GDPR countdown: Jumping in at the DPO End?

As we continue the countdown to the introduction of GDPR, Chris Hunter of HM Network explores the need for a Data Protection Officer within an organisation.

Whether your organisation is required to appoint a Data Protection Officer (DPO) or not, you will still need to comply. Obviously you can recruit a DPO, but you may find there is currently somewhat of a shortage. Alternatively, you could outsource your DPO role to an external specialist or a law firm. You could also use someone from within your own organisation, but do they have the right skills to take on the position? There may be a steep learning curve ahead, to get up to speed. We are regularly hearing from people who have assumed the DPO role or have been put forward for it.

Many are apprehensive, some are unhappy and obviously quite worried about the size of the task ahead. While you can appoint someone in your existing organisation as your DPO, they should have the relevant mindset and experience needed for a job like this. Although it is not obligatory it is preferred and suggested that they possess the following skills: knowledge of privacy impact assessments, risk assessments, IT and IS audits, an expert knowledge in data protection laws, significant experience in EU and global privacy laws which may include drafting of privacy policies and third party outsourcing agreements, experience in legal and technical training, experience in raising awareness... If you do use someone from your existing staff it cannot be a person from a role where it could be seen to have a conflict of interest. For instance they cannot be:

Chief Executive
Head of Marketing
Chief Financial Officer
Chief Operating Officer
Head of Human Resources
Head of Information Technology

It is unlikely whoever you do choose will know everything, and there may well be lead in time while they are getting up to speed with what is required. Do you take on a trained DPO from the outset? Do you outsource completely, or use one of your own people and transition them into the role with external help and support when they need it?

Where should your chosen DPO/Data Protection lead turn to for help and guidance?
Where do they get the tools to help them do their jobs?
Who can help them provide training options for staff?

This is where something like the GDPRexpress can help. We have assembled a variety of specialist partners and services that can help your business on it’s road to compliance. There is a saying “there is strength in numbers”.

Being able to call upon expertise from the group across a variety of specialisms is invaluable. We can help you assess, plan, train and put into practice your GDPR readiness programme. From audits, assessments, cyber security, staff training, policy and procedure writing plus provide data protection practitioner support and much more. Our mission to support local companies through the required changes and as part of that many of the services mentioned are free of charge or low cost. Back to the DPO role, to help you get a better understanding of what is needed these words are taken directly from the ICO website

When does a Data Protection Officer need to be appointed under the GDPR?

“Under the GDPR, you must appoint a DPO if you:

are a public authority (except for courts acting in their judicial capacity);
carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or
carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size. Any organisation is able to appoint a DPO. Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.

What are the tasks of the DPO?

The DPO’s minimum tasks are defined in Article 39:

To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

What does the GDPR say about employer duties?

You must ensure that:

The DPO reports to the highest management level of your organisation – ie board level.
The DPO operates independently and is not dismissed or penalised for performing their task.
Adequate resources are provided to enable DPOs to meet their GDPR obligations.

Can we allocate the role of DPO to an existing employee?

Yes. As long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests. You can also contract out the role of DPO externally.

Does the data protection officer need specific qualifications?

The GDPR does not specify the precise credentials a data protection officer is expected to have. It does require that they should have professional experience and knowledge of data protection law. This should be proportionate to the type of processing your organisation carries out, taking into consideration the level of protection the personal data requires.” If you require any help, we are more than happy to connect you with support mechanisms to help you prepare and carry out the roles and responsibilities of the DPO. info+gdpr@hm-nework.com #GDPRexpress 03333 444 190