According to the EU GDPR (www.eugdpr.org), if your organisation conducts personal data processes with sensitive data (data about healthcare, children, elderly people, ..) or about exposed data subjects (for example, employees, patients, candidates, etc.), or if you manipulate large volumes of personal data over the years, then your process is deemed as critical. You need to conduct a risk analysis called Data Protection Impact Assessment. If the result of this analysis shows that the risk to data privacy can be significant, then you need to have a Data Protection Officer.

The EU Commission, the European Data Protection Board, and each local Data Protection Authority (DPA) have given examples of personal data processes that are critical:

- processings that involve new technology (e.g. wearables, artificial intelligence, etc.)

- clinical trials

- any process manipulating healthcare data

- non mandatory human ressources processes (e.g. recruiting candidates, or annual rating of employees).

This list is not exhaustive.

If you fall in these categories, you need to conduct a DPIA for the relevant personal data processings, and you have a Data Protection Officer (DPO).

Per the EU GDPR, the DPO needs to be independant from the personal data processings. For example, it can't be the IT manager, or the quality assurance person, because in that case there would be a conflict of interest.

The EU GDPR allows organisations to designate an external DPO.

This person needs to have at least the 3 following capabilities:

- know the business where you are operating,

- be familiar with IT systems, best practices of IT security, internal audit methodology and data management

- be familiar with the regulations pertaining to your sector: in the life sciences sector, the DPO should know, in addition to the gereal obligations (e.g. marketing code of conduct, ePrivacy Directive, Work laws, security laws, Best practices of IT, etc.), the specific regulations, laws and guidancesto our industry at international, Eu, or local level: declaration of Helsinki, GXPs, CFR21, etc.

An external DPO is the best solution for small and mid-size organisations:

- you don't need to worry for the set-up of the DPO activity

- you get rid of all risks incurred with the compliance to EU GDPR or Privacy Shield

- you have a senior professional available via phone / email whenever you have a question, 24/7

Our packages start with a few hours per month.

All our external DPOs are experienced professionals, who have been working several years in the life science industry and comply with the 3 knowledges mentionned above.

See an extract of our team of DPOs on the 'Team' tab.

Remember that penalties are commonly around 20 000 Euros, and can go up to 20 million Euros or 4% of your sales revenue, whichever is the greatest. So it's better to pay a few hundred Euros each month and be compliant!

Remember also that Data Protection Authorities said that there will be no indulgence for small organisations. In the UK, a company with 2 employees got a penalty last year.

Feel free to contact us for a quote!