In the final post of our three-part blog series, we discuss the requirement for many organisations to appoint a Data Protection Officer (DPO) under the EU General Data Protection Regulation (GDPR), and highlight the experience needed for those who will fill the role.
Do you need a DPO?
Under the new EU GDPR, many organisations will be required as of 25th May 2018 to appoint a DPO. And it is here that we encounter the first sticking point: is your business one of those that needs to fill this position?
The ‘official’ answer is that a DPO must be appointed by all public authorities; by any organisation carrying out systematic monitoring of individuals on a large scale; and by all companies whose core activities involve processing data related to criminal convictions and offences, or other special categories such as genetic and health data. However, to help alleviate a potential regulatory headache and avoid fines that could severely impact a business’s finances, every organisation should consider appointing somebody who will be responsible for ensuring GDPR compliance. Note that, for an organisation where the DPO role is not mandatory, the guidance is that the person taking on this responsibility is given a different title, such as ‘Senior Data Practitioner’.
The DPO’s role will include providing security training regarding data protection processes; averting costly security breaches; and holding a company to account for security failings, all while remaining impartial. Although the interpretation of these criteria will be debated in the months ahead, it is important that whoever fills the position has the capacity, and the required security knowledge, to take on such a role.
Who should take on the position?
The consensus is that, even if a company does not officially require a DPO, one person should be responsible, either internally or externally, for ensuring regulatory compliance. The next stage is determining who could fill those data security shoes. Beyond the security training that must be delivered, and the day-to-day function of averting costly data breaches, any new process that is introduced within an organisation will need to undergo a Data Protection Impact Assessment (DPIA) to ensure privacy by design. Is there somebody internally who has the time to undertake these duties?
The DPO Guidance also states that those who take on the role must not have a ‘conflict of interest’. This means that they can’t be involved in the collection or processing of the personal data they have been tasked with protecting. This does somewhat limit the options of who can fill this position, almost certainly ruling out most senior management as well as security and IT teams.
In larger organisations, it may be as simple as recruiting top talent for the specific role. For smaller companies with limited means, however, this may not be a luxury easily afforded. One alternative could be an outsourced, part-time DPO. This could deliver the right mix of skills and the impartiality required, without the financial burden of a full-time member of staff.
Find out how NW Security could help your business meet its GDPR requirements, with one of our consultants acting as an outsourced DPO so you can concentrate on your core business safe in the knowledge that GDPR compliance is assured: read more about our Data Protection (DPO) Service.