Data Protection Officer for Hire
A designated DPO that works alongside your team at a fraction of the cost of hiring an internal DPO

Who Needs a DPO?
Any organization that collects, uses, discloses, or stores personal information from external sources, including customers and employees. Some examples include:
- Government
- Public bodies
- NGOs/IOs
- Businesses that process data
Our DPO for Hire Service includes:
- Audit
- Advice
- Liaise
- Train
- Achieve Compliance
Common Compliance Standards
The General Data Protection Regulation (GDPR) is a regulation that requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within the European Economic Area.
Who needs to be GDPR compliant?
Any entity that collects or processes the personal data of EU residents must comply with the regulation.
Law 25 (formerly Bill 64), An Act to modernize legislative provisions as regards the protection of personal information (Private Sector Act), is the new privacy legislation passed in Quebec, Canada. It aims to improve transparency, increase the level of data confidentiality and reinforce consent requirements.
Who needs to be Law 25 compliant?
All private sector companies in the province of Quebec and any businesses based outside of Quebec but doing business in that province will need to comply with Bill 64.
CCPA is the California Consumer Privacy Act. It is modelled after the GDPR.
Who needs to be CCPA compliant?
All companies that serve California residents and have at least $25 million in annual revenue must comply with the law.
California Privacy Rights Act (CPRA) strengthens enforcement of the CCPA. It allows any California consumer access to personal information a company has saved on them.
Who needs to be CPRA compliant?
All companies that serve California residents and have gross revenue in excess of $25 million, collect the personal information of 100,000 or more consumers, or derive more than 50% of their annual revenue from selling California resident information will have to comply.
British Columbia’s Personal Information Protection Act (PIPA) sets out the ground rules for how private sector and not-for-profit organizations may collect, use or disclose information about you.
Who needs to be PIPA compliant?
PIPA applies to all organizations and to all personal information held by organizations unless PIPA says that it does not apply.
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law relating to data privacy and contains various provisions to facilitate the use of electronic documents.
Who needs to be PIPEDA compliant?
PIPEDA applies to federal works, undertakings or businesses (FWUBs). PIPEDA applies to the collection, use and disclosure of personal information in the course of a commercial activity and across borders. PIPEDA also applies within provinces without substantially similar private sector privacy legislation.
Why Work With Kobalt.io
- Cost-Efficient
- Minimize Your Own Liability and Risks
- Maximize Productivity
- Accessing Industry Experts
- Satisfy Independent Requirements
- Faster to Appoint
One-year Road Map to Compliance
ASSESS & IMPLEMENT
Conduct a gap analysis or privacy impact assessment (PIA), data mapping on systems that handle personal information (PI) / personally identifiable information (PII), identify and establish program controls
PLAN & RESPOND
Gap analysis remediation, create privacy breach response protocol, act as primary internal contact for privacy-related queries
EDUCATE & UPDATE
Deliver tailored privacy education and training, work with legal counsel (as required), advocate privacy within the organization, provide updates on changes to privacy legislation
REPORT & RECOMMEND
Update gap assessment report with remediation and findings, act in an advisory capacity
ONGOING SERVICES
- Represent the organization in the event of a complaint investigation by a privacy commissioner’s office
- Respond to privacy breaches, advise the business on courses of action
Our Privacy Lead
Ritchie Po
Ritchie Po holds both Canadian (CIPP/C) and European (CIPP/E) privacy officer designations from the International Association of Privacy Professionals. Additionally, he is a lawyer called to the British Columbia bar, and often acts as a legislative consultant.
According to regulator recommendations, businesses should appoint a staff member to manage compliance. Your organizational structure will determine who should handle this, so consider who is in the best position to address privacy compliance requirements.
A DPO is a person who is officially in charge of data compliance and protection within a company. The person in question can be a staff member of the company or an outside expert or consultant. With the introduction of new regulations under GDPR, many businesses—but not all—will be required to name a DPO.
Article 37 of the Regulation states that a DPO must be appointed if:
- the relevant data processing activity is carried out by a public authority or body
- the core activities of the business involve regular and systematic monitoring of individuals on a large scale; or
- the core activities of the relevant business involve processing of sensitive personal data or data relating to criminal convictions, on a large scale.
If you conclude that your business needs a DPO to stay on the right side of the law, do you have to appoint someone externally? Not necessarily. A DPO can be an existing employee and for many businesses it will be possible to combine this formal role with other duties.
The DPO may be a dedicated full-time privacy officer, or the responsibilities may be assigned to your CIO, CTO, Human Resources, or legal counsel.
However, it is essential that the DPO possess a solid understanding of data protection law and best practices, as the resident subject matter expert. Your DPO must also be able to communicate without impediment with the highest level of management.
The person (or business) that determines which personal data is gathered and why is known as the data controller. The individual (or business) that handles data processing on behalf of the data controller is known as the data processor. Processors are only permitted to process personal data under a signed contract that specifies the purposes and boundaries of the processing activity.
The “person” or entity that collects and retains personal data, or the “data controller,” is deemed to be a custodian and is therefore responsible for adhering to data protection laws. The definition of “person” is expansive and may be a human, an organization, or a business. To take a proactive approach to ensuring data protection compliance, you must designate a data protection officer and design a privacy management program. However, your company—not the data protection officer—will ultimately be responsible for any violations of data protection laws. As a result, you ought to select a data protection officer who is equipped with the knowledge and tools needed to carry out their duties.
Under the GDPR, you must hire a data protection officer (DPO) if you are a public organization, if your primary operations entail monitoring people, or if you process sensitive data or personal information about criminal convictions and offenses. The DPO’s responsibilities will include:
- Training workers on compliance and data protection audits as well as their responsibilities
- Monitoring compliance and ensuring there are data protection policies in place
- Giving guidance on the GDPR’s mandated data protection impact assessments
- Co-operating with the privacy regulator(s) and acting as their point of contact