‘To Have or Have Not’ – The DPO Question
Whilst many shy away from the legal, and sometimes scary, General Data Protection Regulation requirements, you really shouldn’t bury your head in the sand.
A data protection officer (DPO) is a resource not to ignore; they can solve those woes on your behalf and help elevate your organisation.
Does my organisation need a DPO? Is a DPO mandatory under UK GDPR?
Let’s clear things up – not every company and organisation needs a DPO. BUT that doesn’t mean one wouldn’t be helpful for your business, future-proof it, and lead excellent practice. So do you need one?
● Are you part of a public authority or body? If you are, then under Article 37 of UK GDPR, by law, you must have a data protection officer (no matter the data you collect or process).
● Are you an organisation that collects or processes individuals’ data systematically and on a large scale? Or perhaps even an organisation that collects and processes special categories of personal data (such as health and religion) on a large scale? You guessed it, a DPO is mandatory.
● Do you fall outside these definitions? Even for organisations where a DPO isn’t mandatory, those responsible for developing the legislation nevertheless strongly encourage organisations to appoint one voluntarily for the benefits it brings. It helps build leading best practice in the world where data (and how it is navigated) becomes ever more complex each day.
Why do I need a DPO?
Ultimately if your organisation doesn’t need a DPO to adhere to the law, then all too often, a DPO is dismissed as not necessary. Said to be the ‘cornerstones of accountability’, leading guidance emphasises the competitive advantages a DPO can bring a business.
Whilst it is the choice of the leadership team, arguably the benefits gained from having such a valuable team member with expert understanding of the law, far outweighs the initial task of finding one.
The value of such a role is worth their appointment several times over:
● Commercial value – There is a huge commercial value in getting it right.
○ If you are processing personal data on someone else’s behalf, e.g. using it to fulfil an order or storing your client’s data, then you will have to provide assurances of your own compliance.
○ Want to get into a contract or framework? Then you will inevitably receive a vendor compliance checklist before you can commercially engage.
○ Want to sell shares or are seeking investment? You won’t pass due diligence without demonstrating compliance with the UK GDPR.
● Fines and penalties – A DPO helps to avoid complaints and potential fines and penalties through compliance and ensuring your business aligns with the law.
○ The Information Commissioner’s Office has a wide range of sanctions available for those organisations that do not take their obligations seriously.
○ Eye watering fines are available and are designed on purpose to be ‘dissuasive’.
○ Individuals have recourse to civil action if organisations infringe their rights.
● Ethical kudos – In the eyes of consumers (and your customer), their privacy and data is increasingly important. Good data practice is good ethics which elevates reputation, and your worth as a company.
○ Consumers are more informed about their data protection rights than ever before. They understand the commercial value of their data and they understand they need to part with it to access services or buy goods. Importantly, they have the ultimate discretion as to where to spend their money and increasingly, it is with organisations who treat their personal data with respect.
So what is a DPO?
A data protection officer (DPO) is someone who is appointed or designated according to their professional qualities – in particular their expert knowledge of data protection law and practice. Importantly, a data protection office must be able to fulfil the tasks stipulated by the legislation without being confronted by a conflict of interest.
What does a DPO do (role and responsibilities)?
The data protection officer’s role is integral to oversee the organisations’ compliance with the UK GDPR and to make sure personal data is being processed according to the law. Companies must ensure that their DPO is involved properly and in a timely manner on all issues surrounding data processing. They are responsible for multiple facets of data security and education, strategy and compliance.
According to Article 39 of the UK GDPR, the DPO’s role will include:
● Collecting information to identify processing activities.
● Analysing and checking the compliance of processing activities.
● Informing, advising and issuing recommendations to the controller or the processor.
In practice this could look like (including but not limited to!):
● Informing: Educating both leadership teams and employees how to be compliant with the legislation.
● Monitoring: Monitoring compliance through audits.
● Advising: Giving advice on data protection impact assessment.
● Cooperation: Cooperating with and acting as intermediary with the supervisory authority on all issues relating to data processing.
Can I appoint myself as DPO?
Often, companies find themselves in need of a DPO and think perhaps it will be an easy fix, or part of the leadership team will step forward to take on the role. You can choose a DPO from amongst the current employees or you can appoint an outsourced one. Nor do you necessarily need a full-time DPO. But before anyone self-appoints or volunteers without understanding the complexity and technical expertise required, we outline a few key points to bear in mind:
1. Article 37 states a data protection officer must have ‘expert knowledge of data protection law and practices’.
2. There must not be a conflict of interest between the DPO role and any other responsibilities, for example, appointing a senior or executive member of the team, who will inevitably have influence and control of day to day processing activities, will create a conflict of interest. Violating this requirement can (and has) lead to huge penalties.
3. DPOs come from different professional backgrounds, such as information governance, security, legal practice, etc. There is no prerequisite professional background.
A simple way to assess if someone should be in the role of DPO in your organisation is to ask these basic questions:
1) Are they an expert in understanding the law and practice surrounding data protection?
2) Are they independent from conflicting roles in the organisation?
3) Do they have the time and resources to undertake the tasks required?
If the answer is an affirmative to all of the above, they are likely to be suited to the role.
You might be in a position where you don’t have or need a DPO, but you can identify the clear value and benefits one might bring. Perhaps you are in need of a DPO and need help appointing one?
Either way, you can access advice and a further explanation of the requirements from us at Compliance and Privacy Solutions Ltd. We can provide a wide range of support in relation to data protection, including Data Protection Officer services. Get in contact at firstname.lastname@example.org to arrange a free, no-obligation consultation.