Since a Data Protection Officer (DPO) has an official function in your organization (and thus also appears on the org-chart), his duties, tasks and rights as well as conditions must be regulated. In the case of external DPOs, an "order contract" (a mixture of service contract and work contract) is concluded. The order then becomes effective when you receive your order deed.
This is always the 3rd Mind Business Consulting GmbH.
Regularly, the introduction of a DPMS according to EU GDPR in medium-sized environments takes about 1-2 years, which is an empirical value. It can also be faster, depending on the size and business area - and your time.
This is usually the managing partner himself with over 20 years of experience. He is also the principal vehicle of necessary and complementary person certifications.
So as "stand-alone consulting", we are approaching the project "DPMS" in a proven and more than 10 years continuously developed structure so there are no gaps remains (and therefore attack points). Starting points are planned appointments with you, definition of the time and resource goals (the "quality goals" are already given by law) and then an audit of your organization and your procedures with personal data. At the same time you create your "client file" with all the necessary sections in the DSMS, which are then gradually filled according to the result of the audit and your daily business, ideally mirrored in your systems. So it goes to the "work".
Of course, that works. It then runs according to your wishes as a pure consulting project under your responsibility, as a service project (eg under delivery of contracts for an Order Data Processing), or a mix of both. Or as "coaching", if you want to use an internal DPO, for example, but this is still very inexperienced and you want to make sure that everything runs smoothly right at the beginning (because you as the "Controller"remains responsible for a DPO).
Under the usual conditions of contract law (notice periods, etc.), you can of course terminate the contract and, for example, switch to a pure consultation - or simply let it expire. However, in both cases, the effective DPO order acc. Art. 37 GDPR (38 BDSG) ends, the previous order deed becomes invalid. Thus, this makes sense regularly in cases in which we "new" internal DPO and should take over later. For example, 3rd Mind is available to you as a "cavalry" ;-)
Oh yes - a lot; even if 3rd Mind would bring you significant relief.
But to not stretch this point we recommend you to contact us for a first tetative appointment on your site.