https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10464#M474 <P>Dear Newcomer,</P><P>&nbsp;</P><P>since I am not a lawyer, I can't tell you if it is legally rquired for that business. But from my practical experiance (in Germany) apointing a DPO is seen very positive by customers and their DPOs here. It is common practice that these DPO's are very often external Consultants in many cases from organistions with good reputation such as the TÜV. They have a good knowöedge of what companies and governments expect in their country (and there are some differences as I had to learn in the past). Their charges are reasonable, mostly based on effort.</P><P>Especially in a phase where customers come up with all sort of questions and contract templates they obtained from the web, some advise can only be an advantage. When this type of issues decreases, you can always reduce the consultany.</P><P>&nbsp;</P><P>I hope that helps, if practical information from Germany is needed, drop a line.</P><P>&nbsp;</P><P>Kind regards,</P><P>oms</P><P>&nbsp;</P> Sun, 20 May 2018 15:40:12 GMT oms 2018-05-20T15:40:12Z https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/7382#M304 <P>Hello All,</P><P>&nbsp;</P><P><SPAN>Would appreciate if those who are familiar&nbsp;with&nbsp; DPO aspects could provide some guidance.</SPAN></P><P>&nbsp;</P><P>GDPR states the following regarding DPO requirement.:</P><P>&nbsp;</P><DIV>"Virtually all public sector bodies will be required to designate a<SPAN>&nbsp;</SPAN><SPAN class="il">DPO</SPAN><SPAN>&nbsp;</SPAN>under the<SPAN>&nbsp;</SPAN><SPAN class="il">GDPR</SPAN>.&nbsp;</DIV><DIV>When it comes to the private sector, the<SPAN>&nbsp;</SPAN><SPAN class="il">GDPR</SPAN><SPAN>&nbsp;</SPAN>introduces a limited mandatory<SPAN>&nbsp;</SPAN><SPAN class="il">DPO</SPAN><SPAN>&nbsp;</SPAN>requirement.&nbsp;</DIV><DIV>Controllers and processors will only be required to designate a<SPAN>&nbsp;</SPAN><SPAN class="il">DPO</SPAN><SPAN>&nbsp;</SPAN>if their core activities consist of:&nbsp;</DIV><DIV>i. processing operations which, by virtue of their nature, scope and/or purposes, require regular and&nbsp;</DIV><DIV>systematic monitoring of data subjects on a large scale; or&nbsp;</DIV><DIV>ii. processing on a large scale of special categories of data or data relating to criminal convictions and offences. "</DIV><DIV>&nbsp;</DIV><DIV>A SaaS provider offering solutions to end users in the EU (through their orgs) will not be coming under the two core activities mentioned above. If the PII collected is minimal without any payment instrument data or health-related information, would appointing a DPO be useful to demonstrate further compliance to GDPR?</DIV><DIV>&nbsp;</DIV><DIV>Additionally, if it would be better to have a DPO in a member state where the provider conducts most business (i.e., the state where the supervisory authority for GDPR will be), can a consultant in that state would do? If the DPO is a person in the US, not sure how that will fly with different member states.</DIV><DIV>&nbsp;</DIV><DIV>Thanks in advance.</DIV> Thu, 15 Feb 2018 03:44:54 GMT https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/7382#M304 2012 2018-02-15T03:44:54Z https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/7390#M305 <P>The Article 29 working party group has guidance on appointing a DPO but it's mostly focused on the role:</P><P>&nbsp;</P><P><A title="Article 29 WP advice" href="http://ec.europa.eu/newsroom/document.cfm?doc_id=44100" target="_blank">http://ec.europa.eu/newsroom/document.cfm?doc_id=44100</A></P><P>&nbsp;</P><P>It does express a preference for EU based DPOs but it's not mandatory.</P><P>&nbsp;</P><P>It's very difficult to comment further without more clarity on the data you are storing - the "large scale and systematic" part of the storage will be the key issue. If you're storing for example name, address, email, phone number for 1000s of data subjects in the EU for your customers, you'd almost certainly be seen as needing a DPO.</P> Thu, 15 Feb 2018 11:12:05 GMT https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/7390#M305 Steve_D 2018-02-15T11:12:05Z https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/7446#M307 <P>Thank you for your response.</P> Fri, 16 Feb 2018 16:25:47 GMT https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/7446#M307 2012 2018-02-16T16:25:47Z https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10368#M467 <P>See WP29 WP243 opinion and the related FAQs.</P><P>&nbsp;</P><P>It is considered good practice by the WP29 to appoint a DPO on a voluntary basis even if the 3 conditions in article 37 are not met.&nbsp; I'd suggest as SaaS supply may be processing personal data of many client therefore needs to carefully consider documenting any decision not to appoint a DPO.&nbsp; If the EEA country is Germany you will have to appoint a DPO as national legislation requires it.</P><P>&nbsp;</P><P>A consultant on a service contract in the relevant country would be acceptable under GDPR.&nbsp; It will be more difficult to argue that a DPO in the US has the relevant experience of EU jurisdictions, is fluent in the relevant languages and is easily contactable given time zone differences etc.</P><P>&nbsp;</P><P>Steve</P> Wed, 16 May 2018 13:57:44 GMT https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10368#M467 Steve-Wilme 2018-05-16T13:57:44Z https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10464#M474 <P>Dear Newcomer,</P><P>&nbsp;</P><P>since I am not a lawyer, I can't tell you if it is legally rquired for that business. But from my practical experiance (in Germany) apointing a DPO is seen very positive by customers and their DPOs here. It is common practice that these DPO's are very often external Consultants in many cases from organistions with good reputation such as the TÜV. They have a good knowöedge of what companies and governments expect in their country (and there are some differences as I had to learn in the past). Their charges are reasonable, mostly based on effort.</P><P>Especially in a phase where customers come up with all sort of questions and contract templates they obtained from the web, some advise can only be an advantage. When this type of issues decreases, you can always reduce the consultany.</P><P>&nbsp;</P><P>I hope that helps, if practical information from Germany is needed, drop a line.</P><P>&nbsp;</P><P>Kind regards,</P><P>oms</P><P>&nbsp;</P> Sun, 20 May 2018 15:40:12 GMT https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10464#M474 oms 2018-05-20T15:40:12Z https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10465#M475 <P>Dear 2012,</P><P>&nbsp;</P><P>I am sorry, that was my first post here. I just realized that "Newcomer" is just the "level".</P><P>&nbsp;</P><P>Kind regards,</P><P>oms</P> Sun, 20 May 2018 15:57:08 GMT https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10465#M475 oms 2018-05-20T15:57:08Z https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10494#M477 <P>No problem, the tags newcomer, contributor etc are a bit strange.&nbsp; Thanks for the feedback though.&nbsp; I was aware that in a German context the role of the DPO was long accepted.</P><P>&nbsp;</P><P>Steve</P> Mon, 21 May 2018 06:59:18 GMT https://community.isc2.org/t5/Privacy/Advise-on-designating-a-Data-Protection-Officer-DPO-for-a-US/m-p/10494#M477 Steve-Wilme 2018-05-21T06:59:18Z