Editor's note: This post was originally published in April 2018 and has been refreshed to provide additional information.
Today, 28th January, is Data Privacy Day. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices.
It's also 8 months since the General Data Protection Regulation (GDPR) came into effect across Europe.
GDPR was enforced on 25th May 2018. In the build-up to the new regulation, businesses were busy getting prepared. Alarmingly, though, a HubSpot survey carried out in September 2017 - a mere 8 months before the regulation was due to be introduced - revealed that only 36 percent of business leaders had even heard of GDPR!
As it's Data Privacy Day, and with GDPR in mind, we decided to take another look at the role of the Data Protection Officer (or DPO). This was one of the biggest decisions organisations had to make ahead of GDPR - whether or not to appoint a new DPO for their business.
Now, 8 months on, organisations may be wondering whether they made the right choice. If you didn't appoint a DPO but are now wondering if you should have done, this refresher should help you.
A question of choice
This is an interesting one – because for many businesses appointing a DPO is not compulsory, and so it may have been dismissed early on in the preparations. But is that the right answer, especially given that a DPO can still be appointed voluntarily?
The legal bit
For most larger financial services businesses, this is already covered: they will have data protection officers in place, given the volumes of personal data they process and the controls they need under existing data protection legislation. However, what if you don’t already have a DPO? Should you have one?
The answer is yes if you’re a public authority or body; if you monitor individuals constantly and systematically and that monitoring is a core part of your business; or if you process special types of data on a significant scale.
This guidance isn’t necessarily easy to fit into a checklist you can tick off to say whether you need a DPO or not. In fact, the easier route may be to appoint a DPO if your business processes significant volumes of personal data as part of its activities.
In good company
The decision about whether to appoint a DPO (or whether to have a team supporting the DPO, depending on the size of your business) is not one that only a few businesses face. In fact, back in September 2016, research carried out by GO DPO found that around 7,000 businesses, each employing more than 250 people, needed to appoint a DPO. That’s a lot of recruitment and training!
What it means in practice
The decision to appoint a DPO may not be as onerous as it first looks. For a start, it doesn’t have to be a new employee – it could be an existing employee or manager; but here’s the rub.
It’s essential that this person has the right level of skills and knowledge of data protection relative to the level of personal data processing carried out as well as the level of protection required for the data subjects.
Why? Because it’s a requirement of GDPR that this is the case – Article 37(1) to be precise.
But what does a DPO actually have to do – after all, surely they aren't responsible for carrying out all of the tasks to protect customers’ data?
That’s right – but this is what they do have to do:
- They have to be able to inform those processing personal data of their obligations under GDPR.
- They have to monitor the firm’s performance as a data controller, as well as advise on any impact assessments carried out.
- They will also have to be the primary contact with the relevant supervisory authority (which in the UK is the Information Commissioner’s Office (ICO)). This will also include the requirement to report breaches within 72 hours of discovery.
All of this might seem onerous, but there are benefits to having a DPO. These include:
- Having one person as the primary subject matter expert, rather than trying to spread the knowledge around many different people within the business.
- Because the DPO must act independently and free of any conflicts of interest, the business gains independent oversight of, and challenge to, its controls, which should help maintain control strength and avoid regulatory breaches.
- However, if breaches do happen, one person has the overall responsibility for making sure they are reported on time, avoiding confusion, delays and possible regulatory sanction.
However, the most important aspect of all is making sure that the person taking on the DPO role has the necessary skills and knowledge to carry out the role. This is where training provided by an established provider demonstrating a key specialism in the area of GDPR can prove to be invaluable.
Checklist for appointing a Data Protection Officer
- Has the most appropriate person been selected, given the need for a significant degree of subject matter expertise as required under GDPR?
- Has a gap analysis been carried out in terms of their knowledge and understanding of GDPR requirements?
- Can the person act independently? Does their role conflict with any other role they may play in the firm (e.g. someone who processes data may be conflicted out of being the independent DPO)?
- Will this person be able to educate and inform staff about their GDPR responsibilities?
- Does the person have the interpersonal skills and confidence to be able to liaise with regulators if necessary?