How do I define the Data Protection Officer Role? Do I really need to appoint a “DPO”? (Does this apply to small organisations?)
Well, yes, you do, if you hold information on customers, employees, or both. Just about every company does. Provision needs to be made by May 2018. Time is running out.
We’ve been consulting on ISO 27001 certification for many years. Consequently, we have some understanding of the mixture of compliance, business activities, and company culture. There’s much on the ‘net about the Data Protection Officer Role. We thought a concise, realistic summary would be useful.
Meanwhile, the heavyweight documents covering the Data Protection Officer Role are here and here. If you are an insomnia sufferer, try the full GDPR document. It is probably more powerful than pills. Here’s our understanding and short summary, based around FAQs.
What does a DPO do?
They are simply the first point of contact for all sensitive data. Some of the key activities of the role are:
- Informing and advising senior management and relevant employees of their obligations under GDPR
- Monitoring compliance with the above.
- Advising on data protection impact assessments
- Responding to individuals’ enquiries on the handling of their data.
- Monitoring and notifying breaches of procedure.
- Being the key contact point for the supervisory authority.
Can we outsource or even share a DPO?
You could, but they need to be rapidly accessible for queries, complaints, breaches, requests for access, etc. “I may be able to fit you in next week” won’t work. They cannot be on the fringe of the business, for a number of reasons outlined below.
Ideally, they need to have a thorough grounding in data protection law and application. N.B. There is no current formal qualification for this. Furthermore, they need to understand how your business works. Access is required to all levels of meetings. It may be difficult to find this combination of skills! Choose carefully. Maybe your friendly local ISO Consultant might be able to help…?
What about an internal employee?
Yes, provided there is no conflict of interest. However, this may leave a narrow set of candidates to choose from. See the following question.
Which roles cannot be a DPO?
Anyone whose role involves actually collecting and processing data. This may exclude many potential candidates. Notable exclusions are the managing director, head of IT, HR staff and finance managers. A DPO needs to be a step removed from the data gathering and processing activities. They must remain impartial, yet understand the processes intimately.
Does a DPO need to be an expert/have training?
The GDPR is specific about many things, but vague on candidate credentials. However, it does specify “expert knowledge of data protection law and practices”. The definition of “expert” is unclear, and the type and level of training required are undefined. A strong background in compliance management and IT would probably be a good starting point. Hopefully, more will emerge on the specifics of this area.
What else do we have to bear in mind?
The DPO must report to the highest management level and regularly attend senior management meetings. They cannot be regarded as merely a lower-level data-crunching compliance officer. They need to influence and advise on strategic decisions. Plus, they are senior management’s key defence against being heavily fined for non-compliance. The Data Protection Officer can’t be left out.
The DPO must operate independently and impartially. Consequently, they cannot be dismissed or formally disciplined for simply doing their job and “whistle-blowing” as required. With the threat of fines, you need a critical friend.
Does the DPO do it all, make sure we comply, and carry the responsibility?
No. Senior management retain ultimate legal responsibility for GDPR compliance. Hence the requirement for ready access to their decision-making processes. The DPO creates and monitors the appropriate systems and conducts regular security audits. They also encourage a “data protection culture” through impact assessments and staff briefings on their specific responsibilities. Quite simply, they champion compliance with GDPR principles. However, the ultimate responsibility lies with upper management.
Where do I go for more information on DPOs and the GDPR?
Well, we’ve worked with data protection issues as part of the ISO 27001 certification process for a number of years now. The whole Data Protection Officer Role currently raises many questions, and time is running out, so if you need help, please get in touch.