Data Protection Officer

We can act as the DPO for your organisation

Who should appoint a DPO?

Under the General Data Protection Regulation (yes, the GDPR again!) you must appoint a DPO if:

  • You are a public authority or body;
  • Where core activities require large-scale, regular systematic monitoring of individuals;
  • Where core activities consist of large-scale processing of special categories of data or data relating to criminal convictions and offences. 

However, it should be noted that it is strongly recommended for all organisations to appoint a Data Protection Officer to show customers, suppliers and other interested parties that you take the protection of personal data seriously.

Who should be appointed as DPO?

There are several options to consider when deciding who your organisation could appoint as DPO:


Do nothing! If your organisation doesn’t fall into the definition of a mandatory category for a DPO within the GDPR you could decide not to appoint one at all.


    Appoint someone internally. If the GDPR makes it mandatory to appoint a DPO, or you’ve decided it makes sense for your organisation to have one, you can look to appoint an existing employee.

Key Points to note:

  • In order to perform the role a DPO should be appointed primarily based on their:
    • Professional qualities
    • Experience
    • Expertise in data protection law.
  • If your current workforce does not contain an expert in data protection, we wouldn’t recommend appointing from within.
  • You must also ensure when appointing someone internally that there is not a conflict of interest as a DPO needs to perform his or her duties independently and impartially.
  • Therefore, they should not be already employed in an executive capacity.

    Recruit a dedicated DPO. Given this would be a dedicated role it tends to be an approach which is favoured and considered viable only by larger organisations or ones that fall into the ‘mandatory’ categories.


     Outsource the role. There are many third-party services that offer access to an external Data Protection Officer (or virtual Data Protection Officer):

  • This can be an affordable and practical approach.
  • It is up to you to decide what would be the best fit for your organisation.
  • We would however recommend that the same level of care and rigour is applied during the evaluation of potential suppliers during this process.
  • There are many ‘one-man bands’ that have sprung up and invariably don’t have either the:
    • Strength in depth or,
    • Expertise that you require. 

An outsourced DPO Service should deliver at least the same professional qualities and specific experience as when selecting a dedicated individual for the role.

Why choose ThinkMarble's DPO service?

ThinkMarble’s DPO as a Service (DaaS) is offered in two packages:-

  • DaaS Basic
  • DaaS Premium

DaaS Basic Service

Suitable for organisations that:

  • Require only limited access to information and advice around data protection; and/or
  • Do not provide/sell a product or service directly to ‘consumers’/general public and therefore handling personal data; and/or
  • Do not require emergency access to advice in the event of a data breach.

Outcome and Benefits

  • Practical and cost-effective solution for GDPR compliance; and
  • Access to an independent DPO team, avoiding potential conflicts of interest; led by
  • A qualified solicitor with expertise in data protection law & practice.

DaaS Premium Service

Suitable for organisations that:

  • Require regular access to information advice and guidance about data protection law; and/or
  • Provide/sell a product or service directly to ‘consumers’/general public; and/or
  • Require immediate access to advice in event of a data breach; and/or
  • Are handling special category data and/or financial data about individuals; and/or
  • Use or are planning to use new technology; and/or
  • Transfer personal data outside the UK/EEA; and/or
  • Would otherwise employ an in-house DPO; and/or
  • Rely on multiple 3rd party providers to deliver a service or product; and/or
  • Require robust data protection provisions in their contracts.

Outcome and Benefits

  • A bespoke service aligned to the requirements and operation of your business
  • All the benefits of having a full-time in-house DPO for approximately a quarter of the cost; and
  • Access to an independent but fully engaged DPO team, avoiding potential conflicts of interest; led by
  • A qualified solicitor who is an expert in data protection law & practice.
  • Simple monthly fee for ALL your data protection and GDPR compliance needs.
  • Basic
  • Premium
From £1,49500
Access to dedicated support from lawyer-led DPO team regarding information, advice and guidance on GDPR compliance.
Annual review of personal data processing activities to monitor and ensure compliance with the GDPR.
Interface with ICO for all data protection issues.
Access to template policies and other data protection documentation.
Access to up to 10 webinars per year on the latest data protection news and developments.
Quarterly report of activities and use of service to help you better understand your strengths and weaknesses and measure value for money.
Monthly report of activities and use of service to help you better understand your strengths and weaknesses and measure value for money.
Service availability hours - Mon-Fri 9:00 - 17:30 excluding public holidays.
Service availability hours - 24/7
Remote ‘familiarisation’ meeting to better understand your organisation and how it processes personal data.
On-site ‘familiarisation’ meeting to better understand your organisation and how it processes personal data.
Advice credits per month (email, telephone).4 (additional billed monthly in arrears)Unlimited
Legal advice about GDPR/data protection aspects of legal contracts and review of any existing key data protection related policies.*
Access to GDPR GAP analysis and portal.
Access to ThinkMarble's online GDPR training Syllabus.
Tailored GDPR training on-site.**
Cyber Security Threat Assessment.
Quarterly external vulnerability management scan.
Contact usContact us

*Privacy, data protection or retention policies. 

**Up to 2 training days onsite per annum. Additional days can be requested at an additional cost. 

What to do next?

If you feel like you want to learn more about ThinkMarble’s Data Protection Officer service, or you’d like to talk to someone about purchasing the service, please fill out the contact form below and one of our experts will be in touch.

WordPress Lightbox Plugin