With the countdown to GDPR implementation day inching into its final stages, many organisations are still unaware of the potential consequences of this influential document. One of the main areas in which many organisations find themselves unprepared is that of appointing a Data Protection Officer (DPO). The creation of this important role will be obligatory for many organisations, yet there remains some confusion as to what the position entails. Here, we provide you with everything you need to know about DPOs and the role they’ll play in modern data protection practices.
Before we even attempt to define the DPO role, it’s necessary to provide a brief overview of its source document, the GDPR. Coming into effect on the 25th May 2018, the General Data Protection Regulation (GDPR) aims to update existing data protection legislation across the EU.
Placing a greater emphasis on secure personal data practices and introducing heavy punishments for those that don’t comply, the GDPR is an incredibly important document that no organisation can overlook. In it, the position of DPO is established and made mandatory in certain circumstances.
What is a Data Protection Officer?
The DPO is the individual who oversees how personal data is handled in a business, organisation or public body. This covers the whole data trail, from the initial request for information through collection, storage, sharing and deletion, making it a role with enormous scope and a great deal of responsibility.
The DPO’s primary frame of reference is the GDPR, and all of their actions will focus on ensuring that their organisation’s procedures, processes and actions are in keeping with the regulations established by the GDPR.
While many businesses and organisations have already appointed a DPO – or have someone operating in a similar role – there’s still a large number that have yet to make a decision. Recent surveys suggest that a quarter of all local councils in the UK have yet to select their DPO. With time running out, it’s essential that they act soon.
What responsibilities do they hold?
The DPO’s roles and responsibilities are extensive, but they can be condensed into one principle: the DPO sits at the forefront of the organisation’s data protection efforts. Above all else, DPOs are responsible for advising organisations that are within scope for the GDPR on their compliance obligations.
In the position, individuals will be expected to:
- Monitor the organisation’s compliance with the GDPR, including the assignment of responsibilities, staff awareness and training, and the related audits.
- Inform and advise data controllers, processors, and any employees who process personal data of their obligations.
- Act as a point of contact for data subjects, as well as for employees, with questions or concerns about how personal data is handled.
- Cooperate with the supervisory authority and act as the organisation’s contact point for it.
- Advise on data protection impact assessments and monitor how they are carried out.
As we can see, the DPO’s role covers an incredible amount of ground and involves advising, monitoring, and auditing inside their own organisation, as well as co-operating with external authorities.
Why is a Data Protection Officer necessary?
The primary rationale for making the appointment of a DPO obligatory is transparency. Without the DPO role, it would be difficult to ensure organisations are complying with GDPR, and the legislation may be rendered ineffectual or unenforceable.
The DPO is also a multi-faceted role that requires a thorough understanding of current data protection practices, the GDPR, emerging trends and issues within data protection, and the working structure of their own organisation. In order to ensure all of these factors are given the consideration they’re due, they have been unified under one position. This also guarantees that responsibility for data protection practices is clearly attributed to one position. If responsibilities were distributed throughout an organisation, poor communication or planning could lead to serious oversights and issues with transparency.
When is a Data Protection Officer necessary?
The GDPR stipulates that a DPO is required where any of the following criteria is met:
- the processing is carried out by a public authority or body (eg. government departments and local authorities), with the exception of courts acting in their judicial capacity.
- the core activities of the controller or processor consist of processing that requires regular and systematic monitoring of data subjects on a large scale (eg. using personal data to build profiles for tailored advertising campaigns or marketing material).
- the core activities of the controller or processor consist of large-scale processing of special categories of data (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and genetic, biometric, health, sex-life or sexual-orientation data), or of personal data relating to criminal convictions and offences.
Note the qualifiers. The processing must be a core activity and on a large scale: a company that holds a small amount of health data about its own staff purely as part of running its HR function does not, on that basis alone, trigger the obligation.
In an increasingly digital society, in which big data is a valuable commodity and most organisations store and monitor some type of personal data, a DPO will be required by a large percentage of organisations.
However, even if an organisation doesn’t clearly fall into one of these categories, it may still be a good idea to appoint a DPO. Not only will it reduce the strain data protection places on all the individual parts of an organisation, it also concentrates responsibility in a single position and ensures practical data protection measures will be implemented. Bear in mind that an organisation which appoints a DPO voluntarily is then held to the same requirements on independence, resources and reporting as one that is obliged to. As Bahrat Mistry from UK Security Blog TrendMicro says:
“Organisations should be looking at the regulation as an opportunity to improve data management, build closer relationships with their customers and differentiate on privacy and security”.
It’s also important to note that the GDPR allows individual EU Member States to require a DPO in additional cases under their national law, now and in the future. This means it’s vital organisations keep an eye on national GDPR developments and prepare for changes.
Where is a Data Protection Officer positioned in an organisation?
While the GDPR doesn’t infringe on an organisation’s ability to structure itself in any way it sees fit, it does mention a number of factors that will need to be considered. For instance, the GDPR stipulates that the DPO must report to the highest management level in the organisation. While this doesn’t mean they’ll regularly have face-to-face meetings with board members to discuss matters, it does mean that reports will have to be sent on a regular basis to update them on developments.
DPOs will also have to be easily reachable by employees and the general public. The GDPR requires the organisation to publish the DPO’s contact details and to communicate them to the supervisory authority. As part of the DPO’s role is to ensure information requests are handled in the correct manner, they need to be a public face whom individuals can contact easily. When considering how to organise the role, it’s important to remember that one of the reasons for creating the position was to ensure personal data requests weren’t lost in labyrinthine bureaucracy.
Data Protection Officer and impartiality
Also of great importance to the role is the ability of the DPO to do their job impartially. This requires a degree of separation between the DPO’s own work and the day-to-day decisions of the organisation about how it processes data. The GDPR specifically states that the organisation must ensure the DPO ‘does not receive any instructions regarding the exercise of those tasks’, and that the DPO cannot be dismissed or penalised for performing them.
Essentially, this means that DPOs should not be given advice or instruction from someone inside the organisation on how to investigate a complaint, what decision to come to, or whether to contact the supervisory authority. Within their designated remit, DPOs should act autonomously and without being influenced by other employees, managers, or owners. That said, the DPO advises; the final decision on whether to follow that advice, and the legal responsibility for compliance, remains with the controller or processor.
In the case of failure to appoint a Data Protection Officer
If an organisation fails to appoint a Data Protection Officer there can be drastic and potentially devastating consequences. Though it seems fairly unlikely that an organisation will receive a heavy fine solely because they haven’t appointed a DPO, the punishments for non-compliance with the GDPR are breathtaking.
The maximum penalties for non-compliance are established in the GDPR as 4% of total worldwide annual turnover or €20 million, whichever is the larger amount. Breaches of the DPO provisions themselves (failing to appoint one where required, or failing to give the DPO the independence, access and resources the GDPR demands) sit in the lower tier of fines, up to 2% of worldwide annual turnover or €10 million. The practical risk, however, is that an organisation without an effective DPO is far more likely to commit the breaches that attract the top tier. These high-value punishments emphasise the serious nature of both the GDPR and the DPO position. Punitive financial measures aren’t the only issue, either. With public concern over privacy growing, the damage to an organisation’s reputation caused by any non-compliance would be enormous.
How is a Data Protection Officer certified?
There are currently no certifications required in order to become a DPO. However, this does not mean that the individual who is appointed should not be qualified. Candidates will need to have a thorough understanding of both data protection law, and EU law and legal systems. The position also demands good communication skills, comprehensive knowledge of an organisation’s existing data protection practices and data flows, and an ability to work impartially.
Despite there not being any obligatory certifications for DPOs, there are a number of certified schemes that could prove useful. For instance, IT Governance run a Certified EU General Data Protection Regulation Practitioner (GDPR) Training Course.
How to appoint a Data Protection Officer
If there are no obligatory certifications for the DPO position, how do you go about selecting a DPO?
First of all, the DPO position can be filled by an individual who already holds a position in the organisation. They don’t have to give up their existing position but, depending on the size of the organisation, it may be necessary if they’re to do the job justice. There is one firm constraint: the GDPR requires that any other duties the DPO holds do not create a conflict of interest, so the DPO cannot also occupy a role in which they decide the purposes and means of processing, such as chief executive, head of IT, head of marketing or head of HR. If there is a suitable candidate already working within the organisation, their experience and inside knowledge of it may make them the best person for the role. Otherwise, it’s time to look outside to an external hire; the GDPR expressly allows the DPO to be an external party working under a service contract. It’s also important to consider whether the DPO will be working alone, or whether they’ll have a team around them.
Who should you appoint?
Though no official qualifications for the role have been set out in the GDPR, EU guidance has suggested the skills considered relevant to the position. Amongst them are:
- Expertise in both European and UK data protection laws and practice, as well as a thorough understanding of the GDPR.
- Knowledge of the data processing operations executed in the organisation.
- Knowledge of existing and emerging data protection practices.
- An understanding of the industry in which they’re operating and the structure of the organisation they’re working for.
- A willingness to promote the GDPR within the organisation and foster a culture that respects data protection practices.
While this list is by no means exhaustive, it does provide the basic foundations on which an organisation can begin to screen candidates.
What support does a Data Protection Officer require?
In order to do their job to the required standards, DPOs will require a large amount of support from their organisation’s management and employees. The GDPR itself requires the organisation to provide the DPO with the resources necessary to carry out their tasks and to maintain their expert knowledge, and with access to personal data and processing operations. Specifically, DPOs will require:
- Resources – DPOs will need adequate resources in order to do their jobs. These may be financial, material, or human. It may take a considerable effort to establish a well-prepared team around the DPO, but if it secures compliance with the GDPR, it’s worth the expenditure.
- Time – In smaller organisations, the DPO position may be a part time role that the DPO combines with other responsibilities. However, in larger organisations, the DPO will need to devote their entire day to the job. In many cases, they’ll also require the assistance of a dedicated team.
- Independence – DPOs can be given support by ensuring they’re afforded the autonomy they require. Without it, they may face a conflict of interest and find themselves unable to do their job.
- Clear communication channels – DPOs will need to be kept in the loop when it comes to issues related to data protection. This means being invited to attend relevant senior management meetings, being free to liaise with supervisory bodies, and having access to all aspects of the organisation.
- Training – Finally, DPOs will need to be supported with training opportunities. In this sense, training opportunities refers to both the DPO’s own education and development, and their ability to offer training to employees in the organisation.
The GDPR is an incredibly important piece of legislation that will have huge ramifications across the UK and Europe. By enshrining the DPO role in the GDPR, the EU has recognised that the protection of personal data, as well as its proper use, is going to be of growing importance in the future.
In a society defined by the large amount of personal data we generate, the DPO position should not be undervalued or taken for granted. As data flows become more complex and individuals call for more power over their own personal data, the DPO will play a vital role in ensuring systems, processes and procedures are in place to meet this demand. Consequently, it’s of the utmost importance that organisations carefully consider who they want in the role and how they can support their DPO.