As we continue the countdown to the introduction of GDPR, Chris Hunter of HM Network explores the need for a Data Protection Officer within an organisation.
Whether your organisation is required to appoint a Data Protection Officer (DPO) or not, you will still need to comply. Obviously you can recruit a DPO, but you may find there is currently somewhat of a shortage. Alternatively, you could outsource your DPO role to an external specialist or a law firm. You could also use someone from within your own organisation, but do they have the right skills to take on the position? There may be a steep learning curve ahead, to get up to speed. We are regularly hearing from people who have assumed the DPO role or have been put forward for it.
Many are apprehensive, some are unhappy and obviously quite worried about the size of the task ahead. While you can appoint someone in your existing organisation as your DPO, they should have the relevant mindset and experience needed for a job like this. Although it is not obligatory it is preferred and suggested that they possess the following skills: knowledge of privacy impact assessments, risk assessments, IT and IS audits, an expert knowledge in data protection laws, significant experience in EU and global privacy laws which may include drafting of privacy policies and third party outsourcing agreements, experience in legal and technical training, experience in raising awareness... If you do use someone from your existing staff it cannot be a person from a role where it could be seen to have a conflict of interest. For instance they cannot be:
It is unlikely whoever you do choose will know everything, and there may well be lead in time while they are getting up to speed with what is required. Do you take on a trained DPO from the outset? Do you outsource completely, or use one of your own people and transition them into the role with external help and support when they need it?
This is where something like the GDPRexpress can help. We have assembled a variety of specialist partners and services that can help your business on it’s road to compliance. There is a saying “there is strength in numbers”.
Being able to call upon expertise from the group across a variety of specialisms is invaluable. We can help you assess, plan, train and put into practice your GDPR readiness programme. From audits, assessments, cyber security, staff training, policy and procedure writing plus provide data protection practitioner support and much more. Our mission to support local companies through the required changes and as part of that many of the services mentioned are free of charge or low cost. Back to the DPO role, to help you get a better understanding of what is needed these words are taken directly from the ICO website
You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.
The DPO’s minimum tasks are defined in Article 39:
You must ensure that:
Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO externally.
The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.” If you require any help, we are more than happy to connect you with support mechanisms to help you prepare and carry out the roles and responsibilities of the DPO. email@example.com #GDPRexpress 03333 444 190