Navigating the role of the Data Protection Officer

Life as a Data Protection Officer (DPO) can be challenging, with numerous tasks to complete and too few days in the week. Not only do you have to deal with day-to-day matters, but you are also responsible for strategy and governance, dealing with subject rights requests, internal reviews, assisting marketing and HR, and potentially, at some point, dealing with a breach! You may often feel stretched and in need of support. Don’t panic. Help is at hand. PwC has a range of services and support designed with your needs in mind.

Service areas


MyDPO is our suite of solutions and services designed to support organisations looking to evaluate, outsource or augment their data protection capabilities. Services can be selected individually or blended, giving flexibility to allow you to increase or decrease support as required. Our areas of support include:

Review and assess

We can help you understand points of weakness and strength across the full spectrum of your organisation’s Data Protection (DP) compliance activities including, running a completeness assessment workshop using our Completeness Assessment Tool (CAT), helping you to evaluate your Marketing and HR personal data life cycles or to evaluate how prepared you are to handle a breach through our Breach Readiness Assessment Tool (BRAT).

Strategy and governance

A key challenge in the GDPR live environment is optimising your DP operating and governance models. We can review, assess and design models to support and demonstrate accountability, enable you to leverage value appropriately from your personal data assets and enhance your brand’s reputation.

Day-to-day support

We can act as an extension of your DP Office giving you support on practical activities that are an inherent part of GDPR compliance, but which can be time and resource consuming. For example: managing your privacy mailbox, handling subject rights requests, supporting contract reviews, updating policies and providing help line support to your internal stakeholders.

Crisis support

We can provide advice and support at critical moments, such as when you have a request from a Regulator, an actual or suspected breach has occurred or when dealing with a potential class action.

Marketing data life cycle support

We can assist you in evaluating your end-to-end marketing data life cycle, focussing on four key stages in the context of GDPR and e-Privacy compliance, reviewing at each stage the rights of individuals and your obligations. The four key stages are as follows:

Stage 1 - Gather

We examine the route to acquiring personal data for marketing use, both directly and indirectly.

Stage 2 - Manage

Once the data is collected we review the processes in place to take care of the data used for marketing, including keeping it up to date.

Stage 3 - Use

We then examine how the data is used, in practice, for marketing purposes to see if it’s consistent with the scope set out in the original permission marketing.

Stage 4- Remove

Finally, we look at processes in place for observing any applicable retention policies, including removal of data from the marketing life cycle.

Completeness Assessment Tool (CAT)

Our Completeness Assessment Tool (CAT) is a gap analysis and benchmarking tool that helps organisations to understand their current state of maturity against the requirements of the GDPR, allowing you to make choices that are more informed over investment, risk management and prioritisation.

The CAT consists of 65 questions. We work through these with you during a 2-3 hour session, collecting information from functional representatives within your organisation who have knowledge of business processes and data protection governance practices, as well as how personal data is gathered and used. Examples of functions ideally represented are information security, legal, HR, marketing, risk and compliance.

How does it work?

The CAT assesses an organisation’s approach to the GDPR across a series of data protection domains. Each domain contains a number of questions that help determine an organisation’s maturity. It’s been designed to help businesses assess where they sit in relation to ‘good’ standards of compliance. The findings from the assessment can be used to help prioritise remediation and change activity, inform risk decisions, measure maturity over time or in different areas of the business, and can also provide sectoral insights and benchmarking.

Breach Readiness Assessment Tool (BRAT)

We’ve compiled all of our experience, methodology and insights into the Breach Readiness Assessment Tool (BRAT), which gives you a rapid insight into your organisation’s readiness for dealing with a personal data breach – including breach notification, adverse scrutiny and the aftermath. The BRAT quickly enables you to understand your organisation’s strengths and weaknesses and areas for improvement.

Through the delivery of a comprehensive report, we’ll provide findings and recommendations to help you develop a targeted and prioritised road map for further improvements to your Personal Data Breach Framework, which will include:

  • Domains: Principles (key elements of the data protection law and best practices) and Architecture (practical structures that need to be put in place within the organisation in order to deliver the Principles).
  • The Maturity Matrix and Benchmark which test your organisation’s readiness for dealing with personal data breach.
  • The legal map and applicable international frameworks (including GDPR articles, recitals, ISO 27001 and more).
  • Heat maps of results and contextual overview based on your organisation’s characteristics.

Privacy IQ

Privacy IQ is a tool designed to take the stress out of managing your GDPR requirements, delivering a single interface that combines a range of PwC offerings to enable a comprehensive overview and seamless automation of your compliance needs. It enables users to drive, monitor and evidence all data related activities.

For more information about Privacy IQ, check out our video highlighting its features.

Follow us