
    Editor's note: This post was originally published in April 2018 and has been refreshed to provide additional information.

    Today, 28th January, is Data Privacy Day. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. 

    It's also 8 months since the General Data Protection Regulation (GDPR) came into effect across Europe. 

    GDPR came into force on 25th May 2018. In the build-up to the new regulation, businesses were busy getting prepared. Alarmingly, though, a HubSpot survey carried out in September 2017 - a mere 8 months before the regulation was due to be introduced - revealed that only 36 percent of business leaders had even heard of GDPR!

    As it's Data Privacy Day, and with GDPR in mind, we decided to take another look at the role of the Data Protection Officer (or DPO). This was one of the biggest decisions organisations had to make ahead of GDPR - whether or not to appoint a new DPO for their business.

    Now, 8 months on, organisations may be wondering whether they made the right choice. If you didn't appoint a DPO but are now wondering if you should have done, this refresher should help you.

    A question of choice

    This is an interesting one – because for many businesses this formal requirement is not compulsory, and therefore may be something that was dismissed early on in the preparations. But, is that the right answer, especially given that the appointment of a DPO can still be made voluntarily?

    The legal bit

    For most larger financial services businesses, this is something that has already been covered, as they will already have data protection officers in place, given the amounts of personal data that they process and the controls they need to have in place under existing data protection legislation. However, what if you don’t already have a DPO? Should you have one?

    The answer is yes if you’re a public authority or body. It is also yes if constantly monitoring individuals on a systematic basis is a core part of your business, or if you process special types of data on a significant scale.

    This guidance isn’t necessarily easy to fit into a checklist, which you can tick off to say whether you need a DPO or not. In fact, the easier route may be to appoint a DPO if your business processes significant volumes of personal data as part of your activities.

    In good company

    The decision about whether to appoint a DPO (or whether to have a team supporting the DPO, depending on the size of your business) is not one that only a few businesses face. In fact, back in September 2016, research carried out by GO DPO found that around 7,000 businesses, each employing more than 250 people, needed to appoint a DPO. That’s a lot of recruitment and training that is needed!

    What it means in practice

    The decision to appoint a DPO may not be as onerous as it first looks. For a start, it doesn’t have to be a new employee – it could be an existing employee or manager; but here’s the rub.

    It’s essential that this person has the right level of skills and knowledge of data protection relative to the level of personal data processing carried out as well as the level of protection required for the data subjects.

    Why? Because it’s a requirement of GDPR that this is the case – Article 37(1) to be precise.

    But what does a DPO actually have to do – after all, surely they aren't responsible for carrying out all of the tasks to protect customers’ data?

    That’s right – but this is what they do have to do:

    • They have to be able to inform those processing personal data of their obligations under GDPR.
    • They have to monitor the firm’s performance as a data controller, as well as advise on any impact assessments carried out.
    • They will also have to be the primary contact with the relevant supervisory authority (which in the UK is the Information Commissioner’s Office (ICO)). This will also include the requirement to report breaches within 72 hours of discovery.

    All of this might seem onerous, but there are benefits to having a DPO. These include:

    • Having one person as the primary subject matter expert, rather than trying to spread the knowledge around many different people within the business.
    • As the DPO needs to be able to act independently and free of any conflicts of interest, you gain independent oversight of, and challenge to, your controls, which should help retain control strength and avoid regulatory breaches.
    • However, if breaches do happen, one person has the overall responsibility for making sure they are reported on time, avoiding confusion, delays and possible regulatory sanction.

    However, the most important aspect of all is making sure that the person taking on the DPO role has the necessary skills and knowledge to carry out the role. This is where training provided by an established provider demonstrating a key specialism in the area of GDPR can prove to be invaluable.

    Checklist for appointing a Data Protection Officer

    1. Has the most appropriate person been selected, given the need for a significant degree of subject matter expertise as required under GDPR?
    2. Has a gap analysis been carried out in terms of their knowledge and understanding of GDPR requirements?
    3. Can the person act independently? Does their role conflict with any other role they may play in the firm (e.g. someone who processes data may be conflicted out of being the independent DPO)?
    4. Will this person be able to educate and inform staff about their GDPR responsibilities?
    5. Does the person have the interpersonal skills and confidence to be able to liaise with regulators if necessary?
