the Data Protection Officer (DPO), one could draw some parallel towards the Quality Assurance Responsible within a corporate context.
The DPO main goal is to ensure corporate compliance towards GDPR.
Now, this does not mean that the DPO should be the one to “make the company compliant”, yet he/ she is the one who bears the responsibility of tracking corporate status, events, and incidents. So, what is expected from a DPO then?
Well, the DPO has the following roles/ responsibilities and requirements (as per defined under GDPR) and he/ she may either be an internal resource or an external service:​

  • The DPO MUST report directly to the Board of Managers, the General Manager or the CEO – the DPO must act with full independence and free of potential influences and constraints inherent to being included in one specific operation are or department.
  • Notwithstanding the previous point, a DPO may have other responsibilities in the company, as long as those do not constitute a conflict of interests before GDPR not do they collide with the independence that must characterize the role of DPO.

  • The DPO must be knowledgeable about corporate structure and Core Business/ Service Catalog – the DPO will monitor and enforce GDPR compliance towards a given company and its Service Catalog, that implies the need of being knowledgeable about how the company works at all levels, ranging from clients to services and products, operational areas and processes as well as partners.

  • The DPO must be involved in the initial phase of the compliance establishment process, meaning the Data Protection Impact Assessment or GDPR Compliance Project, for only in doing so will he/ she be fully aware of corporate status as well as which initial non- conformities were there and how those have been mitigated.

  • The DPO is a role which requires support from 3rd party skill sets, the likes of IT; Legal; HR; Business Consulting; Data Governance and depending on Corporate Core Business, other which may include Digital Marketing; Cybersecurity; and so on …

    The DPO is the responsible element (central point of contact) for receiving and making sure that proper answer is provided to the Data Subjects when these interact with the company while exercising their rights and/ or inquiring about corporate Personal Data processing activities. However, the DPO is not liable for corporate non-compliance towards GDPR unless it directly derives from his/ her actions/ lake of action. The DPO shall deliver/ assure the following tasks:
To be aware of GDPR and accessory legislation and advise the company (Board; Managers and Staff) on how to act while aligned with posed requirements
To answer to provide advice and answer any doubts (case scenarios) posed by the managers and staff under GDPR context
To monitor corporate compliance both by performing and documenting regular operational audits (over policies and processes applicability) as well as the IT Landscape, plus Training to both new onboard staff as well as recycling knowledge among staff members
To be the interface towards the Supervisory Authority, and partner companies with regards to GDPR.

AMS Experts DPO Services:

Incident Management

  • Registry – to keep an updated log of Personal Data incidents including Data Breaches
  • Workflow (lawyers/ Tech area/ HR/ … ) – to assure the required workflow between relevant Departments/ areas of expertise upon a Personal Data incident
  • Reporting – promote corporate awareness as well as towards partner companies in case of Personal Data incidents or Data Breaches
  • A formal submission to the Supervisory Authority – timely informing the Supervisory Authority in case of a Data Breach


  • Planning and Scheduling/ alerts – Define a continuous audit plan to monitor corporate compliance towards GDPR
  • Editing – to work the information that results from such audits, defining needed actions
  • Feedback/ reports/ Follow-up actions – to follow-up on established actions fulfillment

Data Subject’s Interface

  • Receiving and prioritizing – to handle Data Subject’ interactions with the company as the single point of contact and centralizing workflow pivotal element, including complaint management.
  • Feedback – to answer Data Subject’s inquiries and contacts towards the company within the scope of Personal Data treatment by the company and its partners

Staff Support

  • Support the company staff with regards to daily doubts which may arise towards Personal Data Treatment, in fact, continuous coaching under GDPR context.This implies having a work methodology in place which enables the DPO to:
  1. Registry – register received requests
  2. Prioritization – establish priorities and monitor them
  3. Counseling (pre-defined answers) – have an FAQ list which can easily be used to address common doubts
  4. Review and Edit – Be able to easily and quickly Edit and Review existing processes; answers; policies; other …
  5. ​Forwarding answer – manage communication channels depending on relevancy by mail, SMS, publishing it on the corporate website, other…

Updates to the Law

  • Registry – register updates to both GDPR as well as relevant accessory legislation
  • Distribution lists management – Define and manage distribution lists, ensuring that adequate and relevant new information timely reaches relevant staff members (e.g. one change that impacts Marketing will immediately be forward to relevant staff from Marketing; Communication and Membership management Departments)
  • Edit – Update and add new relevant content/ information (including creating new distribution lists)
  • Forwarding answer (mail, SMS, publishing it on corporate website) – manage communication channels depending on relevancy by mail, SMS, publishing it on the corporate website, other …


  • Content Definition – defining adequate content for a given training need
  • Library – manage and update a training content library under GDPR
  • Scheduling – manage the training sessions scheduling
  • Status tracking (Done/ Open) – follow-up/ track and tracing on open training actions, doubts and content points
  • Providing Training over GDPR and inherent Tests – either by him/ herself or resorting to training experts
  • Tests and results management/ definition of additional actions
  • Tests evaluation (auto and enabling editing)
  • Feedback to trainees and heads of the inherent Departments/ area

For more information, contact AMS Experts’ GDPR Support