Does your business need a new Data Protection Officer ahead of the GDPR?
With a matter of weeks before the General Data Protection Regulation (GDPR) comes into effect across Europe at the end of May 2018, there is little time left for preparations, and the hope is that most businesses affected are ready or almost ready by now.
However, that may not be the case. Back in September 2017, Hubspot carried out a survey, which revealed that only 36 per cent of the business leaders surveyed had ever heard of GDPR! That’s a scary statistic, and so is the one which says that 42 per cent of businesses are “somewhat prepared” for GDPR.
Granted, that means the other 58 per cent are probably sitting pretty – but, regardless of how well prepared you think you are, it’s always a good idea to make those last minute checks.
Notably, one of the checks that should be made is whether or not you need to appoint a new Data Protection Officer (or DPO) for your business.
A question of choice
This is an interesting one – because for many businesses this formal requirement is not compulsory, and therefore may be something that was dismissed early on in the preparations. But, is that the right answer, especially given that the appointment of a DPO can still be made voluntarily?
The legal bit
For most larger financial services businesses, this is something that has already been covered, as they will already have data protection officers in place, given the amounts of personal data that they process and the controls they need to have in place under existing data protection legislation. However, what if you don’t already have a DPO? Should you have one?
The answer is yes if you’re a public authority or body. It is also yes if constantly monitoring individuals on a systematic basis is a core part of your business, or if you process special types of data on a significant scale.
This guidance isn’t necessarily easy to fit into a checklist, which you can tick off to say whether you need a DPO or not. In fact, the easier route may be to appoint a DPO if your business processes significant volumes of personal data as part of your activities.
In good company
The decision about whether to appoint a DPO (or whether to have a team supporting the DPO, depending on the size of your business) is not one that only a few businesses face. In fact, back in September 2016, research carried out by GO DPO found that around 7,000 businesses, each employing more than 250 people, needed to appoint a DPO. That’s a lot of recruitment and training that is needed!
What it means in practice
The decision to appoint a DPO may not be as onerous as it first looks. For a start, it doesn’t have to be a new employee – it could be an existing employee or manager; but here’s the rub.
It’s essential that this person has the right level of skills and knowledge of data protection relative to the level of personal data processing carried out as well as the level of protection required for the data subjects.
Why? Because it’s a requirement of GDPR that this is the case – Article 37(1) to be precise.
But what does a DPO actually have to do – after all, surely they won’t be responsible for carrying out all of the tasks to protect customers’ data?
That’s right – but this is what they do have to do:
- They have to be able to inform those processing personal data of their obligations under GDPR
- They have to monitor the firm’s performance as a data controller, as well as advise on any impact assessments carried out
- They will also have to be the primary contact with the relevant supervisory authority (which in the UK is the Information Commissioner’s Office (ICO)). This will also include the requirement to report breaches within 72 hours of discovery.
All of this might seem onerous, but there are benefits to having a DPO, which should be seriously considered. These include:
- Having one person as the primary subject matter expert, rather than trying to spread the knowledge around many different people within the business.
- As the DPO needs to be able to act independently and free of any conflicts of interest, the business gains independent oversight of, and challenge to, its controls, which should help retain control strength and avoid regulatory breaches.
- However, if breaches do happen, one person has the overall responsibility for making sure they are reported on time, avoiding confusion, delays and possible regulatory sanction.
If a DPO is to be appointed, there’s still time, although it will need to be quick, bearing in mind that the appointment needs to be notified to the ICO.
However, the most important aspect of all is making sure that the person taking on the DPO role has the necessary skills and knowledge to carry out the role. This is where training provided by an established provider demonstrating a key specialism in the area of GDPR can prove to be invaluable.
Checklist for appointing a Data Protection Officer
- Has the most appropriate person been selected, given the need for a significant degree of subject matter expertise as required under GDPR?
- Has a gap analysis been carried out in terms of their knowledge and understanding of GDPR requirements?
- Can the person act independently? Does their role conflict with any other role they may play in the firm (e.g. someone who processes data may be conflicted out of being the independent DPO)?
- Will this person be able to educate and inform staff about their GDPR responsibilities?
- Does the person have the interpersonal skills and confidence to be able to liaise with regulators if necessary?
Take a close look at numbers 2, 4 and 5. If you think you’ll have trouble with any of these, then now is the time to speak to someone who can help.