Ever wondered whether you need a Data Protection Officer (DPO)? If you haven't appointed a DPO but are thinking if you should have done, we are here to help.
What does a DPO do and what are the benefits of having one? We explain their responsibilities and provide a checklist for deciding whether or not you need one.
Is it a question of choice?
This is an interesting one – because for many businesses this formal requirement is not compulsory, and therefore may be something that was dismissed early on in the preparations. But, is that the right answer, especially given that the appointment of a DPO can still be made voluntarily?
The legal bit
For most larger financial services businesses, this is something that has already been covered, as they will already have data protection officers in place, given the amounts of personal data that they process and the controls they need to have in place under existing data protection legislation. However, what if you don’t already have a DPO? Should you have one?
The answer is yes if you’re a public authority or body, but also if you’re constantly monitoring individuals on a systematic basis, and it’s a core part of your business. Also, if you process special types of data on a significant scale.
This guidance isn’t necessarily easy to fit into a checklist, which you can tick off to say whether you need a DPO or not. In fact, the easier route may be to appoint a DPO if your business processes significant volumes of personal data as part of your activities.
In good company
The decision about whether to appoint a DPO (or whether to have a team supporting the DPO depending on the size of your business) is not a decision needed by only a few businesses. In fact, back in September 2016, research carried out by GO DPO found that around 7,000 businesses, each employing more than 250 people, needed to appoint a DPO. That’s a lot of recruitment and training that is needed!
What it means in practice
The decision to appoint a DPO may not be as onerous as it first looks. For a start, it doesn’t have to be a new employee – it could be an existing employee or manager; but here’s the rub.
It’s essential that this person has the right level of skills and knowledge of data protection relative to the level of personal data processing carried out as well as the level of protection required for the data subjects.
Why? Because it’s a requirement of GDPR that this is the case – Article 37(1) to be precise.
But what does a DPO actually have to do – after all, surely they aren't responsible for carrying out all of the tasks to protect customers’ data?
- They have to be able to inform those processing personal data of their obligations under GDPR.
- They have to monitor the firm’s performance as a data controller, as well as advise on any impact assessments carried out.
- They will also have to be the primary contact with the relevant supervisory authority (which in the UK is the Information Commissioner’s Office (ICO)). This will also include the requirement to report breaches within 72 hours of discovery.
All of this might seem onerous, but there are benefits to having a DPO.
Benefits of having a DPO:
- Having one person as the primary subject matter expert, rather than trying to spread the knowledge around many different people within the business.
- As the DPO needs to be able to act independently and free of any conflicts of interest, the benefit of having independent oversight and challenge to controls, which should help retain control strength and avoid regulatory breaches.
- However, if breaches do happen, one person has the overall responsibility for making sure they are reported on time, avoiding confusion, delays and possible regulatory sanction.
However, the most important aspect of all is making sure that the person taking on the DPO role has the necessary skills and knowledge to carry out the role. This is where training provided by an established provider demonstrating a key specialism in the area of GDPR can prove to be invaluable.
Checklist for appointing a Data Protection Officer
- Has the most appropriate person been selected, given the need for a significant degree of subject matter expertise as required under GDPR?
- Has a gap analysis been carried out in terms of their knowledge and understanding of GDPR requirements?
- Can the person act independently? Does their role conflict with any other role they may play in the firm (e.g. someone who processes data may be conflicted out of being the independent DPO)?
- Will this person be able to educate and inform staff about their GDPR responsibilities?
- Does the person have the interpersonal skills and confidence to be able to liaise with regulators if necessary?
Want to know more about GDPR?
We have created a glossary of GDPR definitions to help you navigate GDPR and DPA 2018 compliance. And we also have 50+ free compliance training aids as well as regularly publishing informative GDPR blogs including a regularly updated GDPR fines tracker for 2020.
If you're looking for comprehensive compliance training, why not visit our GDPR course library.
If you've any further questions or concerns about GDPR, just leave us a comment below this blog. We are happy to help!