On 25 May 2018 the General Data Protection Regulation (GDPR) came into force. The regulation promotes a culture of internal accountability and self-regulation for managing data protection. Many organisations (both data controllers and processors) have found they need to appoint a Data Protection Officer (DPO) under this legal framework. Even where appointing a DPO is not mandatory, some organisations may find it useful to do so to support GDPR compliance.
What does a Data Protection Officer do?
The Data Protection Officer's role is to "inform and advise" the organisation and to monitor its compliance with the GDPR. DPOs also provide advice on Data Protection Impact Assessments (DPIAs) and cooperate and consult with the local Supervisory Authority (in Ireland, the Data Protection Commission). The DPO can also play a role in record-keeping, which supports their tasks of informing, advising and monitoring compliance. The DPO is also the point of contact for any individual who wishes to exercise their rights under the GDPR, for example to gain access to their data. Article 39 of the GDPR outlines the minimum set of tasks for a DPO.
Article 38 requires that the DPO be given the resources necessary to carry out the tasks outlined in Article 39. The DPO must report directly to the highest level of management in the organisation, must not be instructed in how to perform their tasks, and must not be dismissed or penalised for performing them. Article 37 requires that the DPO be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practice.
Do I need a DPO?
Determining whether you need a DPO can be quite simple for some organisations but less clear cut for others. The Article 29 Data Protection Working Party (WP29), an independent EU data protection advisory body, published guidelines that help organisations determine whether they must appoint a DPO.
Appointing a DPO is mandatory for an organisation if:
- You are a public authority or body (irrespective of what data is being processed)
- Your core activities consist of processing operations which, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
- Your core activities consist of large-scale processing of special categories of data or of personal data relating to criminal convictions and offences
The WP29 guidelines helpfully define the terms "core activities", "regular and systematic monitoring" and "large scale".
The GDPR allows the Data Protection Officer role to be outsourced to an external service provider. There are several reasons you may consider this option.
1. Suitably skilled and experienced candidates are hard to find
According to one study, the GDPR will create a need for at least 75,000 Data Protection Officers worldwide. It may be difficult (for SMEs in particular) to attract and retain this type of employee. The challenge is to find an individual who is an expert in local and EU data protection law, has an in-depth understanding of the GDPR and holds supporting qualifications.
2. The cost may be too high
Not all organisations need a full-time DPO, and many will find it difficult to justify the expense of recruiting and paying a senior staff member in this role, not to mention the investment in continuous training and in resourcing the DPO appropriately. An external DPO can be engaged on an hourly or fixed-price basis and can work remotely, on-site or a mix of both.
3. May not be able to meet the “Independence” requirement by hiring in-house
The GDPR requires the Data Protection Officer to act in an independent manner. This means the employer cannot instruct them in how to do their job, cannot dismiss or penalise them for doing it, and there must be no conflict of interest with any other tasks and duties they hold. The WP29 guidelines advise that, to avoid a conflict of interest, the DPO "should not hold a position that allows them to determine the purpose and the means of processing personal data". The guidelines also advise that senior management and C-level positions (for example chief executive, chief operating, chief financial, chief marketing, head of HR or head of IT) are generally not suitable for the role of DPO.
4. Access to other services offered by the external DPO
By outsourcing the DPO role to an external company, an organisation can draw on the skills of a whole team of professionals rather than a single individual. Such teams can provide specific advice on record-keeping, documentation and privacy in areas such as IT, direct marketing and HR. They can assist with breach response and notification, handle subject access requests and provide annual GDPR awareness training for staff.
Determining whether to appoint a DPO is the first step your organisation should take. The decision-making process should be well documented, and if you choose not to appoint a DPO you should record the reasons for that decision. If a DPO is required and an external provider is the best option, your organisation should shortlist several potential providers and carry out its own due diligence before deciding whom to appoint. A service contract should then be put in place setting out the services required, the agreed fees, the structure of the role and a mechanism for addressing any issues that arise.
Note: Atlantic Compliance Ltd. is a data protection consultancy company providing services such as GDPR audits, gap analysis, data breach and access request management services as well as GDPR preparation workshops, online staff awareness training and an outsourced DPO service. Learn more at www.atlanticcompliance.eu