What you really need to know about the EU GDPR (Part 3) - Do you require a DPO?
We’ve reached the final post of NW Security’s three-part blog series helping local businesses get to grips with the impending EU GDPR. This post discusses the requirement for many organisations to appoint a Data Protection Officer (DPO) under the EU General Data Protection Regulation (GDPR), and highlights the experience needed for those who will fill the role.
As of 25th May 2018, many organisations will be required to appoint a DPO under the new EU GDPR. And it is here that we encounter the first sticking point: is your business one of those that needs to fill this position?
Does my business require a DPO?
To help alleviate a potential regulatory headache and avoid fines that could severely impact a business's finances, it is recommended that every organisation consider appointing somebody who will be responsible for ensuring GDPR compliance. That said, the 'official' answer (Article 37 of the GDPR) is that a DPO must be appointed by all public authorities and bodies; by any organisation whose core activities require regular and systematic monitoring of individuals on a large scale; and by any organisation whose core activities involve large-scale processing of data relating to criminal convictions and offences, or of special categories of data such as genetic and health data. It is also worth clarifying that, for an organisation where the DPO role is not mandatory, the person taking on this responsibility should be given an alternative title, such as 'Senior Data Practitioner', unless the organisation intends the full DPO requirements of the Regulation to apply to that person.
The DPO role will be varied and requires a time commitment that includes raising awareness and providing training on data protection processes; helping the organisation avert costly security breaches; and holding the company to account for security and compliance failings, all while remaining impartial. Although the interpretation of these criteria will be debated in the months ahead, it is important that whoever fills the position has the capacity, and the required security knowledge, to take on such a role.
Who should take on the position?
Although some companies may not officially require a DPO, the consensus is that one person should be responsible, either internally or externally, for ensuring regulatory compliance. The next stage is determining who could have both the capacity and the security knowledge to fill the position. Beyond the security training, liaison with the Information Commissioner's Office (ICO), and ensuring best practice is upheld, any new processing introduced within an organisation that is likely to result in a high risk to individuals will need to undergo a Data Protection Impact Assessment (DPIA) to support privacy by design, a lengthy task in itself.
Furthermore, the Article 29 Working Party's DPO Guidance also states that those who take on the role must not have a 'conflict of interest'. This means that they cannot hold a position in which they determine the purposes and means of processing the personal data they have been tasked with protecting. The problem is that this limits the options of who can fill the position, almost certainly ruling out most senior management as well as the heads of the security and IT functions.
In larger organisations, it may be possible to recruit top talent. For smaller companies with limited budgets, however, it may not be reasonable to recruit a full-time employee. One alternative could be an outsourced, part-time DPO. This could deliver the right mix of skills and impartiality, without the financial burden of a new member of staff.
NW Security’s Data Protection Service could help your business meet its GDPR requirements, acting as an outsourced DPO so you can concentrate on your core business safe in the knowledge that GDPR compliance is assured: https://www.nwsystemsgroup.com/security-consultancy-training/gdpr/data-protection-officer-dpo-service