A question I was asked recently by a curious client was simply “What does a Data Protection Officer do?”. I gave them as much information as possible and sat with them to discuss the options they had going forward with regards to filling the role they needed. We chatted about whether they had somebody internal to fit the role, what training and knowledge that person would require, whether there would be enough work for them to justify the role full time, and also the threat of the person walking away once trained up and finding a role at another company.
Data Protection Officers are in big demand; there is a shortage of them across the whole EU, well-qualified individuals are highly sought after, and accordingly good ones don’t come cheap.
A Data Protection Officer (DPO) is responsible for GDPR compliance within an organisation. Organisations that employ over 250 employees, perform large-scale processing of personal data, or process special category data are required to appoint a DPO. For other organisations that do not meet these criteria, the appointment of a DPO is still recommended as a ‘best practice’.
The DPO is seen as an extension of the Information Commissioner’s Office (ICO). He or she can be contacted by the ICO to provide information, and the DPO is expected to notify the ICO of any data breaches.
It is vital that whoever is appointed as your DPO (whether it’s an internal staff member or an external provider) has the knowledge, support and authority to carry out their role effectively. This often means they need backing from the very highest level of management within the business, and they need to be given the freedom to carry out their work without fear of being penalised.
Because of the knowledge and competence the role requires, people with sufficient skills will be hard to find and in great demand. I’ve heard some advice being given by GDPR providers that the DPO role “cannot” be done internally as it breaches regulations, but this is not true. The role can comfortably be done internally provided the person is not involved in making decisions about how data is processed, and has the independence, knowledge and authority within the business to perform the role effectively.
Realistically, many smaller businesses will not have enough work to justify a full-time DPO role, and in these cases outsourcing that function may well be their best option.
The DPO’s responsibility is to ensure GDPR compliance by managing the data register, conducting Data Protection Impact Assessments (DPIAs), and following up on security measures, agreements with processors and privacy notices. In addition, he or she has a number of other ‘continuous’ tasks, such as organising ‘security awareness’ sessions, investigating complaints and responding to questions regarding data privacy, conducting sample reviews of staff and third-party access, and checking logs.
Whatever your decision with regards to appointing a DPO, it is an important function within your company and needs to be treated accordingly.