{"id":1866,"date":"2017-12-05T11:19:48","date_gmt":"2017-12-05T11:19:48","guid":{"rendered":"https:\/\/www.calligo.io\/who-wants-to-be-data-protection-officer-dpo\/"},"modified":"2023-05-01T19:30:24","modified_gmt":"2023-05-01T18:30:24","slug":"who-wants-to-be-data-protection-officer-dpo","status":"publish","type":"post","link":"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/","title":{"rendered":"Who wants to be Data Protection Officer (DPO)?"},"content":{"rendered":"\n<p>Ok, obviously your GDPR project is in full swing, you know the impact on your organisation, you\u2019ve made the plans to keep compliant, the education of the workforce is in full effect and now you are down to the last few tasks before this can all be put to bed and job done and on to the next big thing. Does that sound like your world?<\/p>\n\n\n\n<p>No? Ok, a little secret here is you are not the only one in that situation. Truth is that most have done nothing, some are beginning to start and the few have been mobilising for a while and are working through their GDPR project.<\/p>\n\n\n\n<p>One area that keeps cropping up in conversations with customers around GDPR is the whole Data Protection Officer (DPO) thing. 
Most organisations we speak to don\u2019t currently have one and are trying to work out where the position best sits within the existing structures, but the reality is that most are struggling to find the head that fits the hat.<\/p>\n\n\n\n<p>Let\u2019s be clear, the DPO is a serious position, this role will be critical to giving companies a fighting chance of getting to grips with the new regulation and importantly providing the oversight for the continued monitoring of compliance to it, so let\u2019s just take a quick look at some of the requirements and attributes of the Data Protection Officer. Articles 37, 38 and 39 cover off the main elements around the DPO.<\/p>\n\n\n\n<p>\u2026\u201dthis role will be critical to giving companies a fighting chance of getting to grips with the new regulation\u201d<\/p>\n\n\n\n<p><strong>When MUST you appoint a DPO?<\/strong><\/p>\n\n\n\n<p>Article 37 states that under the GDPR, you must appoint a data protection officer (DPO) if you:<\/p>\n\n\n\n<p>are a public authority (except for courts acting in their judicial capacity);<br>carry out large scale systematic monitoring of individuals (for example, online behaviour tracking); or<br>carry out large scale processing of special categories of data or data relating to criminal convictions and offences.<\/p>\n\n\n\n<p>It should be noted that member states can also pass additional laws for the mandatory appointment of DPOs.<\/p>\n\n\n\n<p>So, if you don\u2019t fit into the above then you are not obliged to appoint a DPO, but it is probably wise not to cross it off your list: not having a DPO doesn\u2019t mean you have absolved yourself of the responsibilities of the position. 
Regardless of whether the GDPR obliges you to appoint a DPO, you must ensure that your organisation has sufficient staff and skills to discharge your obligations under the GDPR.<\/p>\n\n\n\n<p><strong>Some of the more flexible considerations are;<\/strong><\/p>\n\n\n\n<p>You may appoint a single data protection officer to act for a group of companies or for a group of public authorities, taking into account their structure and size.<br>Take the DPO on the basis of a service contract<\/p>\n\n\n\n<p>Whichever method you choose to fulfil the requirements of a DPO you must publish the contact details of the DPO and communicate them to the supervisory authority. A key consideration for how you decide to approach this is in the requirement in Article 37 Clause 5 \u2013 \u201cThe data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.\u201d<\/p>\n\n\n\n<p>Article 38 concentrates on the Position of the Data Protection Officer and this states;<\/p>\n\n\n\n<p><strong>Controllers and Processors shall;<\/strong><\/p>\n\n\n\n<p>Ensure the DPO is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.<br>Shall support the DPO in performing the tasks (article 39 has these) by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain their expert knowledge<br>Ensure the DPO does not receive any instructions regarding the exercise of those tasks. 
The DPO will not be dismissed or penalised by the controller or processor for performing their tasks<br>Report directly to the highest management level<br>Be contactable by Data Subjects with regard to all issues related to the processing of personal data and to the exercise of their rights (that\u2019s the data subject) under the Regulation<br>Be bound by secrecy or confidentiality concerning the performance of their tasks, in accordance with Member State Law.<br>Be able to perform other tasks, but there must be no tasks or duties that result in a conflict of interests.<\/p>\n\n\n\n<p>Ok, so it is pretty clear that the DPO position requires a particular set of skills that are not always that accessible within an organisation, equally the position needs access to the highest management and actually have the rights of the data subjects at the forefront of their thoughts when dispensing their duties. Organisations are going to have to perform in a very mature manner to ensure that the role has the independence required to operate without interference and ensure adherence to the regulation. 
The key point of a lack of conflict of interests precludes many existing positions (such as those responsible for security) from being appointed to the role in addition to their other duties.<\/p>\n\n\n\n<p>Whilst discussing duties, here are the tasks of the DPO as defined by Article 39 of the regulation;<\/p>\n\n\n\n<p>The data protection officer shall have at least the following tasks:<\/p>\n\n\n\n<p>to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;<br>to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;<br>to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;<br>to cooperate with the supervisory authority;<br>to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.<\/p>\n\n\n\n<p>The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.<\/p>\n\n\n\n<p>Ok, so time to draw breath, in an attempt to elevate the discussion here is the headline news version of all the above;<\/p>\n\n\n\n<p>DPO isn\u2019t mandatory for all, but against the backdrop of the above is it something that can just be attended to on an as and when basis?<br>The skills required to dispense the role are not typically found in one person, there is the need 
for legal\/regulation\/compliance knowledge but equally once the privacy elements are covered off you still have significant requirements to oversee areas that will involve technology.<br>The independence of the role makes it a difficult one to resource internally without falling foul of the \u201cconflict of interests\u201d; DPOs appointed from within might want to expect fewer invites to Christmas parties\u2026<\/p>\n\n\n\n<p>Maybe when you step back it isn\u2019t that surprising that many organisations have struggled to identify where this naturally sits because in most companies it doesn\u2019t have a natural resting place because it presents such a fundamentally different approach, essentially it is an internal guardian of data subjects\u2019 rights, as opposed to protecting the organisation it works for in the first instance. In time organisations will evolve with this, but it is a massive jump for many at this stage.<\/p>\n\n\n\n<p>It is our belief that many will look to resource this externally, with a DPO as a Service (DPOaaS), as it avoids many of the struggles of resourcing internally, that is why we have created a dedicated service team focussed solely on DPOaaS. We have combined the Regulatory expertise with Compliance responsibility and integrated technology thought leadership to create a uniquely focussed service designed to interface with our clients to provide excellence in Data Protection Officer delivery.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Who wants to be Data Protection Officer (DPO)? 
Find out if your business is mandated to have a DPO under GDPR, &#038; the benefits of appointing an external DPO<\/p>\n","protected":false},"author":33,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[],"post_format_type":[40],"class_list":["post-1866","post","type-post","status-publish","format-standard","hentry","category-blog"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Who wants to be Data Protection Officer (DPO)? | Calligo<\/title>\n<meta name=\"description\" content=\"Who wants to be Data Protection Officer (DPO)? Find out if your business is mandated to have a DPO under GDPR, &amp; the benefits of appointing an external DPO\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Who wants to be Data Protection Officer (DPO)? | Calligo\" \/>\n<meta property=\"og:description\" content=\"Who wants to be Data Protection Officer (DPO)? 
Find out if your business is mandated to have a DPO under GDPR, &amp; the benefits of appointing an external DPO\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/\" \/>\n<meta property=\"og:site_name\" content=\"Calligo\" \/>\n<meta property=\"article:published_time\" content=\"2017-12-05T11:19:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-05-01T18:30:24+00:00\" \/>\n<meta name=\"author\" content=\"Brendan Walsh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@calligocloud\" \/>\n<meta name=\"twitter:site\" content=\"@calligocloud\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Brendan Walsh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/\"},\"author\":{\"name\":\"Brendan Walsh\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f\"},\"headline\":\"Who wants to be Data Protection Officer 
(DPO)?\",\"datePublished\":\"2017-12-05T11:19:48+00:00\",\"dateModified\":\"2023-05-01T18:30:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/\"},\"wordCount\":1349,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.calligo.io\/#organization\"},\"articleSection\":[\"Blog\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/\",\"url\":\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/\",\"name\":\"Who wants to be Data Protection Officer (DPO)? | Calligo\",\"isPartOf\":{\"@id\":\"https:\/\/www.calligo.io\/#website\"},\"datePublished\":\"2017-12-05T11:19:48+00:00\",\"dateModified\":\"2023-05-01T18:30:24+00:00\",\"description\":\"Who wants to be Data Protection Officer (DPO)? 
Find out if your business is mandated to have a DPO under GDPR, & the benefits of appointing an external DPO\",\"breadcrumb\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.calligo.io\/insights\/blog\/who-wants-to-be-data-protection-officer-dpo\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.calligo.io\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Who wants to be Data Protection Officer (DPO)?\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.calligo.io\/#website\",\"url\":\"https:\/\/www.calligo.io\/\",\"name\":\"Calligo\",\"description\":\"Building value through data\",\"publisher\":{\"@id\":\"https:\/\/www.calligo.io\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.calligo.io\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.calligo.io\/#organization\",\"name\":\"Calligo\",\"url\":\"https:\/\/www.calligo.io\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg\",\"contentUrl\":\"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg\",\"width\":1200,\"height\":630,\"caption\":\"Calligo\"},\"image\":{\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/calligocloud\",\"https:\/\/www.linkedin.com\/company\/calligo-limited
\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f\",\"name\":\"Brendan Walsh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g\",\"caption\":\"Brendan Walsh\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->"}