There’s a shortage of Data Protection Officers (DPOs), not just in the UK but across the European Union, with 12 months to go before the EU General Data Protection Regulation (GDPR) becomes fully enforceable across all 28 Member States. The role of the DPO is at the heart of the new legal framework for data protection and privacy and is central to facilitating compliance with the provisions of the GDPR. Appointing a DPO is mandatory under Art.37(1), GDPR in three specific circumstances:
- Where the personal data processing is carried out by a public authority or body
- Where the core activities of the Data Controller, Joint Data Controller, or Data Processor consist of processing operations that require the regular and systematic monitoring of Data Subjects on a large scale
- Where the core activities of the Data Controller, Joint Data Controller or Data Processor consist of processing on a large scale of special personal data or personal data relating to criminal convictions and offences.
In the opinion of the UK Information Commissioner, Elizabeth Denham, if you’re wondering whether to appoint a DPO, you should take the leap and appoint one. Such an appointment will be a mitigating factor in your favour in the wake of a personal data breach and will be taken into account by the regulator.
Perhaps mindful that DPOs are a rare breed – a senior manager with a combination of skills and training covering compliance, risk and technology – you may want to identify someone internally and ensure that they get the requisite training. This is certainly a more expedient and cost-effective approach, provided the senior manager doesn’t have a conflict of interest (Art.38(6), GDPR) and can walk the fine line between understanding the internal culture of the organisation and maintaining an independent, objective and external focus.
Interestingly, the latest guidance published by Article 29 Data Protection Working Party (Art 29 WP) recognises that in many cases, an organisation may be best served by a ‘Team DPO’ provided by an external service provider. In such arrangements, a team of individuals may effectively carry out the tasks of a DPO (Art.39, GDPR) under the responsibility of a designated lead contact for the client organisation.
This could be an attractive solution given that with a little over 12 months to go, organisations need to crack on with putting in place technical and organisational measures and will require a DPO to help advise and consult on what should be done in order to comply with the GDPR. Critically, this will include interfacing with HR, legal, IT, security, sales and marketing and other functions where there’s processing of personal data and special personal data.
The rule of thumb is that the more complex and/or sensitive the personal data processing operation, the more resources must be given to the DPO or Team DPO.
Monitoring internal compliance with the GDPR is a big part of the job and, in practical terms, this means the Team DPO will need to:
- Collect information to identify personal data processing activities
- Analyse and check compliance of personal data processing activities
- Inform, advise and issue recommendations to the Data Controller, Joint Data Controller or Data Processor in the exercise of their corporate responsibilities, as well as advise the ‘accountable individual’ at Board level where such responsibilities can carry criminal sanctions under the national law that Member States adopt alongside the GDPR (Art.84, GDPR).
A very important task is the Data Protection Impact Assessment (DPIA), together with choosing the methodology for carrying it out that is appropriate for the organisation. A DPIA helps to prioritise the high risks to the rights and freedoms of Data Subjects (customers, clients and supporters) and provides a pathway for mitigating those risks down to residual risks within the risk appetite of the organisation.
This is now less of a tick-box exercise and much more about taking a pragmatic approach in order to achieve outcomes, known as the risk-based approach to data protection under the GDPR. It applies to the Data Controller, Joint Data Controller and the Data Processor alike.
Underpinning all of this is training – both for the DPO or Team DPO as well as all staff processing personal data within the organisation.
Whether it’s a managed service supplying the capability to fulfil the DPO function or whether it’s in-sourced, the Art 29 WP states in its current guidance note that continuous training is a requirement under the GDPR:
DPOs must be given the opportunity to stay up to date with regard to developments within the field of data protection. The aim should be to constantly increase the level of expertise of DPOs and they should be encouraged to participate in training courses on data protection and other forms of professional development, such as participation in privacy fora, workshops, etc.
For information about the GDPR Transition Programme at Henley Business School, see the school’s website.