# Data Protection Officer
The Data Protection Officer (DPO) is the named role responsible for our NDPA compliance posture. Designation of a DPO is mandatory for organisations of our processing scale (NDPA §32).
## Current DPO
- Name:
- Email:
- Phone:
- Office hours:
## When to contact the DPO
- Any new processing activity that you're not sure has a clear lawful basis.
- New third-party processor — before they go live.
- A user makes a subject-rights request that the standard tooling can't fulfil.
- Any incident that may have exposed personal data.
- A regulator (NDPC or otherwise) makes contact.
- A press / external enquiry mentions data protection.
- An employee resignation that requires off-boarding access (DPO doesn't manage this directly but tracks compliance).
## What the DPO does
- Drafts and maintains policies under `docs/policies/`.
- Reviews PRs in this repo that introduce new processing, lawful basis claims, or third-party processors.
- Coordinates NDPC notifications (per `incident-response.md`).
- Liaises with NDPC during audits.
- Conducts annual reviews of the documented data inventory across all products.
## What the DPO does NOT do
- Engineering or operational work — those stay with the product teams.
- Approving every PR — only those that change processing semantics or third parties.
- Customer-facing support — routed through normal support.
## DPO independence
NDPA + GAID require DPO independence in decision-making. The DPO reports to the CEO directly, not through any product team. The DPO has authority to halt processing they consider non-compliant pending resolution.