top of page

Privacy As a Service

Did you know that privacy regulations allow you to work with trusted partners to maintain privacy compliance? At Astrum we can act as your Data Protection Officer, Privacy Officer or Privacy Contact Officer helping you assess new initiatives, conduct health checks, privacy impact assessments, work with your partners, and respond to data access requests. 

GDPR Data Protection Officer (DPO) 


The Data Protection Officer (DPO) is a key role in achieving and maintaining GDPR compliance. The DPO’s tasks are defined in Article 39 as: 

  • To inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws; 

  • To monitor compliance with the GDPR and other data protection laws, and with your data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits; 

  • To advise on, and to monitor, data protection impact assessments; 

  • To cooperate with the supervisory authority; and 

  • To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc). 

GDPR permits the role of the DPO to be fulfilled by an appropriately qualified person from outside the organisation based on a service contract. 


Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Chapter 4 (Art. 37-39) 

message on keyboard enter key, for privacy policy concepts.jpg

Privacy Officer (PO) / Privacy Contact Officer (PCO)


The Australian Privacy Principles (APPs) do not explicitly require businesses to appoint a Privacy Officer, however under various APPs business are required to:

  • Have a clearly expressed and up-to-date APP Privacy Policy

  • Provide individuals with access to personal information

  • Correct personal information 

  • Deal with deal with privacy related inquiries and complaints

These functions are usually performed by a dedicated Privacy Officer.

The Office of the Australian Privacy Commissioner strongly encourages government agencies to appoint a Privacy Contact Officer (PCO) as the first point of contact for advice on privacy matters related to their agency. 

Generally, the role of the PCO includes:

  • Participating in the development of new initiatives that have a potential privacy impact

  • Providing advice on the general application of the Privacy Act 1988 (Privacy Act) to new agency initiatives or to the agency's general operations

  • Handling, or supervising the handling, of privacy complaints and enquiries

  • Training staff in aspects of the Privacy Act that apply to their day-to-day activities

  • Being the primary privacy contact for the Office of the Australian Information Commissioner.


•    Australian Privacy Principles guidelines, the Office of the Australian Information Commissioner, March 2015;
•    The role of the Privacy Contact Officer in Australian government agencies, the Office of the Australian Information Commissioner <>


GDPR Privacy Impact Assessment 


The instrument for a privacy impact assessment (PIA) or data protection impact assessment (DPIA) refers to the obligation of the controller to conduct an impact assessment and to document it before starting the intended data processing. 

The requirement to carry out a DPIA applies to existing processing operations likely to result in a high risk to the rights and freedoms of natural persons and for which there has been a change of the risks, considering the nature, scope, context and purposes of the processing. Moreover, a DPIA could be required after a change of the risks resulting from the processing operations, for example because a new technology has come into use or because personal data is being used for a different purpose.


Source: Regulation (EU) 2016/679 (General Data Protection Regulation), Chapter 4 (Art. 35) 

Privacy Impact Assessment (PIA)


The APPs require ‘privacy by design’, an approach whereby privacy compliance is designed into projects dealing with personal information right from the start, rather than being bolted on afterwards. 
A Privacy Impact Assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact. Conducting PIAs helps entities to ensure privacy compliance and identify better practice.

Potential benefits of undertaking a PIA include:

  • Ensuring that the project is compliant with privacy laws;

  • Reflecting community values around privacy and personal information in the project design;

  • Reducing future costs in management time, legal expenses, and potential negative publicity, by considering privacy issues early in a project;

  • Identifying strategies to achieve the project’s goals without impacting on privacy;

  • Demonstrating to stakeholders that the project has been designed with privacy in mind;

  • Promoting awareness and understanding of privacy issues inside the organisation or agency;

  • Contributing to broader organisational or agency risk management processes; and

  • Building community awareness and acceptance of the project through public consultation.


Source: Guide to undertaking privacy impact assessments, the Office of the Australian Information Commissioner, May 2014

bottom of page