As an external data protection officer, you face the challenge of looking after several clients with different data protection organisations. Your clients expect a high quality of service. At the same time, you have to keep an eye on the economic efficiency of your offer. A professional, structured approach minimises conflicts between quality and efficiency. otris privacy – the tool for external data protection – supports you in this.
External data protection officers have excellent expertise with which they implement the complex data protection requirements for their clients. However, external DPOs are only successful if they have sufficient resources to offer a high quality of service at a reasonable price level. For both – service quality and efficiency – one thing above all is important: the expertise must be transferred into functioning processes. And functioning processes should, as best as possible, be applied in the same way for each client. What does this mean for practical work with otris privacy?
External data protection officers use otris privacy to map data protection processes that have proven themselves in their operational work.
A standard data protection organisation is created from the proven data protection processes, which the external data protection officer can use as a basic framework for each of his clients. With a few clicks, the external DPO creates the basic structure of a data protection organisation for each new client. This “recycling” of a proven structure ensures quality standards on the one hand: a newly created data protection organisation contains all the necessary basic elements as well as the DPO’s tried-and-tested methods and processes. In addition, established processes make it possible to start operational data protection work immediately. The external data protection officer and his or her staff are familiar with the structures and functions of the system – regardless of whether new clients are involved or the person in charge changes between mandates.
Our all-round solution for professional external data protection simplifies the control, documentation and reporting of your data protection work. If required, we integrate our Information Security Management System (ISMS) into the application.
Compared to internal DPOs, external DPOs have additional requirements for data protection software. In addition to multi-client capability, flexibility and adaptability play an important role. After all, the solution should map the client’s individual data protection organisation and at the same time integrate the proven processes and procedures of the external DPO. Also important: functions that simplify cooperation and communication with the client as well as a licensing model that takes into account the needs of external DPOs.
Of course, otris privacy is a multi-client capable system. External data protection officers use the solution to manage their clients at the highest level. For each client, the organisational structure can be mapped, including all holdings and subsidiaries. The external DPO controls read and write access via authorisations. For example, he can determine that his employees are only allowed to access the clients they are in charge of.
Cooperation on the VVT
Creating the record of processing activities (VVT) is a time-consuming, complex task. As an external DPO, you have to rely on the client’s willingness to cooperate. otris privacy simplifies cooperation by providing a reporting and updating workflow. The external DPO sends web forms from the system to the process owners on the client side. The configurable form supports the person responsible in describing the process. After verification by the DPO, otris privacy transfers the information to the VVT. The system sends automated update reminders according to predefined criteria.
As they gain professional experience, external data protection officers refine their work processes. These include, for example, procedures for auditing and analysing processing activities. With otris privacy, external DPOs map their self-developed audit processes and checklists. Workflows define individual steps of a work process or specify the course of a release routine with the client.
Workflows not only help with customisation but also with automation. For example, the notification workflow simplifies the creation and maintenance of the processing directory, the data protection breach workflow enables rapid intervention in the event of data protection breaches, and the enquiry workflow sorts and channels enquiries from data subjects. Workflows are a suitable way to improve the efficiency of repetitive tasks that need to be processed according to a uniform pattern.
As an external data protection officer, you also benefit from the easy scalability of the software: if you gain new clients, you can easily order additional client licences. With each additional client licence, you map the entire data protection organisation of a new client. If your client base shrinks, you can easily cancel the licences you no longer need by sending an e-mail notification.
Sublet the licence
With otris privacy, you create a data protection organisation that reflects the individual circumstances of the client and at the same time applies your know-how in the form of structures and processes. The otris licence conditions allow you to sublet this service to the respective client as SaaS (Software-as-a-Service).
Three software editions are available to customise the basic functionality of the solution to your needs. With additional extensions, you can expand the solution to include the functions you need for your work as an external DPO. If the standard elements are not sufficient to cover your requirements, otris-Consulting implements individual solutions tailored to your needs.
Wizards and context-sensitive action menus are a special feature of the otris data protection software. The entry aids support the user in working through complex tasks step by step. The progress indicator shows the user where he is in the process. The tried and tested traffic light symbolism provides support for the many different control tasks in data protection.
Clients receive regular evaluations from their external data protection officer. The data required for a variety of reports – e.g. activity reports, action overviews, analysis reports, action planning, audit logs – is automatically documented by otris privacy. The compilation of the predefined data in reports and, if required, the sending to the client are also automated. All common output formats (PDF, HTML and CSV) are available for selection.
You can run the otris data protection software on your own servers (on-premises) or use it as a cloud application. Of course, we offer the cloud variant with a server location in Germany that meets all data protection requirements. In terms of the application and the user interface, both forms of operation (cloud and on-premises) are identical.
High service quality at manageable costs – that is what clients expect from external DPOs. In a complex environment such as data protection management, this client requirement quickly becomes a challenge. otris privacy supports you with practical functions and customisable processes to ensure that costs and quality do not become conflicting goals.
Adopting structures and processes
The structure of a data protection organisation that has been created once can be duplicated in otris privacy as often as you like. For each new client, you can therefore fall back on tried and tested structures and processes. In just a few steps, you can copy the basic structure and then adapt it to the circumstances of the new client. On the one hand, this type of recycling ensures quality by allowing you to adopt your tried and tested structures and processes. On the other hand, you can immediately start with the operational data protection work and thus save resources that would be required for the creation of a new data protection organisation.
Effective communication with clients is essential for external data protection. otris privacy simplifies this exchange through a wide range of functions. These include, for example, web forms that query the responsible parties on the client side about processing activities.
After the check by the external DPO, queries are sent to the client or the information is transferred to the VVT with a click. The entire process, including communication, comments and notes, is automatically logged by otris privacy. On the one hand, this improves transparency, but it also helps with activity records and service invoices.
Administration and management
otris privacy supports external DPOs not only in their operational data protection work. They can also process administrative tasks with the special software. This includes, for example, document management: from meeting minutes to the service contract to the appointment document, you manage all documents that belong to a mandate in otris privacy. The solution also helps you to track the workload for each client in order to create transparent invoicing. Evaluations support you in your internal controlling, but also help you to calculate services precisely and offer them competitively.
Which Data Protection Management Edition fits your requirements?
By selecting an edition, you determine the basic functional scope of your solution. The editions can be combined with the functional extensions to optimally adapt the solution to your company-specific requirements.
otris privacy STANDARD is a data protection management solution with which you:
With the otris privacy STANDARD edition, you can map a data protection organisation in a GDPR-compliant way. We offer otris privacy STANDARD exclusively as SaaS (Software-as-a-Service) for rent.
otris privacy ENTERPRISE is a data protection management solution with which you:
With the otris privacy ENTERPRISE edition, you use functions that simplify cooperation with your clients and improve efficiency through reuse and inheritance. The system can be run on your company server or in the otris cloud.
otris privacy ENTERPRISE plus is a data protection management solution with which you:
The otris privacy ENTERPRISE plus edition is the group-capable, bilingual version of our data protection management solution. In external data protection, the software enables comprehensive support for group customers. The system can be operated on your company server or in the otris cloud.
With technical extensions you can increase the range of functions of your otris solution. You can combine the extensions with the ENTERPRISE and ENTERPRISE plus editions.
The notification/update workflow is the extension with which (external) DPOs accelerate and simplify the set-up and maintenance of the VVT. The DPO sends the controller (e.g. process owner) a web form directly from the system. The controller describes the processing activity by filling out the form. No special data protection knowledge is required to use the notification form. The controller sends the completed form back to the DPO, who transfers the information to the VVT at the push of a button or sends it back to the controller with comments / requests for additions. After a predefined period of time, the system can automatically send a request to the responsible person to clarify whether the processing description is still up to date. The controller can also open an overview of “his” processing operations and add or update processing operations. The DPO is informed of the change request by the system. The extension NOTIFICATION/UPDATE WORKFLOW includes the installation and set-up of the extension in addition to the standard web form for procedure notification. If desired, the workflow can be individualised by otris-Consulting.
The REQUEST WORKFLOW is an extension with which you can automatically record incoming requests in otris privacy and document the processing procedure. Internal (e.g. employees) and external (e.g. customers) enquirers can use an e-mail address or a web form, including attachments. In both cases, the DPO can process the request directly in the system.
With the DATA PROTECTION VIOLATION extension, you provide the employees of your client with a process for reporting internal data protection violations. Via a web form, the employee specifies the chronology, the categories of data affected and the groups of persons affected as well as the measures already taken. No special knowledge in the area of data protection is required to fill out the form. The completed form is sent to the predefined responsible office (e.g. external data protection officer). After a new breach notification is received, the system also sends a notification e-mail (recipient address can be freely selected during configuration). The report on the process is attached to the e-mail.