Author: Gary Hibberd
The General Data Protection Regulation (GDPR) is clear about many things, but the need for a designated ‘Data Protection Officer’ (DPO) seems to cause confusion. Here is my take on when a DPO is needed and on the ‘look and feel’ of the role.
What GDPR says about DPOs
The Regulation states, in Article 37 (‘Designation of the data protection officer’), that:
The controller and the processor shall designate a data protection officer in any case where:
(a) the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
(b) the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
(c) the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10.
What does this mean?
The questions you need to ask yourselves are:
Are you a ‘public authority/body’?
Do your CORE activities involve ‘systematic monitoring’ on a ‘LARGE scale’?
Do you process data which falls into the ‘special categories’ (sensitive data such as sex, race, religion, etc.)?
(Note: ‘LARGE’ relates to the relative population of what you’re processing. E.g. if there are 5,000 companies selling top hats in the UK and you process data on 2,500 of them, you process 50% of that market. That’s LARGE!)
If you answer ‘Yes’ to any of the above, then you MUST appoint a Data Protection Officer.
Should YOU appoint a DPO?
Because of the vast array of changes in the Regulation, my honest opinion is that you should look to appoint a DPO anyway. You don’t need to hire a new person; you can make this part of a service contract, similar to our ‘Virtual Security Officer’ or a contract with ‘HR Heroes’.
We see the role of the DPO as both strategic and tactical in nature: the DPO will strategically direct your business and ensure you maintain compliance with the GDPR, but will also provide practical, tactical solutions that steer you in the right direction.
The Skills and Expertise of the DPO
Article 37(5) states that the DPO ‘shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39.’
If I were to write a job description for a DPO, it would look something like this:
Must have a good understanding of data protection regulations (need not have a legal background or be a legal expert)
Must have a good technical understanding of risk management techniques (ISO 31000, COSO, ISO 27005)
Must have a detailed understanding of (and practical experience in) implementing security frameworks such as Cyber Essentials, ISO 27001, BS 10012, PCI DSS, SANS 20, NIST and CCM
Must be able to work independently
Must be a strong communicator (verbally and written)
Must be organised
The Appointment of the DPO
The DPO in your organisation also needs the following structure in place to operate effectively, as the role is pivotal in ensuring the business meets its compliance obligations.
They should report directly to the CEO (or the highest management level of the business)
They should be independent
There must be no ‘conflict of interest’ (e.g. the Head of IT could not be your DPO, as they might have a vested interest in hiding a breach or in finding cost savings)
They must be involved in key decisions involving data subjects (e.g. new processing methods)
If you’re interested in knowing more about the role of the DPO, you should refer to Section 4 of the GDPR (Articles 37 to 39).
Whether you assign a DPO is (partially) down to you to decide. If you fall under any of the three cases set out in Article 37, then it’s mandatory. Otherwise, it’s voluntary.
My view is that the changes are so far reaching that NOT appointing a suitably skilled DPO would be foolish. Open disclosure forces me to state that Agenci does, of course, provide ‘Outsourced DPO’ services. But this isn’t the purpose of this post. The purpose is to get you thinking about your business, how you ensure you’re ready for GDPR, and how you will manage once it comes into force on 25th May 2018.